Bug 1038438 - (CVE-2016-10371) VUL-1: CVE-2016-10371: tiff: Assertion failure in TIFFWriteDirectoryTagCheckedRational allowing for DoS
(CVE-2016-10371)
VUL-1: CVE-2016-10371: tiff: Assertion failure in TIFFWriteDirectoryTagChecke...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Michael Vetter
Security Team bot
https://smash.suse.de/issue/184981/
CVSSv2:SUSE:CVE-2016-10371:4.3:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-10 09:38 UTC by Johannes Segitz
Modified: 2018-05-15 18:01 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Reproducer (3.21 KB, image/tiff)
2017-05-10 09:38 UTC, Johannes Segitz
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-05-10 09:38:38 UTC
Created attachment 724489 [details]
Reproducer

http://bugzilla.maptools.org/show_bug.cgi?id=2535

attached file triggers assert in TIFFWriteDirectoryTagCheckedRational

Reproducer:
# tiffcrop -U px -E top -X 60 -Y 60 assert.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not
sorted in ascending order.
TIFFReadDirectory: Warning, TIFF directory is missing required
"StripByteCounts" field, calculating from imagelength.
tiffcrop: tif_dirwrite.c:2084: TIFFWriteDirectoryTagCheckedRational: Assertion
`value>=0.0' failed.

SLE 12 codestream contains this.

References:
http://bugzilla.maptools.org/show_bug.cgi?id=2535
https://bugzilla.redhat.com/show_bug.cgi?id=1449534
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10371
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10371
Comment 1 Swamp Workflow Management 2017-09-26 13:15:34 UTC
SUSE-SU-2017:2569-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.8-44.3.1
Comment 2 Swamp Workflow Management 2017-10-03 19:08:57 UTC
openSUSE-SU-2017:2635-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.8-21.1
openSUSE Leap 42.2 (src):    tiff-4.0.8-17.6.1
Comment 3 Petr Gajdos 2018-05-15 18:01:08 UTC
12/tiff

$ tiffcrop -U px -E top -X 60 -Y 60 assert.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
TIFFWriteDirectoryTagCheckedRational: Negative value is illegal.
: Failed to write IFD for page number 0.
writeRegions: Unable to write new image.
TIFFWriteDirectoryTagCheckedRational: Negative value is illegal.
$

11/tiff

no tiffcrop


PATCH

https://gitlab.com/libtiff/libtiff/commit/9f839d923383e3bc21e25ce5e9c3b31901fcaf90

12/tiff: fix is already in by version update
10sp3,11/tiff: no such code