Bug 960589 - (CVE-2015-8668) VUL-0: CVE-2015-8668: tiff: Heap-based buffer overflow in bmp2tiff / PackBitsEncode (default packing)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/160240/
maint:running:62403:important CVSSv2:...
Depends on:
Blocks:
Reported: 2016-01-04 15:28 UTC by Johannes Segitz
Modified: 2018-11-30 13:59 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
crash1.tif (146 bytes, application/octet-stream)
2016-10-11 11:09 UTC, Marcus Meissner
libtiff-poc.bmp (1.57 KB, image/bmp)
2016-11-25 07:28 UTC, Alexander Bergmann
Patch from upstream tracker (1.22 KB, patch)
2018-03-23 12:48 UTC, Karol Babioch

Description Johannes Segitz 2016-01-04 15:28:39 UTC
rh#1294425

A heap-buffer overflow was found in bmp2tiff. An attacker could provide a specially-crafted BMP format file which, when converted to TIFF format using the bmp2tiff tool, could cause the bmp2tiff executable to crash or, potentially, lead to arbitrary code execution with the privileges of the user running the bmp2tiff binary.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1294425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8668
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8668.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8668
Comment 1 SMASH SMASH 2016-01-04 15:48:51 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Jan. 6, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/121220/.
Comment 2 SMASH SMASH 2016-01-04 15:55:21 UTC
An update workflow for this issue was started.

This issue was rated as "moderate".
Please submit fixed packages until "Jan. 11, 2016".

When done, reassign the bug to "security-team@suse.de".
/update/62403/.
Comment 3 Swamp Workflow Management 2016-01-04 15:57:22 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-01-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62403
Comment 4 Swamp Workflow Management 2016-01-04 23:00:50 UTC
bugbot adjusting priority
Comment 6 Marcus Meissner 2016-10-11 11:08:00 UTC
http://seclists.org/bugtraq/2015/Dec/138

 From: riusksk () qq com
Date: Mon, 28 Dec 2015 02:40:36 GMT

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Heap Overflow
Security Risk: High
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2015-8668
Credit: riusksk of Tencent Security Platform Department

Introduction
============

libtiff v4.0.6 bmp2tiff function PackBitsPreEncode() (./libtiff/tif_packbits.c), when handling a malicious bmp file (Width = 65663), causes memory corruption. An attacker could exploit this issue to execute arbitrary code in the context of the application using the library. Failed exploit attempts may result in denial-of-service conditions.

╭─riusksk@MacBook  ~/Downloads ‹›
╰─➤$ ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif
        255 ↵
=================================================================
==54340==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63100001087f at pc 0x00010cdc0532 bp 0x7fff52f459b0 sp 0x7fff52f459a8
READ of size 1 at 0x63100001087f thread T0
    #0 0x10cdc0531 in PackBitsEncode (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100108531)
    #1 0x10cdfaa18 in TIFFWriteScanline (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100142a18)
    #2 0x10ccbde7b in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x100005e7b)
    #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #4 0x2  (<unknown module>)

0x63100001087f is located 0 bytes to the right of 65663-byte region [0x631000000800,0x63100001087f)
allocated by thread T0 here:
    #0 0x10cefdf60 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42f60)
    #1 0x10ce073bf in _TIFFmalloc (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x10014f3bf)
    #2 0x10ccbc9d5 in main (/Users/riusksk/Downloads/./tiff-4.0.6/tools/bmp2tiff+0x1000049d5)
    #3 0x7fff8dcbc5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #4 0x2  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 PackBitsEncode
==54340==ABORTING
[1]    54340 abort      ./tiff-4.0.6/tools/bmp2tiff ./libtiff-poc.bmp out.tif
Comment 7 Marcus Meissner 2016-10-11 11:09:15 UTC
Created attachment 696770 [details]
crash1.tif

(found by own afl run)

QA REPRODUCER:
bmp2tiff crash1.tif output.tif
Comment 9 Alexander Bergmann 2016-11-25 07:28:13 UTC
Created attachment 703712 [details]
libtiff-poc.bmp

For me on Leap 42.1 the reproducer from comment 7 did not work.

I've contacted the reporter of this issue <riusksk () qq com> and attached the original reproducer to this bug report that is working for me.

$ bmp2tiff libtiff-poc.bmp out.tif
Segmentation fault
Comment 10 Victor Pereira 2017-09-19 08:29:33 UTC
please submit to SUSE:SLE-11:Update
Comment 11 Karol Babioch 2018-03-23 12:48:21 UTC
Created attachment 764764 [details]
Patch from upstream tracker
Comment 12 Karol Babioch 2018-03-23 12:48:43 UTC
Comment on attachment 764764 [details]
Patch from upstream tracker

Caution: it seems that the int overflow in the bits == 8 case has been lost by
this patch
Comment 13 Karol Babioch 2018-03-23 12:50:05 UTC
The patch has been dropped upstream and the patch is probably incomplete: http://bugzilla.maptools.org/show_bug.cgi?id=2563

> I'd note the proposed patch is incorrect in the bits == 8 case where the
> following check has now been removed
> 
> {{{
> -            uncompr_size = width * length;
> -            /* Detect int overflow */
> -            if( uncompr_size / width != length )
> -            {
> -                TIFFError(infilename,
> -                    "Invalid dimensions of BMP file" );
> -                close(fd);
> -                return -1;
> -            }
> }}}
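Review bot: removing the `uncompr_size / width != length` check leaves the bits == 8 path with no detection of `width * length` wrapping before `uncompr_size` is used, so the check (or an equivalent bound on the operands before the multiplication) should be kept, with the same `TIFFError(infilename, "Invalid dimensions of BMP file")`, `close(fd)` and `return -1` on failure. Note that the retained check divides by `width`, so it has to stay behind a `width != 0` guard that is not visible in this hunk.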
Comment 15 Michael Vetter 2018-08-01 08:21:18 UTC
Based the patch on the one that is attached to this bugzilla (coming from RH).
But adjusted the else case.
It should now be a complete patch.

Before patch:
# bmp2tiff crash1.tif output.tif                                                                                                            
Segmentation fault
# bmp2tiff crash2.bmp output.tif
Segmentation fault

After patch:
# bmp2tiff crash1.tif output.tif
#
# bmp2tiff crash2.bmp output.tif
#

SR#169235 to SUSE_SLE-11_Update
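To make concrete what the dropped check in comment 13 and the "complete patch" in comment 15 are about, here is an added example (not libtiff's or the patch's own code) of an overflow-safe computation of the uncompressed buffer size from BMP header fields. The bits == 8 branch keeps the division-based check shown in the quoted hunk; the branch for other depths is my own extension using a pre-multiplication bound, and the uint32_t types and the function name are assumptions.

```c
#include <inttypes.h>
#include <stdio.h>

/* Added example, not libtiff's own code. Computes the uncompressed
 * pixel-buffer size that a BMP-to-TIFF converter needs from the header's
 * width, height (length) and bit depth, rejecting dimensions whose product
 * would wrap. Types and names are assumed.
 * Returns the size in bytes, or 0 when the dimensions are rejected. */
uint32_t bmp_uncompressed_size(uint32_t width, uint32_t length, uint32_t bits)
{
    uint32_t row_bytes;

    /* Zero dimensions are invalid and would make the division below UB. */
    if (width == 0 || length == 0)
        return 0;

    if (bits == 8) {
        /* One byte per pixel: uncompr_size = width * length, verified by
         * dividing back (the check the incomplete upstream patch dropped). */
        uint32_t uncompr_size = width * length;   /* unsigned: wraps, no UB */
        if (uncompr_size / width != length)
            return 0;                             /* product wrapped */
        return uncompr_size;
    }

    /* Other depths (added here): bound each operand before multiplying. */
    if (bits == 0 || bits > 32 || width > (UINT32_MAX - 7) / bits)
        return 0;
    row_bytes = (width * bits + 7) / 8;           /* whole bytes per row */
    if (row_bytes > UINT32_MAX / length)
        return 0;
    return row_bytes * length;
}

int main(void)
{
    /* Constructed inputs: the advisory's width of 65663, and a wrapping pair. */
    printf("65663 x 1 x 8 bpp     -> %" PRIu32 "\n",
           bmp_uncompressed_size(65663, 1, 8));
    printf("65536 x 65536 x 8 bpp -> %" PRIu32 " (0 = rejected)\n",
           bmp_uncompressed_size(65536, 65536, 8));
    return 0;
}
```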
Comment 19 Swamp Workflow Management 2018-09-10 16:08:42 UTC
SUSE-SU-2018:2676-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1074186,1092480,960589,983440
CVE References: CVE-2015-8668,CVE-2016-5319,CVE-2017-17942,CVE-2018-10779
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.16.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.16.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.16.1
Comment 20 Marcus Meissner 2018-11-30 13:59:27 UTC
done I think.