Bugzilla – Bug 974618
VUL-1: CVE-2016-3623: tiff: Divide By Zero in the rgb2ycbcr tool
Last modified: 2017-09-20 14:59:36 UTC
Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Divide By Zero
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3623
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============
A division by zero in rgb2ycbcr in libtiff-4.0.6 allows attackers to cause a denial of service when the v or h parameter is set to 0.

libtiff-master/libtiff/rgb2ycbcr.c:256-257

250 cvtRaster(TIFF* tif, uint32* raster, uint32 width, uint32 height)
251 {
252     uint32 y;
253     tstrip_t strip = 0;
254     tsize_t cc, acc;
255     unsigned char* buf;
256     uint32 rwidth = roundup(width, horizSubSampling);
257     uint32 rheight = roundup(height, vertSubSampling);
258     uint32 nrows = (rowsperstrip > rheight ? rheight : rowsperstrip);

gdb rgb2ycbcr
(gdb) r -c zip -r 0 -h 2 -v 0 ./sample/rgb2ycbcr_cvtRaster.tif 1.tif

Program received signal SIGFPE, Arithmetic exception.
0x00000000004017cd in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:257
257         uint32 rheight = roundup(height, vertSubSampling);
(gdb) p height
$1 = 152
(gdb) p vertSubSampling
$2 = 0

(gdb) r -c zip -r 0 -h 0 -v 2 ./sample/rgb2ycbcr_cvtRaster.tif 1.tif

Program received signal SIGFPE, Arithmetic exception.
0x0000000000401798 in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:256
256         uint32 rwidth = roundup(width, horizSubSampling);
(gdb) p width
$3 = 65312
(gdb) p horizSubSampling
$4 = 0

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623
http://seclists.org/oss-sec/2016/q2/27
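The crash above comes from the rounding helper dividing width/height by a subsampling factor that the command line lets the user set to 0. The following is an added example, not code from the advisory or from the libtiff project, showing the unchecked rounding beside a hardened variant that validates the factors (the TIFF specification only allows YCbCr subsampling of 1, 2 or 4) both where the option is parsed and before any division. The macro definitions, the function names (valid_subsampling, rounded_dims, parse_subsampling) and the sample inputs are assumptions made for this illustration; the dimensions are the ones printed by gdb in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Rounding helpers in the style of the rgb2ycbcr tool (assumed
 * definitions; the exact macros in a given release may differ).
 * The division in tif_howmany() is where SIGFPE is raised when y == 0. */
#define tif_howmany(x, y) (((x) + ((y) - 1)) / (y))
#define tif_roundup(x, y) (tif_howmany(x, y) * ((uint32_t)(y)))

/* YCbCr subsampling factors permitted by the TIFF specification. */
static int valid_subsampling(long v)
{
    return v == 1 || v == 2 || v == 4;
}

/* Hypothetical hardened replacement for the unchecked
 *   rwidth  = roundup(width,  horizSubSampling);
 *   rheight = roundup(height, vertSubSampling);
 * pair: validate both factors before any division takes place.
 * Returns 0 on success, -1 if either factor is invalid (nothing is
 * computed in that case). */
static int rounded_dims(uint32_t width, uint32_t height,
                        long horiz, long vert,
                        uint32_t *rwidth, uint32_t *rheight)
{
    if (!valid_subsampling(horiz) || !valid_subsampling(vert))
        return -1;
    *rwidth = tif_roundup(width, horiz);
    *rheight = tif_roundup(height, vert);
    return 0;
}

/* Hypothetical parser for the "-h N" / "-v N" values: reject bad input at
 * the command-line boundary instead of letting 0 (or a non-numeric string,
 * which atoi() silently maps to 0) reach the conversion routine.
 * Returns 0 and stores the value, or -1 on rejection. */
static int parse_subsampling(const char *arg, long *out)
{
    char *end = NULL;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    v = strtol(arg, &end, 10);
    if (*end != '\0' || !valid_subsampling(v))
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the raster size from the gdb session and the two
     * crashing option combinations from the reproducer, plus two valid ones. */
    const uint32_t width = 65312, height = 152;
    const char *cases[][2] = { {"2", "0"}, {"0", "2"}, {"2", "2"}, {"4", "1"} };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long h, v;
        uint32_t rw, rh;

        if (parse_subsampling(cases[i][0], &h) != 0 ||
            parse_subsampling(cases[i][1], &v) != 0) {
            printf("-h %s -v %s: rejected (invalid YCbCr subsampling)\n",
                   cases[i][0], cases[i][1]);
            continue;
        }
        if (rounded_dims(width, height, h, v, &rw, &rh) == 0)
            printf("-h %s -v %s: rwidth=%u rheight=%u\n",
                   cases[i][0], cases[i][1], rw, rh);
    }
    return 0;
}
```

Checking the factor at parse time is what stops the reproducer on this bug (-h 2 -v 0 and -h 0 -v 2); keeping the second check inside the dimension routine means the division stays safe even if a future caller obtains the factors from somewhere other than the command line.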
bugbot adjusting priority
openSUSE-SU-2016:2275-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE 13.2 (src): tiff-4.0.6-10.29.1
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src): tiff-4.0.6-8.25.1
Created attachment 696168
not_kitty.tiff

QA REPRODUCER: (tiff can be any tiff file actually. The argument handling is buggy.)

rgb2ycbcr -c zip -r 0 -h 2 -v 0 not_kitty.tiff 1.tif
TIFFScanlineSize64: Invalid YCbCr subsampling.

BAD: Gleitkomma-Ausnahme (Floating Point Exception)
GOOD: no floating point exception
SUSE-SU-2016:2508-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): tiff-4.0.6-31.1
SUSE Linux Enterprise Server 12-SP1 (src): tiff-4.0.6-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src): tiff-4.0.6-31.1
openSUSE-SU-2016:2525-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE Leap 42.1 (src): tiff-4.0.6-9.1
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.168.1