Bug 974618 - (CVE-2016-3623) VUL-1: CVE-2016-3623: tiff: Divide By Zero in the rgb2ycbcr tool
(CVE-2016-3623)
VUL-1: CVE-2016-3623: tiff: Divide By Zero in the rgb2ycbcr tool
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/166799/
CVSSv2:SUSE:CVE-2016-3623:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-08 08:18 UTC by Johannes Segitz
Modified: 2017-09-20 14:59 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
not_kitty.tiff (448 bytes, application/octet-stream)
2016-10-06 12:03 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2016-04-08 08:18:41 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Divide By Zero
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3623
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

Division by zero occurs in rgb2ycbcr in libtiff-4.0.6 allows attackers to cause a denial of service when the param v or param h was set to 0.


libtiff-master/libtiff/rgb2ycbcr.c:256-257

250 cvtRaster(TIFF* tif, uint32* raster, uint32 width, uint32 height)
251 {
252         uint32 y;
253         tstrip_t strip = 0;
254         tsize_t cc, acc;
255         unsigned char* buf;
256         uint32 rwidth = roundup(width, horizSubSampling);
257         uint32 rheight = roundup(height, vertSubSampling);
258         uint32 nrows = (rowsperstrip > rheight ? rheight : rowsperstrip);


gdb rgb2ycbcr

(gdb)r -c zip  -r 0  -h 2  -v 0 ./sample/rgb2ycbcr_cvtRaster.tif 1.tif

Program received signal SIGFPE, Arithmetic exception.
0x00000000004017cd in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:257
257             uint32 rheight = roundup(height, vertSubSampling);
(gdb) p height
$1 = 152
(gdb) p vertSubSampling
$2 = 0

(gdb) r -c zip  -r 0  -h 0  -v 2 ./sample/rgb2ycbcr_cvtRaster.tif 1.tif

Program received signal SIGFPE, Arithmetic exception.
0x0000000000401798 in cvtRaster (tif=0x604010, raster=0x7ffff4cab010, width=65312, height=152) at rgb2ycbcr.c:256
256             uint32 rwidth = roundup(width, horizSubSampling);
(gdb) p width
$3 = 65312
(gdb) p horizSubSampling
$4 = 0


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3623
http://seclists.org/oss-sec/2016/q2/27
Comment 1 Swamp Workflow Management 2016-04-08 22:00:54 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-09-09 12:10:25 UTC
openSUSE-SU-2016:2275-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE 13.2 (src):    tiff-4.0.6-10.29.1
Comment 3 Swamp Workflow Management 2016-09-25 10:09:10 UTC
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src):    tiff-4.0.6-8.25.1
Comment 4 Marcus Meissner 2016-10-06 12:03:21 UTC
Created attachment 696168 [details]
not_kitty.tiff

QA REPRODUCER:

(tiff can be any tiff file actually. The argument handling is buggy.)


rgb2ycbcr -c zip  -r 0  -h 2  -v 0 not_kitty.tiff 1.tif

TIFFScanlineSize64: Invalid YCbCr subsampling.

BAD:
Gleitkomma-Ausnahme
(Floating Ppoint Exception)

GOOD: 
no floating point exception
Comment 5 Swamp Workflow Management 2016-10-12 13:15:22 UTC
SUSE-SU-2016:2508-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.6-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.6-31.1
Comment 7 Swamp Workflow Management 2016-10-13 15:09:41 UTC
openSUSE-SU-2016:2525-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974449,974614,974618,975069,975070
CVE References: CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991
Sources used:
openSUSE Leap 42.1 (src):    tiff-4.0.6-9.1
Comment 8 Swamp Workflow Management 2016-10-13 15:11:40 UTC
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.168.1