Bug 984831 - (CVE-2016-5314) VUL-1: tiff: CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Target Milestone: ---
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170098/
Whiteboard: CVSSv2:SUSE:CVE-2016-5314:5.8:(AV:N/A...
Depends on: CVE-2016-5875
Blocks:
Reported: 2016-06-15 11:51 UTC by Marcus Meissner
Modified: 2018-11-02 07:50 UTC

Found By: Security Response Team
Description Marcus Meissner 2016-06-15 11:51:41 UTC
http://seclists.org/oss-sec/2016/q2/543

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: out-of-bound writes
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5314
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======

It was always corrupted when I used the rgb2ycbcr command followed by a crafted TIFF image. The out-of-bound write vulnerability comes from the PixarLogDecode() function not checking the buffer length, which causes the head of the next heap chunk to be filled with arbitrary data; a crash occurs when malloc() or free() is called. Attackers could exploit this issue to cause a DoS.


Here is the stack info:
gdb --args ./rgb2ycbcr gtTileContig.tif tmpout.tif
--- ---
(gdb) b tif_pixarlog.c:787
Breakpoint 1 at 0xb7f7916c: file tif_pixarlog.c, line 787.
(gdb) r
--- ---
Breakpoint 1, PixarLogDecode (tif=0x804f148, op=0x804f508 "", occ=<optimized out>, s=0) at tif_pixarlog.c:787
787                     int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
(gdb) x/32xw  sp->stream->next_out
0x804f598:       0xb7d917b0     0xb7d917b0     0x9b9a9998     0x9f9e9d9c
0x804f5a8:       0xa3a2a1a0     0xa7a6a5a4     0xabaaa9a8     0xafaeadac
0x804f5b8:       0xb3b2b1b0     0xb7b6b5b4     0xbbbab9b8     0xbfbebdbc
0x804f5c8:       0xc3c2c1c0     0xc7c6c5c4     0xcbcac9c8     0xcfcecdcc
0x804f5d8:       0xd3d2d1d0     0xd7d6d5d4     0xdbdad9d8     0x00000091
0x804f5e8:       0xb7d91838     0xb7d91838     0xebeae9e8     0xefeeedec

(gdb) finish
(gdb) x/32xw  sp->stream->next_out
0x804f598:       0x86868686     0x93920d0c      0xa09e1a18     0xadaa2724
0x804f5a8:       0xbab63430     0xc7c2413c      0xd4ce4e48     0xe1da5b54
0x804f5b8:       0xeee66860     0xfbf2756c      0x08fe8278     0x160a8f84
0x804f5c8:       0x23169c90     0x3022a99c      0x3d2eb6a8     0x4a3ac3b4
0x804f5d8:       0x5746d0c0     0x8686ddcc      0x93920d0c     0x409d1a18
0x804f5e8:       0x4da9c723     0x5ab5d42f      0x67c1e13b     0x74cdee47

(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xb7c3bd38 in _int_free (av=0xb7d91780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
4015                   unlink(av, nextchunk, bck, fwd);
(gdb) bt
#0  0xb7c3bd38 in _int_free (av=0xb7d91780 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:4015
#1  0xb7c3f6e0 in __GI___libc_free (mem=0x804f508) at malloc.c:2969
#2  0xb7faa8f8 in _TIFFfree (p=0x804f508) at tif_unix.c:322
#3  0xb7f29050 in gtTileContig (img=0xbfffe584, raster=0x8068b00, w=34, h=4) at tif_getimage.c:691
#4  0xb7f31517 in TIFFRGBAImageGet (img=0xbfffe584, raster=0x8068b00, w=34, h=4) at tif_getimage.c:500
#5  0xb7f3173c in TIFFReadRGBAImageOriented (tif=0x804f148, rwidth=34, rheight=4, raster=0x8068b00, orientation=4, 
stop=0) at tif_getimage.c:519
#6  0xb7f317ba in TIFFReadRGBAImage (tif=0x804f148, rwidth=34, rheight=4, raster=0x8068b00, stop=0) at 
tif_getimage.c:537
#7  0x0804a59f in tiffcvt (in=in@entry=0x804f148, out=out@entry=0x804e008) at rgb2ycbcr.c:315
#8  0x080494a1 in main (argc=3, argv=0xbffff3b4) at rgb2ycbcr.c:127

(gdb) x/8xw 0x804f508-8
0x804f500:       0x00000030     0x00000091     0xffffffff    0x42c4ffff
0x804f510:       0x02f70eb8      0xffffffff    0x1bb17d9c     0xffff061b
(gdb) x/8xw 0x804f500+0x90
0x804f590:       0x8b8a8988     0x00000051     0x86868686     0x93920d0c
0x804f5a0:       0xa09e1a18     0xadaa2724     0xbab63430     0xc7c2413c
(gdb) x/8xw 0x804f500+0x90+0x50
0x804f5e0:       0x93920d0c     0x409d1a18     0x4da9c723     0x5ab5d42f
0x804f5f0:       0x67c1e13b     0x74cdee47     0x81d9fb53      0x8ee5085f
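The mechanism the report describes, as an added example that is not libtiff code and not part of the original bug: the decoder expands compressed data into a heap buffer whose size was fixed at setup time, but sizes its output window from the caller's requested byte count alone, so a crafted file can make it write past the buffer into the malloc chunk that follows. Names follow tif_pixarlog.c (sp->tbuf, sp->tbuf_size, occ, avail_out) by assumption; a tiny run-length expander stands in for zlib's inflate() so the program builds without zlib; the buffer lives inside a private arena followed by a fake "next chunk size" field so the overwrite the gdb dump shows (the 0x91 size field being clobbered) can be observed without actually corrupting the process heap. The bounds check in decode_checked() is the shape a fix takes, assumed here rather than quoted from the libtiff commit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libtiff's per-codec state (assumption: modelled on tif_pixarlog.c,
 * not copied from it). tbuf sits at the start of a private arena and is followed
 * by a fake malloc chunk size field so an overflow can be detected safely. */
typedef struct {
    uint8_t  *arena;       /* simulated heap region */
    size_t    arena_size;
    uint16_t *tbuf;        /* decode buffer, like sp->tbuf */
    size_t    tbuf_size;   /* bytes allocated for tbuf, like sp->tbuf_size */
    uint8_t  *next_hdr;    /* fake "next chunk" size field directly after tbuf */
} PixarLogState;

#define FAKE_NEXT_SIZE 0x91u   /* size field seen at 0x804f5e4 in the gdb dump above */
#define ARENA_SLACK    64      /* keeps the demo overflow inside the arena */

/* Setup step: tbuf is sized from the image geometry, never from occ. */
static int setup_decode(PixarLogState *sp, uint32_t rowsperstrip,
                        uint32_t stride, uint32_t imagewidth)
{
    size_t nsamples = (size_t)rowsperstrip * stride * imagewidth;
    uint32_t hdr = FAKE_NEXT_SIZE;
    memset(sp, 0, sizeof *sp);
    sp->tbuf_size  = nsamples * sizeof(uint16_t);
    sp->arena_size = sp->tbuf_size + ARENA_SLACK;
    sp->arena = calloc(sp->arena_size, 1);
    if (sp->arena == NULL)
        return 0;
    sp->tbuf     = (uint16_t *)sp->arena;
    sp->next_hdr = sp->arena + sp->tbuf_size;
    memcpy(sp->next_hdr, &hdr, sizeof hdr);   /* plant the sentinel header */
    return 1;
}

static void teardown(PixarLogState *sp)
{
    free(sp->arena);
    sp->arena = NULL;
}

/* Stand-in for inflate(): input is (count, value) byte pairs, each expanding to
 * `count` 16-bit samples. As with inflate(), avail_out is the only write bound. */
static size_t expand_rle(const uint8_t *in, size_t inlen,
                         uint8_t *out, size_t avail_out)
{
    size_t produced = 0;
    for (size_t i = 0; i + 1 < inlen; i += 2) {
        uint16_t value = in[i + 1];
        for (unsigned k = 0; k < in[i]; k++) {
            if (produced + sizeof value > avail_out)
                return produced;
            memcpy(out + produced, &value, sizeof value);
            produced += sizeof value;
        }
    }
    return produced;
}

/* Vulnerable shape: avail_out comes from occ; tbuf_size is never consulted.
 * Returns bytes written into tbuf (and, when occ is too large, beyond it). */
static size_t decode_unchecked(PixarLogState *sp, const uint8_t *raw,
                               size_t rawcc, size_t occ)
{
    size_t nsamples  = occ / sizeof(uint16_t);
    size_t avail_out = nsamples * sizeof(uint16_t);
    return expand_rle(raw, rawcc, (uint8_t *)sp->tbuf, avail_out);
}

/* Hardened shape (assumed fix pattern): reject any output window larger than
 * the buffer allocated at setup. Returns 0 on rejection, else bytes written. */
static size_t decode_checked(PixarLogState *sp, const uint8_t *raw,
                             size_t rawcc, size_t occ)
{
    size_t nsamples  = occ / sizeof(uint16_t);
    size_t avail_out = nsamples * sizeof(uint16_t);
    if (avail_out > sp->tbuf_size) {
        fprintf(stderr, "PixarLogDecode: avail_out %zu > tbuf_size %zu\n",
                avail_out, sp->tbuf_size);
        return 0;
    }
    return expand_rle(raw, rawcc, (uint8_t *)sp->tbuf, avail_out);
}

/* 1 if the fake next-chunk size field still holds its original value. */
static int next_chunk_intact(const PixarLogState *sp)
{
    uint32_t hdr;
    memcpy(&hdr, sp->next_hdr, sizeof hdr);
    return hdr == FAKE_NEXT_SIZE;
}

int main(void)
{
    static const uint8_t raw[] = { 16, 0x86 };   /* constructed: 16 samples for a buffer of 8 */
    PixarLogState sp;
    size_t n;

    setup_decode(&sp, 2, 1, 4);                   /* tbuf_size = 8 samples * 2 = 16 bytes */
    n = decode_unchecked(&sp, raw, sizeof raw, 32);
    printf("unchecked: wrote %zu bytes into a %zu-byte tbuf, next chunk %s\n",
           n, sp.tbuf_size, next_chunk_intact(&sp) ? "intact" : "CORRUPTED");
    teardown(&sp);

    setup_decode(&sp, 2, 1, 4);
    n = decode_checked(&sp, raw, sizeof raw, 32);
    printf("checked:   returned %zu, next chunk %s\n",
           n, next_chunk_intact(&sp) ? "intact" : "CORRUPTED");
    teardown(&sp);
    return 0;
}
```

The first run writes 32 bytes through a 16-byte tbuf and replaces the planted 0x91 size field with sample data, which is the state the gdb dump above shows just before _int_free() faults in unlink(); the second run refuses the request before any byte is written. The check belongs before the decode loop, on the value that actually bounds the write (avail_out), not on the caller-facing occ alone.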
Comment 1 Swamp Workflow Management 2016-06-15 22:02:05 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-07-27 17:10:52 UTC
openSUSE-SU-2016:1889-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 964225,984808,984831,984837,984842,987351
CVE References: CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.2 (src):    tiff-4.0.6-10.26.1
Comment 3 Fridrich Strba 2016-09-06 07:44:24 UTC
Closing as fixed. Reopen if you think you need to.
Comment 4 Swamp Workflow Management 2016-09-09 10:11:38 UTC
SUSE-SU-2016:2271-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.6-26.3
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.6-26.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.6-26.3
Comment 5 Swamp Workflow Management 2016-09-16 13:10:23 UTC
openSUSE-SU-2016:2321-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE Leap 42.1 (src):    tiff-4.0.6-6.1
Comment 6 Swamp Workflow Management 2016-09-25 10:09:58 UTC
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src):    tiff-4.0.6-8.25.1
Comment 7 Swamp Workflow Management 2016-10-13 15:12:11 UTC
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.168.1
Comment 8 Swamp Workflow Management 2018-05-30 13:16:14 UTC
SUSE-SU-2018:1472-1: An update that solves 14 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1017694,1031250,1031254,1033109,1033111,1033112,1033113,1033120,1033126,1033127,1033129,1074317,984808,984809,984831,987351
CVE References: CVE-2016-10267,CVE-2016-10269,CVE-2016-10270,CVE-2016-5314,CVE-2016-5315,CVE-2017-18013,CVE-2017-7593,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.6.1