Bug 990460 - (CVE-2016-6223) VUL-1: CVE-2016-6223: tiff: Out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/170957/
CVSSv2:SUSE:CVE-2016-6223:5.8:(AV:N/...
Reported: 2016-07-25 11:39 UTC by Andreas Stieger
Modified: 2020-07-27 02:06 UTC (History)

Found By: Security Response Team


Attachments
reproducer from original reporter (112 bytes, image/tiff)
2016-07-25 11:39 UTC, Andreas Stieger

Description Andreas Stieger 2016-07-25 11:39:15 UTC
Created attachment 685425 [details]
reproducer from original reporter

Information leak in LibTIFF, specifically in the file libtiff/tif_read.c.

The vulnerability allows an attacker to specify a negative index into the
file-content buffer and copy data from that position until the end of the
buffer.

This will allow an attacker to crash the process by accessing unmapped
memory and (depending on how LibTIFF is used) might also allow an attacker
to leak sensitive information.

The issue is fixed in CVS HEAD with the commit:

revision 1.49
date: 2016-07-10 20:00:21 +0200;  author: erouault;  state: Exp;  lines: +6 -3;  commitid: YhOZoKv5OA9gNNdz;
* libtiff/tif_read.c: Fix out-of-bounds read on
memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
when stripoffset is beyond tmsize_t max value (reported by
Mathias Svensson)

https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496

The attached reproducer file is from the original reporter.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1356867
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6223
http://seclists.org/oss-sec/2016/q3/67
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6223.html
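The narrowing defect described above, modelled as an added example (not libtiff's code): a range check that casts the 64-bit strip offset to the signed `tmsize_t` before comparing it against the mapped file size, beside the hardened form that rejects offsets above `TMSIZE_T_MAX` while they are still unsigned. The type name, function names and the 112-byte buffer are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Model of libtiff's signed size type and its maximum (names constructed here). */
typedef int64_t tmsize_t;
#define TMSIZE_T_MAX INT64_MAX

/* Vulnerable pattern: the 64-bit strip offset is narrowed to signed tmsize_t
 * before the range tests. An offset above TMSIZE_T_MAX becomes negative, passes
 * every comparison, and the caller then copies from before the mapped file. */
int strip_in_map_vulnerable(uint64_t strip_offset, tmsize_t size, tmsize_t map_size)
{
    tmsize_t ma = (tmsize_t)strip_offset;   /* wraps negative for huge offsets */
    if (ma > map_size)
        return 0;
    if (size < 0 || size > map_size - ma)   /* map_size - ma only grows when ma < 0 */
        return 0;
    return 1;                               /* accepted: caller reads base + ma */
}

/* Hardened check: test the offset while it is still unsigned; once it is known
 * to fit in tmsize_t, the narrowed comparisons above are sound. */
int strip_in_map_hardened(uint64_t strip_offset, tmsize_t size, tmsize_t map_size)
{
    if (strip_offset > (uint64_t)TMSIZE_T_MAX)
        return 0;
    return strip_in_map_vulnerable(strip_offset, size, map_size);
}

/* Memory-mapped raw strip read guarded by the hardened check.
 * Returns the number of bytes copied, 0 when the strip is rejected. */
tmsize_t read_raw_strip_mapped(const unsigned char *base, tmsize_t map_size,
                               uint64_t strip_offset, tmsize_t size, unsigned char *dst)
{
    if (!strip_in_map_hardened(strip_offset, size, map_size))
        return 0;
    memcpy(dst, base + (tmsize_t)strip_offset, (size_t)size);
    return size;
}

/* Constructed 112-byte "file" (same length as the attached reproducer, not its
 * contents). Returns 1 when a valid 16-byte strip at offset 8 copies correctly. */
int demo_valid_read(void)
{
    unsigned char file[112], dst[16];
    for (int i = 0; i < 112; i++) file[i] = (unsigned char)i;
    if (read_raw_strip_mapped(file, 112, 8, 16, dst) != 16) return 0;
    return dst[0] == 8 && dst[15] == 23;
}
```

With a 112-byte mapping, an offset of 0xFFFFFFFFFFFFFFF0 casts to -16 and is accepted by the vulnerable check but rejected by the hardened one.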
Comment 2 Swamp Workflow Management 2016-07-25 22:00:34 UTC
bugbot adjusting priority
Comment 3 Petr Gajdos 2018-11-21 12:36:51 UTC
This was fixed in 4.0.7.

TW,15,12: already fixed by the version update

Not sure what the command should be, but tried tiffcp, tiffinfo -D and tiff2rgba. No valgrind error observed.

$ valgrind -q tiffcp -i CVE-2016-6223.tiff out.tiff
CVE-2016-6223.tiff: Warning, Nonstandard tile length 559038849, convert file.
TIFFFetchDirectory: Can not read TIFF directory count.
TIFFReadDirectory: Failed to read directory at offset 3203334144.
$

It allocates a lot of memory (0.5G), however this is bug 1003874.

For 3.8.2, I do not see any issue at all running the testcase. The calculation is different there and, provided we have no testcase that would exhibit the issue, I would consider it not affected.
Comment 4 Petr Gajdos 2018-11-21 12:37:35 UTC
Will submit the rpm changelog adjustment for: 15/tiff and 12/tiff.
Comment 5 Petr Gajdos 2018-11-23 12:32:30 UTC
I believe all fixed.
Comment 7 Swamp Workflow Management 2018-12-07 14:10:06 UTC
SUSE-SU-2018:4008-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    tiff-4.0.9-5.20.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    tiff-4.0.9-5.20.1
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    tiff-4.0.9-5.20.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    tiff-4.0.9-5.20.1
Comment 8 Swamp Workflow Management 2018-12-08 14:13:11 UTC
openSUSE-SU-2018:4053-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
openSUSE Leap 15.0 (src):    tiff-4.0.9-lp150.4.12.1
Comment 9 Swamp Workflow Management 2018-12-19 17:12:22 UTC
SUSE-SU-2018:4191-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    tiff-4.0.9-44.30.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.9-44.30.1
SUSE Linux Enterprise Server 12-SP4 (src):    tiff-4.0.9-44.30.1
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.9-44.30.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    tiff-4.0.9-44.30.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.9-44.30.1
Comment 10 Swamp Workflow Management 2018-12-22 23:10:44 UTC
openSUSE-SU-2018:4256-1: An update that fixes 6 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1017693,1054594,1115717,990460
CVE References: CVE-2016-10092,CVE-2016-10093,CVE-2016-10094,CVE-2016-6223,CVE-2017-12944,CVE-2018-19210
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.9-43.1
Comment 11 Marcus Meissner 2019-01-14 08:12:54 UTC
released