Bugzilla – Bug 974448
VUL-1: CVE-2016-3621: tiff: Out-of-bounds Read in the bmp2tiff tool (lzw packing)
Last modified: 2019-01-14 08:11:50 UTC
Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: Out-of-bounds Read Vendor URL: http://www.libtiff.org/ CVE ID: CVE-2016-3621 Credit: Mei Wang of the Cloud Security Team, Qihoo 360 Introduction ============ LZWEncode function in tif_lzw.c in bmp2tiff allows attackers to cause a denial of service (Out-of-bounds Read) via a crafted bmp image with param -c lzw. libtiff-master/libtiff/tif_lzw.c:915 910 */ 911 PutNextCode(op, CODE_CLEAR); 912 ent = *bp++; cc--; incount++; 913 } 914 while (cc > 0) { 915 c = *bp++; cc--; incount++; 916 fcode = ((long)c << BITS_MAX) + ent; 917 h = (c << HSHIFT) ^ ent; /* xor hashing */ ./bmp2tiff -c lzw ./sample/bmp2tiff_lzw.bmp 1.tif ================================================================= ==10455== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fbcd06d1c00 at pc 0x4827aa bp 0x7ffef81741d0 sp 0x7ffef81741c0 READ of size 1 at 0x7fbcd06d1c00 thread T0 #0 0x4827a9 in LZWEncode /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915 #1 0x45665e in TIFFWriteScanline /home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173 #2 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775 #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4) #4 0x4019a8 in _start (/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8) 0x7fbcd06d1c00 is located 0 bytes to the right of 1573888-byte region [0x7fbcd0551800,0x7fbcd06d1c00) allocated by thread T0 here: #0 0x7fbccd563129 (/lib64/libasan.so.0+0x16129) #1 0x45b761 in _TIFFmalloc /home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316 #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678 #3 0x7fbcccc92af4 in __libc_start_main (/lib64/libc.so.6+0x21af4) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dazhuang/asan/libtiff-master/libtiff/tif_lzw.c:915 LZWEncode Shadow bytes around the buggy address: 0x0ff81a0d2330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff81a0d2340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff81a0d2350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff81a0d2360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff81a0d2370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0ff81a0d2380:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff81a0d2390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff81a0d23a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff81a0d23b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff81a0d23c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0ff81a0d23d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==10455== ABORTING References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3621 http://seclists.org/oss-sec/2016/q2/22
bugbot adjusting priority
Created attachment 696789 [details] crash1.tif found by local afl run QA REPRODUCER: bmp2tiff -c lzw crash1.tif output.tif
http://bugzilla.maptools.org/show_bug.cgi?id=2565#c1 Closing as wontfix since bmp2tiff has been removed from libtiff
The same resolution as in bug 974446 comment 4: (gdb) p length $1 = 32 (gdb) p j $2 = 265 (gdb) p width $3 = 49184 (gdb) p length > j || width > j || length * width > j $4 = 1 (gdb) This is fixed by tiff-bmp2tiff.c-update.patch.
Will amend rpm changelog for: 11,10sp3/tiff.
I believe all fixed.
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available. Category: security (moderate) Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440 CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): tiff-3.8.2-141.169.22.1 SUSE Linux Enterprise Server 11-SP4 (src): tiff-3.8.2-141.169.22.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): tiff-3.8.2-141.169.22.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-12-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64180
released