Bug 974841 - (CVE-2016-3633) VUL-1: CVE-2016-3633: tiff: Illegal read occurs in _setrow function in thumbnail
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Fridrich Strba
QA Contact: Security Team bot
Reported: 2016-04-11 08:43 UTC by Johannes Segitz
Modified: 2019-04-25 14:42 UTC
Found By: Security Response Team

setrow_cve_20163633.tif (384 bytes, image/tiff)
2016-11-25 08:24 UTC, Alexander Bergmann

Description Johannes Segitz 2016-04-11 08:43:35 UTC

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Illegal read
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3633
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

An illegal read occurs in the _setrow function in thumbnail.c when using the thumbnail command, which allows attackers to exploit this issue to cause a denial of service.

523  for (y = 0; y < nrows; y++) {
524      const uint8* src = rows[y] + off;
525      acc += bits[*src++ & mask0];

gdb  --args  thumbnail  setrow.tif  tmpout.tif
Program received signal SIGSEGV, Segmentation fault.
0x08049de5 in setrow (row=0x8061d00 "", nrows=256, rows=0xbfffeba0) at thumbnail.c:525
525                acc += bits[*src++ & mask0];
(gdb) bt
#0  0x08049de5 in setrow (row=0x8061d00 "", nrows=256, rows=0xbfffeba0) at thumbnail.c:525
#1  0x0804a07a in setImage1 (br=0x804d9b8 "\377", rw=5242880, rh=5242880) at thumbnail.c:581
#2  0x0804a121 in setImage (br=0x804d9b8 "\377", rw=5242880, rh=5242880) at thumbnail.c:591
#3  0x0804a2db in generateThumbnail (in=0x804d530, out=0x804d008) at thumbnail.c:633
#4  0x08048f5f in main (argc=3, argv=0xbffff134) at thumbnail.c:122
(gdb) p *src
Cannot access memory at address 0x8204988
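
Added example, not part of the bug report and not libtiff code: a bounds-checked form of the loop quoted at thumbnail.c:523-525, where `*src` is read at `rows[y] + off` with no test that `off` lies inside the row. The `rowlen` parameter, the function names and the sample rows are assumptions constructed for illustration; the report does not say how `off` comes to point outside the row.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Set-bit count per byte value; stands in for the bits[] table the
 * quoted loop indexes (constructed here, the report does not show it). */
static uint8_t bits[256];

static void init_bits(void)
{
    for (int v = 0; v < 256; v++) {
        int n = 0;
        for (int b = v; b; b >>= 1) n += b & 1;
        bits[v] = (uint8_t)n;
    }
}

/* Checked form of the loop. rowlen, the number of valid bytes in each
 * rows[y], is an assumed extra parameter. Returns 0 and stores the sum
 * in *acc_out, or -1 when rows[y] + off would point outside the row. */
int column_bits_checked(const uint8_t *const rows[], uint32_t nrows,
                        size_t rowlen, size_t off, uint8_t mask0,
                        uint32_t *acc_out)
{
    uint32_t acc = 0;
    init_bits();
    if (off >= rowlen) return -1;   /* reject before any dereference */
    for (uint32_t y = 0; y < nrows; y++) {
        const uint8_t *src = rows[y] + off;
        acc += bits[*src & mask0];
    }
    *acc_out = acc;
    return 0;
}

/* Constructed sample: two 4-byte rows. Returns the sum or -1. */
int demo_sum(size_t off, uint8_t mask0)
{
    static const uint8_t r0[4] = {0xff, 0x0f, 0x01, 0x00};
    static const uint8_t r1[4] = {0xf0, 0xff, 0x03, 0x80};
    const uint8_t *const rows[2] = {r0, r1};
    uint32_t acc = 0;
    return column_bits_checked(rows, 2, sizeof r0, off, mask0, &acc) ? -1 : (int)acc;
}

int main(void)
{
    printf("off=0: %d, off=4: %d\n", demo_sum(0, 0xff), demo_sum(4, 0xff));
    return 0;
}
```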

Comment 1 Swamp Workflow Management 2016-04-11 22:00:37 UTC
bugbot adjusting priority

Comment 3 Alexander Bergmann 2016-11-23 16:33:41 UTC

The thumbnail utility is no longer installed by the libtiff package (as will
appear in 4.0.7).  It now only exists for internal testing.

Comment 5 Alexander Bergmann 2016-11-25 08:24:05 UTC
Created attachment 703718

I've got the original reproducer from the reporter.

Comment 6 Alexander Bergmann 2017-12-13 14:43:27 UTC
The thumbnail tool is not part of tiff anymore. It will not be present in major future SLE releases.

Closing bug as WONTFIX.