Bug 974841 - (CVE-2016-3633) VUL-1: CVE-2016-3633: tiff: Illegal read occurs in _setrow function in thumbnail
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/166958/
CVSSv2:SUSE:CVE-2016-3633:5.0:(AV:N/A...
Reported: 2016-04-11 08:43 UTC by Johannes Segitz
Modified: 2019-04-25 14:42 UTC

Found By: Security Response Team


Attachments
setrow_cve_20163633.tif (384 bytes, image/tiff)
2016-11-25 08:24 UTC, Alexander Bergmann
Description Johannes Segitz 2016-04-11 08:43:35 UTC
Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Illegal read
Vendor URL: http://www.libtiff.org/
CVE ID: CVE-2016-3633
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
Illegal read occurs in the _setrow function in thumbnail.c when using the thumbnail command, which allows attackers to exploit this issue to cause denial of service.

/libtiff/tools/thumbnail.c:525
523  for (y = 0; y < nrows; y++) {
524      const uint8* src = rows[y] + off;
525      acc += bits[*src++ & mask0];

gdb  --args  thumbnail  setrow.tif  tmpout.tif
...
Program received signal SIGSEGV, Segmentation fault.
0x08049de5 in setrow (row=0x8061d00 "", nrows=256, rows=0xbfffeba0) at thumbnail.c:525
525                acc += bits[*src++ & mask0];
(gdb) bt
#0  0x08049de5 in setrow (row=0x8061d00 "", nrows=256, rows=0xbfffeba0) at thumbnail.c:525
#1  0x0804a07a in setImage1 (br=0x804d9b8 "\377", rw=5242880, rh=5242880) at thumbnail.c:581
#2  0x0804a121 in setImage (br=0x804d9b8 "\377", rw=5242880, rh=5242880) at thumbnail.c:591
#3  0x0804a2db in generateThumbnail (in=0x804d530, out=0x804d008) at thumbnail.c:633
#4  0x08048f5f in main (argc=3, argv=0xbffff134) at thumbnail.c:122
(gdb) p *src
Cannot access memory at address 0x8204988

References:
http://www.openwall.com/lists/oss-security/2016/04/08/11
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3633
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3633.html
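
The loop excerpt in the description reads through rows[y] + off with no visible check that the address lies inside the raster. As an added illustration (not code from libtiff or from this report), the same accumulation with that check in place; base, size, column_sum_checked, popcount8, demo_column and the sample raster are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the tool's bits[] table, assumed here to be a per-byte
 * population count (the page does not show the table). */
static unsigned popcount8(uint8_t v)
{
    unsigned n = 0;
    while (v) { n += v & 1u; v >>= 1; }
    return n;
}

/* Same accumulation as thumbnail.c:523-525, but every rows[y] + off is
 * checked against the raster [base, base + size) before it is read.
 * Returns 0 and stores the sum in *acc, or -1 if a read would leave it. */
static int column_sum_checked(const uint8_t *base, size_t size,
                              const uint8_t *rows[], uint32_t nrows,
                              size_t off, uint8_t mask0, uint32_t *acc)
{
    uintptr_t lo = (uintptr_t)base;
    uint32_t sum = 0;
    for (uint32_t y = 0; y < nrows; y++) {
        /* Compare as integers so no out-of-range pointer is formed. */
        uintptr_t p = (uintptr_t)rows[y];
        if (p < lo || p - lo >= size || off >= size - (p - lo))
            return -1;
        sum += popcount8(rows[y][off] & mask0);
    }
    *acc = sum;
    return 0;
}

/* Constructed sample: 4 rows of 2 bytes. Returns the column sum at byte
 * offset off, or -1 when the checked read is refused. */
static int demo_column(size_t off)
{
    static const uint8_t raster[8] = {0xFF, 0x01, 0x0F, 0x03, 0xF0, 0x07, 0x00, 0x0F};
    const uint8_t *rows[4] = {raster, raster + 2, raster + 4, raster + 6};
    uint32_t acc = 0;
    if (column_sum_checked(raster, sizeof raster, rows, 4, off, 0xFF, &acc))
        return -1;
    return (int)acc;
}

int main(void)
{
    printf("%d %d %d\n", demo_column(0), demo_column(1), demo_column(2));
}
```

The check is against the whole raster, not the individual row, so it stops the out-of-bounds read but does not by itself validate the image dimensions that produced the offset.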
Comment 1 Swamp Workflow Management 2016-04-11 22:00:37 UTC
bugbot adjusting priority
Comment 3 Alexander Bergmann 2016-11-23 16:33:41 UTC
http://bugzilla.maptools.org/show_bug.cgi?id=2548#c1

The thumbnail utility is no longer installed by the libtiff package (as will
appear in 4.0.7).  It now only exists for internal testing.
Comment 5 Alexander Bergmann 2016-11-25 08:24:05 UTC
Created attachment 703718
setrow_cve_20163633.tif

I've got the original reproducer from the reporter.
Comment 6 Alexander Bergmann 2017-12-13 14:43:27 UTC
The thumbnail tool is not part of tiff anymore. It will not be present in major future SLE releases.

Closing bug as WONTFIX.