Bug 984809 - (CVE-2016-5315) VUL-1: CVE-2016-5315: tiff: Out-of-bounds read in setByteArray() function in rgb2ycbcr / tif_dir.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Michael Vetter
https://smash.suse.de/issue/170097/
CVSSv2:RedHat:CVE-2016-5315:4.3:(AV:N...
Reported: 2016-06-15 09:41 UTC by Marcus Meissner
Modified: 2019-11-14 15:38 UTC (History)

See Also:
Found By: Security Response Team
Description Marcus Meissner 2016-06-15 09:41:28 UTC
http://seclists.org/oss-sec/2016/q2/544

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegal read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5315
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======

A read access violation occurs in the function setByteArray in tif_dir.c, which allows attackers to cause a DoS via a crafted TIFF image.


Here is the stack info:
gdb --args $tool/rgb2ycbcr id31.tif tmpout.tif
--- ---
(gdb) bt
#0  _int_malloc (av=av@entry=0xb7d91780 <main_arena>, bytes=bytes@entry=29) at malloc.c:3728
#1  0xb7c3f44f in __GI___libc_malloc (bytes=29) at malloc.c:2914
#2  0xb7faa875 in _TIFFmalloc (s=29) at tif_unix.c:316
#3  0xb7e88d2d in setByteArray (elem_size=1, nmemb=<optimized out>, vp=0xbfffeab0, vpp=<optimized out>) at tif_dir.c:51
#4  _TIFFVSetField (tif=0x804e008, tag=270, ap=<optimized out>) at tif_dir.c:539
#5  0xb7e89fab in TIFFVSetField (tif=0x804e008, tag=270, ap=0xbfffea48 "\260\352\377\277\370\363\004\b") at tif_dir.c:820
#6  0xb7e8a094 in TIFFSetField (tif=0x804e008, tag=270) at tif_dir.c:764
#7  0x0804aa04 in tiffcvt (in=in@entry=0x804f148, out=out@entry=0x804e008) at rgb2ycbcr.c:339
(gdb) i r $ebx
ebx            0x86868686        -2038004090
Comment 1 Marcus Meissner 2016-06-15 09:47:51 UTC
tag = 270 is TIFFTAG_IMAGEDESCRIPTION
Comment 2 Marcus Meissner 2016-06-15 09:55:30 UTC
void _TIFFsetString(char** cpp, char* cp)
    { setByteArray((void**) cpp, (void*) cp, strlen(cp)+1, 1); }

newer tiff versions
                if (fip->field_type == TIFF_ASCII)
                {
                        uint32 ma;
                        char* mb;
                        if (fip->field_passcount)
                        {
                                assert(fip->field_writecount==TIFF_VARIABLE2);
                                ma=(uint32)va_arg(ap,uint32);
                                mb=(char*)va_arg(ap,char*);
                        }
                        else
                        {
                                mb=(char*)va_arg(ap,char*);
                                ma=(uint32)(strlen(mb)+1);
                        }
                        tv->count=ma;
                        setByteArray(&tv->value,mb,ma,1);
                }


I am not sure where it overflows, likely corrupted memory before.
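The TIFF_ASCII branch quoted above derives the byte count from strlen() of the incoming pointer, so a source buffer without a terminator is read past its end before setByteArray copies it. As an added illustration (not libtiff code, and not the upstream fix, which comment 5 traces to tif_pixarlog.c), here is a bounded variant of the setByteArray/_TIFFsetString pair in which the caller states the source buffer's capacity and the element-count multiplication is checked for wrap-around; the function names and the 4-byte sample buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded counterpart of libtiff's setByteArray():
 * frees any previous value, rejects a count*size that would wrap,
 * and copies exactly nmemb*elem_size bytes. Returns 0 on success, -1 on
 * invalid arguments or allocation failure. */
static int set_byte_array_checked(void **vpp, const void *vp,
                                  size_t nmemb, size_t elem_size)
{
    if (*vpp) { free(*vpp); *vpp = NULL; }
    if (nmemb == 0 || elem_size == 0) return 0;
    if (nmemb > SIZE_MAX / elem_size) return -1;  /* nmemb*elem_size wraps */
    size_t bytes = nmemb * elem_size;
    void *p = malloc(bytes);
    if (!p) return -1;
    memcpy(p, vp, bytes);
    *vpp = p;
    return 0;
}

/* Length of cp up to cap bytes, never reading past cap (portable strnlen). */
static size_t bounded_len(const char *cp, size_t cap)
{
    size_t n = 0;
    while (n < cap && cp[n] != '\0') n++;
    return n;
}

/* Hypothetical bounded counterpart of _TIFFsetString(): the caller passes
 * the capacity of the source buffer; a string with no NUL inside that
 * capacity is rejected instead of being measured with strlen(). */
static int set_string_bounded(char **cpp, const char *cp, size_t cap)
{
    size_t len = bounded_len(cp, cap);
    if (len == cap) return -1;                    /* no terminator: reject */
    return set_byte_array_checked((void **)cpp, cp, len + 1, 1);
}

/* Self-check: a constructed 4-byte buffer with no NUL must be rejected,
 * a proper C string must be copied intact. Returns 1 when both hold. */
static int demo(void)
{
    char unterminated[4] = {'a', 'b', 'c', 'd'};  /* constructed sample */
    char *out = NULL;
    int rejected = set_string_bounded(&out, unterminated, sizeof unterminated);
    int ok = set_string_bounded(&out, "desc", 5);
    int good = rejected == -1 && ok == 0 && out != NULL && strcmp(out, "desc") == 0;
    free(out);
    return good;
}
```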
Comment 3 Swamp Workflow Management 2016-06-15 22:01:20 UTC
bugbot adjusting priority
Comment 5 Petr Gajdos 2018-05-18 10:37:02 UTC
http://bugzilla.maptools.org/show_bug.cgi?id=2555

BEFORE

12/tiff

$ valgrind -q rgb2ycbcr CVE-2016-5315.tif out.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 464 (0x1d0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 642 (0x282) encountered.
TIFFFetchNormalTag: Warning, Incompatible type for "DocumentName"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
$

11/tiff

$ valgrind -q rgb2ycbcr CVE-2016-5315.tif out.tif
TIFFReadDirectory: Warning, CVE-2016-5315.tif: unknown field with tag 464 (0x1d0) encountered.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: wrong data type 7427 for "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: wrong data type 0 for "ImageWidth"; tag ignored.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: unknown field with tag 642 (0x282) encountered.
TIFFReadDirectory: Warning, CVE-2016-5315.tif: wrong data type 38732 for "DocumentName"; tag ignored.
CVE-2016-5315.tif: Error fetching data for field "DocumentName".
CVE-2016-5315.tif: Warning, incorrect count for field "StripOffsets" (1, expecting 32); tag ignored.
CVE-2016-5315.tif: Warning, incorrect count for field "StripByteCounts" (97, expecting 32); tag trimmed.
MissingRequired: CVE-2016-5315.tif: TIFF directory is missing required "Colormap" field.
$
[no issues observed]


PATCH

Upstream closed this bug as duplicate of bug #2554, which was fixed by a change with CVE-2016-5875:
https://gitlab.com/libtiff/libtiff/commit/bf5b698868b0b16f14cc03d83d74cdcd9e98983e
While I do not encounter any issues with the testcase and this commit is already part of 11/tiff/tiff-3.8.2-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch and 12/tiff has this fix already in through version update, I consider this already fixed. I will adjust rpm changelog in this regard.
Comment 6 Petr Gajdos 2018-05-18 10:37:44 UTC
Will submit the rpm changelog adjustment for: 11/tiff and 10sp3/tiff
Comment 7 Petr Gajdos 2018-05-18 11:09:01 UTC
Packages submitted:
12/tiff:    165341
11/tiff:    165349
10sp3/tiff: 165350

@Michael, after you review these requests and after you accept and resubmit packages in case everything's ok, I think you can reassign this bug to security-team@.
Comment 9 Swamp Workflow Management 2018-05-30 13:16:03 UTC
SUSE-SU-2018:1472-1: An update that solves 14 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1017694,1031250,1031254,1033109,1033111,1033112,1033113,1033120,1033126,1033127,1033129,1074317,984808,984809,984831,987351
CVE References: CVE-2016-10267,CVE-2016-10269,CVE-2016-10270,CVE-2016-5314,CVE-2016-5315,CVE-2017-18013,CVE-2017-7593,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.6.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.6.1
Comment 10 Petr Gajdos 2018-06-05 07:55:01 UTC
I think this can be closed.