Bug 984837 - (CVE-2016-5316) VUL-0: tiff: CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/170096/
CVSSv2:RedHat:CVE-2016-5316:4.3:(AV:N...
Reported: 2016-06-15 12:01 UTC by Marcus Meissner
Modified: 2016-10-13 15:12 UTC (History)
Found By: Security Response Team
Attachments
rep (4.51 KB, image/tiff)
2016-07-12 07:50 UTC, Andreas Stieger

Description Marcus Meissner 2016-06-15 12:01:20 UTC
http://seclists.org/oss-sec/2016/q2/545

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegal read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5316
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======

Segmentation fault occurs in PixarLogCleanup() in tif_pixarlog.c when using the rgb2ycbcr tool followed by a crafted TIFF 
image. Attackers could exploit this issue to cause denial-of-service.


Here is the stack info:
gdb --args ./rgb2ycbcr PixarLogCleanup.tif tmpout.tif
--- ---
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x75757575) at malloc.c:2952
2952           if (chunk_is_mmapped (p))                       /* release mmapped memory. */
Missing separate debuginfos, use: dnf debuginfo-install libjpeg-turbo-1.4.1-2.fc23.i686 zlib-1.2.8-9.fc23.i686
(gdb) bt
#0  __GI___libc_free (mem=0x75757575) at malloc.c:2952
#1  0xb7df0a4c in zcfree () from /usr/lib/libz.so.1
#2  0xb7dedd3e in inflateEnd () from /usr/lib/libz.so.1
#3  0xb7f72044 in PixarLogCleanup (tif=0x804f148) at tif_pixarlog.c:1264
#4  0xb7ec29ae in TIFFReadDirectory (tif=0x804f148) at tif_dirread.c:3412
#5  0x0804942d in main (argc=3, argv=0xbffff3a4) at rgb2ycbcr.c:132
Comment 1 Marcus Meissner 2016-06-15 12:01:54 UTC
(looks like memory corruption ... not just overread)
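Added example (not part of the bug report or of libtiff): a small triage script that parses the backtrace from the description and shows why the crash reads as an invalid free() rather than a plain over-read. The freed pointer 0x75757575 is one repeated printable byte, which is not a plausible heap address. The "tif_" source-file prefix used to pick the responsible libtiff frame is an assumption based on the file names in the trace.

```python
import re

# Backtrace copied from the bug description above (frames #0-#5).
BACKTRACE = """\
#0  __GI___libc_free (mem=0x75757575) at malloc.c:2952
#1  0xb7df0a4c in zcfree () from /usr/lib/libz.so.1
#2  0xb7dedd3e in inflateEnd () from /usr/lib/libz.so.1
#3  0xb7f72044 in PixarLogCleanup (tif=0x804f148) at tif_pixarlog.c:1264
#4  0xb7ec29ae in TIFFReadDirectory (tif=0x804f148) at tif_dirread.c:3412
#5  0x0804942d in main (argc=3, argv=0xbffff3a4) at rgb2ycbcr.c:132
"""

FRAME = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \((?P<args>[^)]*)\)"
    r"(?: at (?P<file>[^:\s]+):(?P<line>\d+))?(?: from (?P<lib>\S+))?",
    re.M)

def parse_frames(text):
    """Return one dict per gdb frame line: n, func, args, file, line, lib."""
    frames = []
    for m in FRAME.finditer(text):
        args = dict(a.split("=", 1) for a in m["args"].split(", ") if "=" in a)
        frames.append({"n": int(m["n"]), "func": m["func"], "args": args,
                       "file": m["file"], "line": m["line"] and int(m["line"]),
                       "lib": m["lib"]})
    return frames

def repeated_ascii_byte(ptr, width=4):
    """True if every byte of the pointer is the same printable ASCII byte."""
    raw = ptr.to_bytes(width, "little")
    return len(set(raw)) == 1 and 0x20 <= raw[0] < 0x7f

def triage(text, project_prefix="tif_"):
    """Classify the crash and name the first frame inside the library."""
    frames = parse_frames(text)
    top = frames[0]
    freed = int(top["args"]["mem"], 16) if "mem" in top["args"] else None
    # Heuristic (assumption): libtiff sources are the files named tif_*.c.
    owner = next(f for f in frames
                 if f["file"] and f["file"].startswith(project_prefix))
    kind = "other"
    if top["func"].endswith("free") and freed is not None:
        kind = "invalid-free"  # crash is inside free(), not in a read loop
    return {"kind": kind, "freed": freed,
            "pattern": freed is not None and repeated_ascii_byte(freed),
            "owner": (owner["func"], owner["file"], owner["line"])}

if __name__ == "__main__":
    print(triage(BACKTRACE))
```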
Comment 2 Swamp Workflow Management 2016-06-15 22:02:17 UTC
bugbot adjusting priority
Comment 4 Andreas Stieger 2016-07-12 07:50:55 UTC
Created attachment 683846
rep
Comment 5 Swamp Workflow Management 2016-07-27 17:11:02 UTC
openSUSE-SU-2016:1889-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 964225,984808,984831,984837,984842,987351
CVE References: CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.2 (src):    tiff-4.0.6-10.26.1
Comment 6 Fridrich Strba 2016-09-06 07:43:56 UTC
Closing as fixed. Reopen if you think you need to.
Comment 7 Swamp Workflow Management 2016-09-09 10:11:48 UTC
SUSE-SU-2016:2271-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.6-26.3
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.6-26.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.6-26.3
Comment 8 Swamp Workflow Management 2016-09-16 13:10:35 UTC
openSUSE-SU-2016:2321-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE Leap 42.1 (src):    tiff-4.0.6-6.1
Comment 9 Swamp Workflow Management 2016-09-25 10:10:11 UTC
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src):    tiff-4.0.6-8.25.1
Comment 10 Swamp Workflow Management 2016-10-13 15:12:21 UTC
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.168.1