Bug 984842 - (CVE-2016-5317) VUL-1: tiff: CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/170095/
Whiteboard: CVSSv2:SUSE:CVE-2016-5317:5.8:(AV:N/A...
Reported: 2016-06-15 12:18 UTC by Marcus Meissner
Modified: 2018-10-04 22:48 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2016-06-15 12:18:30 UTC
http://seclists.org/oss-sec/2016/q2/547

Details
============
Product: nautilus
Affected Versions: GNOME nautilus <= 3.18.5, libtiff.so <= 4.0.6
Vulnerability Type: out-of-bounds write
Tested system: fedora23 32bit, fedora23 64bit
Vendor URL: https://www.gnome.org/
CVE ID: CVE-2016-5317
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
============
It was always corrupted when I used the nautilus command followed by a specific directory containing a crafted TIFF image. The
out-of-bounds write vulnerability is in PixarLogDecode() in libtiff.so, which does not check the buffer length; this causes
the header data of the next heap chunk to be filled with arbitrary data, and a crash occurs when the next heap chunk is allocated or freed.
Attackers could exploit this issue to crash nautilus, resulting in DoS.

Source info
============
tif_pixarlog.c, lines 1082-1092:

           wp += n + stride - 1;     /* point to last one */
           ip += n + stride - 1;     /* point to last one */
           n -= stride;
           while (n > 0) {
              REPEAT(stride, wp[0] = CLAMP(ip[0]);
                             wp[stride] -= wp[0];
                             wp[stride] &= mask;
                             wp--; ip--)
              n -= stride;
           }
           REPEAT(stride, wp[0] = CLAMP(ip[0]); wp--; ip--)

Debug info
============
gdb --args nautilus .

(gdb) b tif_pixarlog.c:787
Breakpoint 1 at 0xaeba016c: file tif_pixarlog.c, line 787.
(gdb) c
Continuing.

Breakpoint 1, PixarLogDecode (tif=0xaec037a8,
    op=0xaec03bd0 
"\377\377\377\377\377\377\304B\270\016\367\002\377\377\377\377\234}\261\033\033\006\377\377\377\377P\354\032\064}\v\315\001\377\377\377\377\005b\234\025\304\004\377\377\377\377i\270\250(\367\b\243",
 occ=<optimized out>, s=0) at tif_pixarlog.c:787
787                int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
(gdb) x/32xw sp->stream->next_out-8
0xaec03c58:    0x8b8a8988    0x00000055    0xaec000b0    0xaec000b0
0xaec03c68:    0x9b9a9998    0x9f9e9d9c     0xa3a2a1a0     0xa7a6a5a4
(gdb) x/32xw sp->stream->next_out-8+0x50
0xaec03ca8:    0xdbdad9d8    0x00000029    0xaec00060    0xaec00060
0xaec03cb8:    0xebeae9e8     0xefeeedec      0xf3f2f1f0      0xf7f6f5f4

(gdb) finish
(gdb) x/32xw sp->stream->next_out-8
0xaec03c58:    0x8b8a8988    0x00000055    0x86868686    0x93920d0c
0xaec03c68:    0xa09e1a18    0xadaa2724    0xbab63430    0xc7c2413c
(gdb) x/32xw sp->stream->next_out-8+0x50
0xaec03ca8:    0x93920d0c    0x409d1a18    0x4da9c723    0x5ab5d42f
0xaec03cb8:    0x67c1e13b    0x74cdee47    0x81d9fb53    0x8ee5085f

(gdb) c
Continuing.
[Thread 0xb0723b40 (LWP 24948) exited]

Program received signal SIGSEGV, Segmentation fault.
0xb6be4d38 in _int_free (av=0xaec00010, p=<optimized out>, have_lock=0) at malloc.c:4015
4015              unlink(av, nextchunk, bck, fwd);
(gdb) p av
$42 = (mstate) 0xaec00010
(gdb) p nextchunk
$43 = (mchunkptr) 0xaec03c58
(gdb) x/8xw nextchunk
0xaec03c58:    0x8b8a8988    0x00000055    0x86868686    0x93920d0c
0xaec03c68:    0xa09e1a18    0xadaa2724    0xbab63430    0xc7c2413c
(gdb) p bck
$44 = (mchunkptr) 0x93920d0c
(gdb) p fwd
$45 = (mchunkptr) 0x86868686

(gdb) bt
#0  0xb6be4d38 in _int_free (av=0xaec00010, p=<optimized out>, have_lock=0) at malloc.c:4015
#1  0xb6be86e0 in __GI___libc_free (mem=0xaec00010) at malloc.c:2969
#2  0xad3438f8 in _TIFFfree (p=0xaec00010) at tif_unix.c:322
#3  0xad2c2050 in gtTileContig (img=0xadb709d4, raster=0xae51f560, w=34, h=4) at tif_getimage.c:691
#4  0xad2ca517 in TIFFRGBAImageGet (img=0xadb709d4, raster=0xae51f560, w=34, h=4) at tif_getimage.c:500
#5  0xad2ca73c in TIFFReadRGBAImageOriented (tif=0xae505be8, rwidth=34, rheight=4, raster=0xae51f560, orientation=1, 
stop=1) at tif_getimage.c:519
#6  0xae71b37f in tiff_image_parse () from /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-tiff.so
#7  0xae71b94e in gdk_pixbuf.tiff_image_stop_load () from /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-tiff.so
#8  0xb75283e3 in gdk_pixbuf_loader_close () from /usr/lib/libgdk_pixbuf-2.0.so.0
#9  0xb7f5edb5 in _gdk_pixbuf_new_from_uri_at_scale.constprop.7 () from /usr/lib/libgnome-desktop-3.so.12
#10 0xb7f5f41b in gnome_desktop_thumbnail_factory_generate_thumbnail () from /usr/lib/libgnome-desktop-3.so.12
#11 0x800e0ef9 in thumbnail_thread_start ()
#12 0xb6d45452 in start_thread (arg=0xadb72b40) at pthread_create.c:334
#13 0xb6c6925e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:122


Best regards,
Kaixiang Zhang
------
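The length check the advisory describes as missing, shown as an added example that is neither libtiff's code nor the reporter's: a decode-side stride delta loop (the inverse of the differencing loop quoted above) that refuses to write when the stored sample count does not fit the caller's buffer or is not a whole number of pixels. The function name, its parameters and the sample data are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stride-based horizontal delta reconstruction, the decode-side counterpart
 * of the differencing loop quoted in the advisory: each channel value is the
 * previous pixel's value for that channel plus the stored difference, masked
 * to the sample width. Added illustration, not libtiff code: the function,
 * its parameters and both checks are this example's own.
 *
 * out_len plays the role of the decoder's output-buffer size (the 'occ'
 * argument seen in the gdb session). Returns samples written, or -1 when
 * the data could not be placed in the buffer safely. */
long delta_accumulate(uint8_t *out, size_t out_len,
                      const uint8_t *in, size_t nsamples,
                      size_t stride, uint8_t mask)
{
    size_t i;
    if (out == NULL || in == NULL || stride == 0 || nsamples == 0)
        return -1;
    /* The length check the advisory reports as absent: the number of
     * samples to write must fit the buffer the caller handed in. */
    if (nsamples > out_len)
        return -1;
    /* The loop advances one whole pixel (stride samples) at a time; a count
     * that is not a multiple of stride would step past the last sample. */
    if (nsamples % stride != 0)
        return -1;
    for (i = 0; i < stride; i++)          /* first pixel is stored literally */
        out[i] = in[i] & mask;
    for (i = stride; i < nsamples; i++)   /* accumulate against previous pixel */
        out[i] = (uint8_t)((out[i - stride] + in[i]) & mask);
    return (long)nsamples;
}

int main(void)
{
    /* Constructed 3-pixel RGB delta stream (stride 3, 8-bit samples). */
    const uint8_t deltas[9] = { 10, 20, 30, 1, 2, 3, 0xff, 0, 1 };
    uint8_t pixels[9];
    uint8_t small[6];
    long n = delta_accumulate(pixels, sizeof pixels, deltas, 9, 3, 0xff);
    printf("decoded %ld samples, last pixel = %u %u %u\n",
           n, pixels[6], pixels[7], pixels[8]);
    /* The same stream into a 6-byte buffer is refused instead of overrun. */
    printf("into 6-byte buffer: %ld\n",
           delta_accumulate(small, sizeof small, deltas, 9, 3, 0xff));
    return 0;
}
```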
Comment 1 Swamp Workflow Management 2016-06-15 22:02:29 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-07-27 17:11:10 UTC
openSUSE-SU-2016:1889-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 964225,984808,984831,984837,984842,987351
CVE References: CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.2 (src):    tiff-4.0.6-10.26.1
Comment 3 Fridrich Strba 2016-09-06 07:43:27 UTC
Closing as fixed. Reopen if you think you need to.
Comment 4 Marcus Meissner 2016-09-06 08:08:03 UTC
no sle fixes done?
Comment 5 Swamp Workflow Management 2016-09-09 10:11:56 UTC
SUSE-SU-2016:2271-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.6-26.3
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.6-26.3
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.6-26.3
Comment 6 Swamp Workflow Management 2016-09-16 13:10:46 UTC
openSUSE-SU-2016:2321-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964225,973340,984808,984831,984837,984842,987351
CVE References: CVE-2015-8781,CVE-2015-8782,CVE-2015-8783,CVE-2016-3186,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE Leap 42.1 (src):    tiff-4.0.6-6.1
Comment 7 Swamp Workflow Management 2016-09-25 10:10:20 UTC
openSUSE-SU-2016:2375-1: An update that fixes 9 vulnerabilities is now available.

Category: security (moderate)
Bug References: 974614,974618,975069,975070,984808,984831,984837,984842,987351
CVE References: CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-3991,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
openSUSE 13.1 (src):    tiff-4.0.6-8.25.1
Comment 9 Swamp Workflow Management 2016-10-13 15:12:33 UTC
SUSE-SU-2016:2527-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 973340,974449,974614,974618,975069,984808,984831,984837,984842,987351
CVE References: CVE-2016-3186,CVE-2016-3622,CVE-2016-3623,CVE-2016-3945,CVE-2016-3990,CVE-2016-5314,CVE-2016-5316,CVE-2016-5317,CVE-2016-5320,CVE-2016-5875
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.168.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.168.1