Bug 1010161 - (CVE-2016-9297) VUL-0: CVE-2016-9297: tiff: tif_dirread.c read outside buffer in _TIFFPrintField()
(CVE-2016-9297)
VUL-0: CVE-2016-9297: tiff: tif_dirread.c read outside buffer in _TIFFPrintFi...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Fridrich Strba
Security Team bot
https://smash.suse.de/issue/176326/
CVSSv2:RedHat:CVE-2016-9297:4.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-11-15 10:18 UTC by Alexander Bergmann
Modified: 2017-01-08 00:17 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Reproducer (67 bytes, application/x-gzip)
2016-11-15 10:21 UTC, Alexander Bergmann
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-11-15 10:18:27 UTC
CVE-2016-9297

http://bugzilla.maptools.org/show_bug.cgi?id=2590

AddressSanitizer: SEGV on unknown address 0x7faf9b2d2000

* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that
  values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
  access are null terminated, to avoid potential read outside buffer
  in _TIFFPrintField().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9297
http://seclists.org/oss-sec/2016/q4/421
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9297.html
Comment 1 Alexander Bergmann 2016-11-15 10:21:58 UTC
Created attachment 702019 [details]
Reproducer

Copied from: http://bugzilla.maptools.org/show_bug.cgi?id=2590

Triggered in libtiff 4.0.6 with AFL and ASAN. Only crashes if I LD_PRELOAD
AFL's libdislocator (more info: https://github.com/mirrorer/afl/tree/master/libdislocator).

LD_PRELOAD=/root/afl-2.35b/libdislocator/libdislocator.so ./tiffinfo -i test000
Comment 2 Swamp Workflow Management 2016-11-15 23:00:22 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-11-17 09:48:33 UTC
assuming sle11 and older not affected (does not have the tags),
sle12 affected.
Comment 4 Mikhail Kasimov 2016-11-19 00:30:20 UTC
Updated info about CVE-2016-9297: http://seclists.org/oss-sec/2016/q4/460

See https://bugzilla.opensuse.org/show_bug.cgi?id=1011103 report (CVE-2016-9448).
Comment 5 Swamp Workflow Management 2016-12-07 14:09:11 UTC
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src):    tiff-4.0.7-10.35.1
Comment 6 Swamp Workflow Management 2016-12-29 23:15:55 UTC
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-35.1
Comment 7 Andreas Stieger 2017-01-07 20:35:03 UTC
release openSUSE, all done
Comment 8 Swamp Workflow Management 2017-01-08 00:17:07 UTC
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-12.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-12.1