Bug ID | 1017694 |
---|---|
Summary | VUL-0: libtiff: multiple divide-by-zero |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.2 |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | mikhail.kasimov@gmail.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
Ref: http://seclists.org/oss-sec/2017/q1/2

===========================================

Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

Some crafted images, through fuzzing, revealed multiple divisions by zero. Given the number of issues, I will post only the relevant part of each stacktrace.

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
Reproducer: https://github.com/asarubbo/poc/blob/master/00064-libtiff-fpe-TIFFReadEncodedStrip

Relevant part of the stacktrace:

# tiffcp $FILE /tmp/foo
==12079==ERROR: AddressSanitizer: FPE on unknown address 0x7fd319436251 (pc 0x7fd319436251 bp 0x7fff851e3d80 sp 0x7fff851e3d30 T0)
    #0 0x7fd319436250 in TIFFReadEncodedStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:351:22

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
Reproducer: https://github.com/asarubbo/poc/blob/master/00083-libtiff-fpe-OJPEGDecodeRaw

Relevant part of the stacktrace:

# tiffmedian $FILE /tmp/foo
==28106==ERROR: AddressSanitizer: FPE on unknown address 0x7faeae7f744e (pc 0x7faeae7f744e bp 0x7ffceab45e40 sp 0x7ffceab45ce0 T0)
    #0 0x7faeae7f744d in OJPEGDecodeRaw /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_ojpeg.c:816:8

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/d3c5426395dc53e3345712ac7246c29db9fed8fa
Reproducer: https://github.com/asarubbo/poc/blob/master/00099-libtiff-fpe-readSeparateStripsIntoBuffer

Relevant part of the stacktrace:

# tiffcrop $FILE /tmp/foo
==19098==ERROR: AddressSanitizer: FPE on unknown address 0x000000523acf (pc 0x000000523acf bp 0x7ffcb22ada30 sp 0x7ffcb22ad780 T0)
    #0 0x523ace in readSeparateStripsIntoBuffer /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:4841:36

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/a87eb62049f446204ed62c939f965eb76bd98001
Reproducer: https://github.com/asarubbo/poc/blob/master/00065-libtiff-fpe-readSeparateTilesIntoBuffer

Relevant part of the stacktrace:

# tiffcp $FILE /tmp/foo
==13262==ERROR: AddressSanitizer: FPE on unknown address 0x00000051c43b (pc 0x00000051c43b bp 0x7ffdc8d81d70 sp 0x7ffdc8d81b20 T0)
    #0 0x51c43a in readSeparateTilesIntoBuffer /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1434:9

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/296803e79542f5523be1009d64574507b9acc239
Reproducer: https://github.com/asarubbo/poc/blob/master/00073-libtiff-fpe-writeBufferToSeparateTiles

Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==3614==ERROR: AddressSanitizer: FPE on unknown address 0x00000051650a (pc 0x00000051650a bp 0x7fff41587d30 sp 0x7fff41587b00 T0)
    #0 0x516509 in writeBufferToSeparateTiles /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1591:13

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-11-20: started to post the issues to upstream
2017-01-01: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero

--
Agostino Sarubbo
Gentoo Linux Developer

===========================================

https://software.opensuse.org/package/libtiff5

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7
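All five reports above end in SIGFPE inside strip or tile arithmetic, i.e. a divisor that the reader took straight from the image's own tags was zero. The following is an added example, not code from this report, from the oss-sec post, or from libtiff: a small parser for a TIFF IFD (hypothetical names build_tiff, strip_geometry, strips_per_plane_for, strips_per_image_for) that derives strip counts from RowsPerStrip and SamplesPerPixel and rejects a zero divisor before dividing. The input is a constructed header plus one IFD with no pixel data, and the code does not reproduce the exact expressions at the tif_read.c and tiffcp.c lines cited above; it shows the bug class and the check the fixes add.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TIFF 6.0 tag numbers and field types used below. */
enum { TAG_IMAGEWIDTH = 256, TAG_IMAGELENGTH = 257, TAG_SAMPLESPERPIXEL = 277,
       TAG_ROWSPERSTRIP = 278, TAG_PLANARCONFIG = 284 };
enum { TYPE_SHORT = 3, TYPE_LONG = 4 };

struct geom {
    uint32_t width, length, rowsperstrip;
    uint16_t samplesperpixel, planarconfig;
    uint32_t strips_per_plane, strips_per_image;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Constructed input (hypothetical helper): a minimal little-endian TIFF, header plus one IFD
 * with five inline tags and no pixel data. Returns the number of bytes written. */
size_t build_tiff(uint8_t *out, uint32_t width, uint32_t length, uint32_t rowsperstrip,
                  uint16_t spp, uint16_t planar)
{
    const struct { uint16_t tag, type; uint32_t val; } ent[5] = {
        { TAG_IMAGEWIDTH, TYPE_LONG, width },        { TAG_IMAGELENGTH, TYPE_LONG, length },
        { TAG_SAMPLESPERPIXEL, TYPE_SHORT, spp },    { TAG_ROWSPERSTRIP, TYPE_LONG, rowsperstrip },
        { TAG_PLANARCONFIG, TYPE_SHORT, planar },
    };
    uint8_t *p = out;
    memcpy(p, "II", 2); wr16(p + 2, 42); wr32(p + 4, 8); p += 8;   /* byte order, magic, IFD offset */
    wr16(p, 5); p += 2;                                              /* number of IFD entries */
    for (int i = 0; i < 5; i++, p += 12) {
        wr16(p, ent[i].tag); wr16(p + 2, ent[i].type); wr32(p + 4, 1); /* count 1: value is inline */
        wr32(p + 8, 0);                                              /* SHORT is left-justified */
        if (ent[i].type == TYPE_SHORT) wr16(p + 8, (uint16_t)ent[i].val); else wr32(p + 8, ent[i].val);
    }
    wr32(p, 0); p += 4;                                              /* no next IFD */
    return (size_t)(p - out);
}

/* Parse the first IFD and derive strip counts. Returns 0 on success, -1 on a malformed file.
 * RowsPerStrip and SamplesPerPixel both end up as divisors and both come from the file, so
 * they are checked for zero first; skipping that check is what turns a crafted file into SIGFPE. */
int strip_geometry(const uint8_t *buf, size_t n, struct geom *g)
{
    if (n < 8 || memcmp(buf, "II", 2) != 0 || rd16(buf + 2) != 42) return -1;
    size_t ifd = rd32(buf + 4);
    if (ifd + 2 > n) return -1;
    uint16_t count = rd16(buf + ifd);
    if (ifd + 2 + (size_t)count * 12 + 4 > n) return -1;             /* IFD must fit in the buffer */
    memset(g, 0, sizeof *g);
    g->samplesperpixel = 1; g->planarconfig = 1; g->rowsperstrip = UINT32_MAX; /* TIFF defaults */
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        if (rd32(e + 4) != 1) continue;                              /* only single inline values */
        uint32_t v = type == TYPE_SHORT ? rd16(e + 8) : type == TYPE_LONG ? rd32(e + 8) : 0;
        switch (tag) {
        case TAG_IMAGEWIDTH:      g->width = v; break;
        case TAG_IMAGELENGTH:     g->length = v; break;
        case TAG_SAMPLESPERPIXEL: g->samplesperpixel = (uint16_t)v; break;
        case TAG_ROWSPERSTRIP:    g->rowsperstrip = v; break;
        case TAG_PLANARCONFIG:    g->planarconfig = (uint16_t)v; break;
        default: break;
        }
    }
    if (g->width == 0 || g->length == 0) return -1;
    if (g->rowsperstrip == 0 || g->samplesperpixel == 0) return -1;  /* the divide-by-zero guard */
    if (g->planarconfig != 1 && g->planarconfig != 2) return -1;
    uint32_t rps = g->rowsperstrip < g->length ? g->rowsperstrip : g->length; /* default 2^32-1 = one strip */
    g->strips_per_plane = (uint32_t)(((uint64_t)g->length + rps - 1) / rps);  /* ceil(length / rps) */
    uint64_t total = g->planarconfig == 2 ? (uint64_t)g->strips_per_plane * g->samplesperpixel
                                          : g->strips_per_plane;
    if (total > UINT32_MAX) return -1;                               /* strip arrays would overflow */
    g->strips_per_image = (uint32_t)total;
    return 0;
}

/* Wrappers returning a plain number (-1 when the file is rejected). */
long strips_per_plane_for(uint32_t length, uint32_t rps, uint16_t spp, uint16_t planar)
{
    uint8_t buf[128]; struct geom g;
    size_t n = build_tiff(buf, 64, length, rps, spp, planar);
    return strip_geometry(buf, n, &g) == 0 ? (long)g.strips_per_plane : -1;
}
long strips_per_image_for(uint32_t length, uint32_t rps, uint16_t spp, uint16_t planar)
{
    uint8_t buf[128]; struct geom g;
    size_t n = build_tiff(buf, 64, length, rps, spp, planar);
    return strip_geometry(buf, n, &g) == 0 ? (long)g.strips_per_image : -1;
}

int main(void)
{
    printf("257 rows, 16 rows/strip, 3 samples, separate planes: %ld strips/plane, %ld strips/image\n",
           strips_per_plane_for(257, 16, 3, 2), strips_per_image_for(257, 16, 3, 2));
    printf("RowsPerStrip = 0 (the fuzzed shape): %ld (rejected before any division)\n",
           strips_per_image_for(257, 0, 3, 2));
    return 0;
}
```

Build it with `cc -std=c99 -fsanitize=address,undefined` to see the other side of the story: remove the zero guard line and UBSan reports an integer division by zero on the RowsPerStrip = 0 input, which is the same class of finding the AFL plus AddressSanitizer runs above produced against the real tools.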