[Bug 1017693] New: VUL-0: libtiff: multiple heap-based buffer overflow

http://bugzilla.opensuse.org/show_bug.cgi?id=1017693

            Bug ID: 1017693
           Summary: VUL-0: libtiff: multiple heap-based buffer overflow
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 42.2
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mikhail.kasimov@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/3

===========================================
Description:
Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.

Some crafted images, through fuzzing, revealed multiple overflows. Due to the number of issues, I will post the relevant part of the stacktrace.

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b...
Reproducer: https://github.com/asarubbo/poc/blob/master/00068-libtiff-heapoverflow-_tiff...
Relevant part of the stacktrace:
# tiffcp -i $FILE /tmp/foo
==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
READ of size 78490 at 0x62500000e861 thread T0
    #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b...
Reproducer: https://github.com/asarubbo/poc/blob/master/00066-libtiff-heapoverflow-TIFFR...
Relevant part of the stacktrace:
# tiffcp -i $FILE /tmp/foo
==14332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f4f0 at pc 0x7f95e90c11ad bp 0x7ffd74ba5ca0 sp 0x7ffd74ba5c98
READ of size 1 at 0x63000000f4f0 thread T0
    #0 0x7f95e90c11ac in TIFFReverseBits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_swab.c:289:27

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/1044b43637fa7f70fb19b93593777b78bd20d...
Reproducer: https://github.com/asarubbo/poc/blob/master/00071-libtiff-heapoverflow-_TIFF...
Relevant part of the stacktrace:
# tiffcp -i $FILE /tmp/foo
==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
READ of size 512 at 0x60200000eef4 thread T0
    #1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d...
Reproducer: https://github.com/asarubbo/poc/blob/master/00074-libtiff-heapoverflow-TIFFF...
Relevant part of the stacktrace:
# tiffcp -i $FILE /tmp/foo
==15106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd8 at pc 0x7f33918c5de3 bp 0x7ffc5abe6ba0 sp 0x7ffc5abe6b98
READ of size 8 at 0x60200000edd8 thread T0
    #0 0x7f33918c5de2 in TIFFFillStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:523:22

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0b...
Reproducer: https://github.com/asarubbo/poc/blob/master/00100-libtiff-heapoverflow-_TIFF...
Relevant part of the stacktrace:
# tiffcrop -i $FILE /tmp/foo
==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548
READ of size 1 at 0x7fd3b2e277f8 thread T0
    #0 0x7fd3b7a762cb in _TIFFFax3fillruns /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0b...
Reproducer: https://github.com/asarubbo/poc/blob/master/00102-libtiff-heapoverflow-_TIFF...
Relevant part of the stacktrace:
# tiffcrop -i $FILE /tmp/foo
==988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001ccff at pc 0x0000004bc00c bp 0x7fff920da690 sp 0x7fff920d9e40
WRITE of size 1 at 0x62100001ccff thread T0
    #1 0x7f49edd6af0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/b4b41925115059b49f97432bda0613411df2f...
Reproducer: https://github.com/asarubbo/poc/blob/master/00067-libtiff-heapoverflow-tiffc...
Relevant part of the stacktrace:
# tiffcp -i $FILE /tmp/foo
==7788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd3 at pc 0x0000004629ac bp 0x7ffe4adf8df0 sp 0x7ffe4adf85a0
READ of size 1 at 0x60200000edd3 thread T0
    #1 0x50d6a5 in tiffcp /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:784:57

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: Upstream said that the previous changes fix this too. It needs to be bisected.
Reproducer: https://github.com/asarubbo/poc/blob/master/00079-libtiff-heapoverflow-cpSep...
Relevant part of the stacktrace:
# tiffcp -i $FILE /tmp/foo
==25645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f651cc3b800 at pc 0x00000051ef24 bp 0x7ffec0573a70 sp 0x7ffec0573a68
READ of size 16 at 0x7f651cc3b800 thread T0
    #0 0x51ef23 in cpSeparateBufToContigBuf /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1209:14

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070f...
Reproducer: https://github.com/asarubbo/poc/blob/master/00082-libtiff-heap-overflow-cpSt...
Relevant part of the stacktrace:
# tiffcp -i $FILE /tmp/foo
==20438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef2adde803 at pc 0x00000051befa bp 0x7ffd3ee26b50 sp 0x7ffd3ee26b48
WRITE of size 16 at 0x7fef2adde803 thread T0
    #0 0x51bef9 in cpStripToTile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1171:11

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: Upstream said that the previous changes fix this too. It needs to be bisected.
Reproducer: https://github.com/asarubbo/poc/blob/master/00103-libtiff-heapoverflow-NeXTD...
Relevant part of the stacktrace:
# tiffcrop -i $FILE /tmp/foo
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
WRITE of size 2048 at 0x62d00000a3fc thread T0
    #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: Upstream said that the previous changes fix this too. It needs to be bisected.
Reproducer: https://github.com/asarubbo/poc/blob/master/00102-libtiff-heapoverflow-_TIFF...
Relevant part of the stacktrace:
# tiffcrop -i $FILE /tmp/foo
==23091==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed2 at pc 0x0000004629dc bp 0x7fff8d1e2950 sp 0x7fff8d1e2100
READ of size 1 at 0x60200000eed2 thread T0
    #1 0x53277f in writeCroppedImage /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:7940:23

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2db...
Reproducer: https://github.com/asarubbo/poc/blob/master/00108-libtiff-heapoverflow-PSDat...
Relevant part of the stacktrace:
# tiff2ps $FILE
==32416==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee91 at pc 0x00000051ea78 bp 0x7ffd76b73dd0 sp 0x7ffd76b73dc8
READ of size 1 at 0x60200000ee91 thread T0
    #0 0x51ea77 in PSDataBW /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2ps.c:2703:21

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2db...
Reproducer: https://github.com/asarubbo/poc/blob/master/00107-libtiff-heapoverflow-PSDat...
Relevant part of the stacktrace:
# tiff2ps $FILE
==31384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee54 at pc 0x000000518b75 bp 0x7fff437bfdb0 sp 0x7fff437bfda8
READ of size 1 at 0x60200000ee54 thread T0
    #0 0x518b74 in PSDataColorContig /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiff2ps.c:2470:2

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/bd9d7670d0224412b3bd146e221658211ece8...
Reproducer: https://github.com/asarubbo/poc/blob/master/00101-libtiff-heapoverflow-combi...
Relevant part of the stacktrace:
# tiffcrop -i $FILE /tmp/foo
==8016==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef1 at pc 0x000000530805 bp 0x7ffeb0d41770 sp 0x7ffeb0d41768
READ of size 1 at 0x60200000eef1 thread T0
    #0 0x530804 in combineSeparateSamples16bits /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:3913:20

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b09692...
Reproducer: https://github.com/asarubbo/poc/blob/master/00112-libtiff-heapoverflow-_TIFF...
Relevant part of the stacktrace:
# tiff2pdf $FILE -o foo
==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea11 at pc 0x0000004bc10c bp 0x7fffd59abc40 sp 0x7fffd59ab3f0
WRITE of size 2 at 0x60200000ea11 thread T0
    #1 0x7fd49c1adf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

###############################################

Affected version / Tested on: 4.0.7
Fixed version: N/A
Commit fix: N/A
Reproducer: https://github.com/asarubbo/poc/blob/master/00109-libtiff-heapoverflow-putco...
Relevant part of the stacktrace:
# tiff2rgba $FILE /tmp/foo
==20699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000ed12 at pc 0x7f49ab2c134c bp 0x7ffc7e4eda30 sp 0x7ffc7e4eda28
READ of size 1 at 0x62500000ed12 thread T0
    #0 0x7f49ab2c134b in putcontig8bitYCbCr44tile /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_getimage.c:1885:28

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-11-20: started to post the issues to upstream
2017-01-01: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-o...

--
Agostino Sarubbo
Gentoo Linux Developer
===========================================

https://software.opensuse.org/package/libtiff5
TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7

--
You are receiving this mail because:
You are on the CC list for the bug.
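The report above lists sixteen separate AddressSanitizer traces, several of which end in the same frame (for instance three distinct reproducers all land in _TIFFmemcpy at tif_unix.c:340) and which the advisory itself says may share a root cause ("the previous changes fix this too, it needs to be bisected"). When a batch of fuzzer findings like this arrives, the first triage step is to dedupe by crash site and rank WRITE accesses ahead of READs, since an out-of-bounds write is the more dangerous memory-safety outcome. The following Python is an added example of that triage, not code from the advisory, libtiff or the bug tracker; the sample input is four of the traces quoted above, copied verbatim, and the "####" separator convention is assumed from the advisory's own layout.

```python
import re

# Four of the ASan reports quoted in the advisory above, copied verbatim.
# Reports are separated by the advisory's own "####..." lines.
SAMPLE_REPORTS = """\
# tiffcp -i $FILE /tmp/foo
==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
READ of size 78490 at 0x62500000e861 thread T0
    #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23
###############################################
#tiffcp -i $FILE /tmp/foo
==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
READ of size 512 at 0x60200000eef4 thread T0
    #1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
###############################################
# tiffcrop -i $FILE /tmp/foo
==988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001ccff at pc 0x0000004bc00c bp 0x7fff920da690 sp 0x7fff920d9e40
WRITE of size 1 at 0x62100001ccff thread T0
    #1 0x7f49edd6af0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
###############################################
# tiff2pdf $FILE -o foo
==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea11 at pc 0x0000004bc10c bp 0x7fffd59abc40 sp 0x7fffd59ab3f0
WRITE of size 2 at 0x60200000ea11 thread T0
    #1 0x7fd49c1adf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
"""

# Line shapes taken from the ASan output format as shown in the advisory.
CMD_RE = re.compile(r"^#\s*(?P<tool>[A-Za-z]\S*)")          # "# tiffcp ..." / "#tiffcp ..."
ERROR_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<path>\S+?):(?P<line>\d+)(?::\d+)?$")


def parse_asan_reports(text):
    """Split a text of '####'-separated ASan reports into one dict per report."""
    reports, cur = [], None

    def flush():
        nonlocal cur
        if cur is not None and "kind" in cur:
            reports.append(cur)
        cur = None

    for line in text.splitlines():
        if line.startswith("###"):                 # separator between reports
            flush()
            continue
        m = CMD_RE.match(line)
        if m:                                      # the command that was run
            flush()
            cur = {"tool": m.group("tool"), "frames": []}
            continue
        if cur is None:                            # report without a command line
            cur = {"tool": None, "frames": []}
        m = ERROR_RE.match(line)
        if m:
            cur.update(pid=int(m.group("pid")), kind=m.group("kind"), addr=m.group("addr"))
            continue
        m = ACCESS_RE.match(line)
        if m:
            cur.update(access=m.group("access"), size=int(m.group("size")))
            continue
        m = FRAME_RE.match(line)
        if m:                                      # keep (function, file, line) of each frame shown
            cur["frames"].append((m.group("func"), m.group("path").rsplit("/", 1)[-1], int(m.group("line"))))
    flush()
    return reports


def triage(reports):
    """Group reports by the first frame's file:line; WRITEs first, then larger accesses."""
    sites = {}
    for r in reports:
        if not r["frames"]:
            continue
        func, fname, line = r["frames"][0]
        key = f"{fname}:{line}"
        s = sites.setdefault(key, {"function": func, "access": "READ", "max_size": 0,
                                   "tools": set(), "count": 0})
        s["count"] += 1
        s["tools"].add(r["tool"])
        s["max_size"] = max(s["max_size"], r.get("size", 0))
        if r.get("access") == "WRITE":             # one WRITE makes the whole site a WRITE site
            s["access"] = "WRITE"
    order = sorted(sites, key=lambda k: (sites[k]["access"] != "WRITE", -sites[k]["max_size"]))
    return [(k, sites[k]) for k in order]


if __name__ == "__main__":
    for site, info in triage(parse_asan_reports(SAMPLE_REPORTS)):
        print(f"{info['access']:5} {site:18} {info['function']:16} "
              f"reports={info['count']} max_size={info['max_size']} tools={sorted(info['tools'])}")
```

Sites that collapse several reproducers and several tools into one file:line are the ones to fix (or bisect) first: one patch there closes multiple findings, which is what the advisory reports upstream saying about the entries marked "needs to be bisected".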

http://bugzilla.opensuse.org/show_bug.cgi?id=1017693

Mikhail Kasimov <mikhail.kasimov@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|VUL-0: libtiff: multiple    |VUL-0: CVE-2016-10092,
                   |heap-based buffer overflow  |CVE-2016-10093,
                   |                            |CVE-2016-10094: libtiff:
                   |                            |multiple heap-based buffer
                   |                            |overflow
              Alias|                            |CVE-2016-10092