http://bugzilla.opensuse.org/show_bug.cgi?id=1017694 Bug ID: 1017694 Summary: VUL-0: libtiff: multiple divide-by-zero Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q1/2 =========================================== Description: Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. Some crafted images, through a fuzzing revealed multiple division by zero. Since the number of the issues, I will post the relevant part of the stacktrace. Affected version / Tested on: 4.0.7 Fixed version: N/A Commit fix: https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe22... Reproducer: https://github.com/asarubbo/poc/blob/master/00064-libtiff-fpe-TIFFReadEncode... Relevant part of the stacktrace: # tiffcp $FILE /tmp/foo ==12079==ERROR: AddressSanitizer: FPE on unknown address 0x7fd319436251 (pc 0x7fd319436251 bp 0x7fff851e3d80 sp 0x7fff851e3d30 T0) #0 0x7fd319436250 in TIFFReadEncodedStrip /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:351:22 ############################################### Affected version / Tested on: 4.0.7 Fixed version: N/A Commit fix: https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c... Reproducer: https://github.com/asarubbo/poc/blob/master/00083-libtiff-fpe-OJPEGDecodeRaw Relevant part of the stacktrace: # tiffmedia $FILE /tmp/foo ==28106==ERROR: AddressSanitizer: FPE on unknown address 0x7faeae7f744e (pc 0x7faeae7f744e bp 0x7ffceab45e40 sp 0x7ffceab45ce0 T0) #0 0x7faeae7f744d in OJPEGDecodeRaw /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_ojpeg.c:816:8 ############################################### Affected version / Tested on: 4.0.7 Fixed version: N/A Commit fix: https://github.com/vadz/libtiff/commit/d3c5426395dc53e3345712ac7246c29db9fed... Reproducer: https://github.com/asarubbo/poc/blob/master/00099-libtiff-fpe-readSeparateSt... Relevant part of the stacktrace: # tiffcrop $FILE /tmp/foo ==19098==ERROR: AddressSanitizer: FPE on unknown address 0x000000523acf (pc 0x000000523acf bp 0x7ffcb22ada30 sp 0x7ffcb22ad780 T0) #0 0x523ace in readSeparateStripsIntoBuffer /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:4841:36 ############################################### Affected version / Tested on: 4.0.7 Fixed version: N/A Commit fix: https://github.com/vadz/libtiff/commit/a87eb62049f446204ed62c939f965eb76bd98... Reproducer: https://github.com/asarubbo/poc/blob/master/00065-libtiff-fpe-readSeparateTi... Relevant part of the stacktrace: # tiffcp $FILE /tmp/foo ==13262==ERROR: AddressSanitizer: FPE on unknown address 0x00000051c43b (pc 0x00000051c43b bp 0x7ffdc8d81d70 sp 0x7ffdc8d81b20 T0) #0 0x51c43a in readSeparateTilesIntoBuffer /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1434:9 ############################################### Affected version / Tested on: 4.0.7 Fixed version: N/A Commit fix: https://github.com/vadz/libtiff/commit/296803e79542f5523be1009d64574507b9acc... Reproducer: https://github.com/asarubbo/poc/blob/master/00073-libtiff-fpe-writeBufferToS... Relevant part of the stacktrace: # tiffcp -i $FILE /tmp/foo ==3614==ERROR: AddressSanitizer: FPE on unknown address 0x00000051650a (pc 0x00000051650a bp 0x7fff41587d30 sp 0x7fff41587b00 T0) #0 0x516509 in writeBufferToSeparateTiles /tmp/portage/media- libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1591:13 Credit: These bugs were discovered by Agostino Sarubbo of Gentoo. Timeline: 2016-11-20: started to post the issues to upstream 2017-01-01: blog post about the issue Note: These bugs were found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero -- Agostino Sarubbo Gentoo Linux Developer =========================================== https://software.opensuse.org/package/libtiff5 TW: 4.0.7 42.2: 4.0.6 42.1: 4.0.6 13.2: 4.0.7 -- You are receiving this mail because: You are on the CC list for the bug.