Mailinglist Archive: opensuse-bugs (4227 mails)

< Previous Next >
[Bug 1017694] New: VUL-0: libtiff: multiple divide-by-zero
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Sun, 01 Jan 2017 18:06:25 +0000
  • Message-id: <bug-1017694-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1017694


Bug ID: 1017694
Summary: VUL-0: libtiff: multiple divide-by-zero
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@xxxxxxx
Reporter: mikhail.kasimov@xxxxxxxxx
QA Contact: qa-bugs@xxxxxxx
Found By: ---
Blocker: ---

Ref: http://seclists.org/oss-sec/2017/q1/2
===========================================
Description:
Libtiff is a software that provides support for the Tag Image File Format
(TIFF), a widely used format for storing image data.

Some crafted images, through a fuzzing revealed multiple division by zero.
Since the number of the issues, I will post the relevant part of the
stacktrace.

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/438274f938e046d33cb0e1230b41da32ffe223e1
Reproducer:
https://github.com/asarubbo/poc/blob/master/00064-libtiff-fpe-TIFFReadEncodedStrip
Relevant part of the stacktrace:

# tiffcp $FILE /tmp/foo
==12079==ERROR: AddressSanitizer: FPE on unknown address 0x7fd319436251 (pc
0x7fd319436251 bp 0x7fff851e3d80 sp 0x7fff851e3d30 T0)
#0 0x7fd319436250 in TIFFReadEncodedStrip /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:351:22

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/43bc256d8ae44b92d2734a3c5bc73957a4d7c1ec
Reproducer:
https://github.com/asarubbo/poc/blob/master/00083-libtiff-fpe-OJPEGDecodeRaw
Relevant part of the stacktrace:

# tiffmedia $FILE /tmp/foo
==28106==ERROR: AddressSanitizer: FPE on unknown address 0x7faeae7f744e (pc
0x7faeae7f744e bp 0x7ffceab45e40 sp 0x7ffceab45ce0 T0)
#0 0x7faeae7f744d in OJPEGDecodeRaw /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_ojpeg.c:816:8

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/d3c5426395dc53e3345712ac7246c29db9fed8fa
Reproducer:
https://github.com/asarubbo/poc/blob/master/00099-libtiff-fpe-readSeparateStripsIntoBuffer
Relevant part of the stacktrace:

# tiffcrop $FILE /tmp/foo
==19098==ERROR: AddressSanitizer: FPE on unknown address 0x000000523acf (pc
0x000000523acf bp 0x7ffcb22ada30 sp 0x7ffcb22ad780 T0)
#0 0x523ace in readSeparateStripsIntoBuffer /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcrop.c:4841:36

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/a87eb62049f446204ed62c939f965eb76bd98001
Reproducer:
https://github.com/asarubbo/poc/blob/master/00065-libtiff-fpe-readSeparateTilesIntoBuffer
Relevant part of the stacktrace:

# tiffcp $FILE /tmp/foo
==13262==ERROR: AddressSanitizer: FPE on unknown address 0x00000051c43b (pc
0x00000051c43b bp 0x7ffdc8d81d70 sp 0x7ffdc8d81b20 T0)
#0 0x51c43a in readSeparateTilesIntoBuffer /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1434:9

###############################################

Affected version / Tested on:
4.0.7
Fixed version:
N/A
Commit fix:
https://github.com/vadz/libtiff/commit/296803e79542f5523be1009d64574507b9acc239
Reproducer:
https://github.com/asarubbo/poc/blob/master/00073-libtiff-fpe-writeBufferToSeparateTiles
Relevant part of the stacktrace:

# tiffcp -i $FILE /tmp/foo
==3614==ERROR: AddressSanitizer: FPE on unknown address 0x00000051650a (pc
0x00000051650a bp 0x7fff41587d30 sp 0x7fff41587b00 T0)
#0 0x516509 in writeBufferToSeparateTiles /tmp/portage/media-
libs/tiff-4.0.7/work/tiff-4.0.7/tools/tiffcp.c:1591:13


Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2016-11-20: started to post the issues to upstream
2017-01-01: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-divide-by-zero

--
Agostino Sarubbo
Gentoo Linux Developer
===========================================

https://software.opensuse.org/package/libtiff5

TW: 4.0.7
42.2: 4.0.6
42.1: 4.0.6
13.2: 4.0.7

--
You are receiving this mail because:
You are on the CC list for the bug.
< Previous Next >
This Thread
  • No further messages