Bug 1010163 (CVE-2016-9273)

Summary: VUL-1: CVE-2016-9273: tiff: heap overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Michael Vetter <mvetter>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, karol, meissner, mvetter, pgajdos, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/176289/
Whiteboard: CVSSv2:SUSE:CVE-2016-9273:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2016-9273:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2016-9273:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2016-9273:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv2:RedHat:CVE-2016-9273:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) maint:released:sle10-sp3:64181
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Reproducer

Description Alexander Bergmann 2016-11-15 10:23:38 UTC
CVE-2016-9273

http://bugzilla.maptools.org/show_bug.cgi?id=2587

AddressSanitizer: heap-buffer-overflow READ of size 8

* libtiff/tif_strip.c: make TIFFNumberOfStrips() return the
  td->td_nstrips value when it is non-zero, instead of recomputing it.
  This is needed in TIFF_STRIPCHOP mode where td_nstrips is modified.
  Fixes a read outside of array in tiffsplit
  (or other utilities using TIFFNumberOfStrips()).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9273
http://seclists.org/oss-sec/2016/q4/400
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9273.html
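The changelog entry quoted above says the fix makes TIFFNumberOfStrips() trust td->td_nstrips instead of recomputing it. The model below is added here to show why that matters; it is not libtiff's code and the names Dir, chop_single_strip, number_of_strips_recomputed, number_of_strips_fixed and loop_is_in_bounds are hypothetical. It assumes that strip chopping derives the new strip count from the strip's byte count and resizes the per-strip arrays to that count, while the recomputation uses image height and rows per strip, so a file whose StripByteCounts disagree with its dimensions leaves the two counts different.

```c
#include <stdint.h>
#include <stdlib.h>
/* Simplified model of the directory fields involved; not libtiff's code. */
typedef struct {
    uint32_t imagelength, rowsperstrip, nstrips;
    uint64_t scanlinebytes;
    uint64_t *stripbytecount;   /* exactly nstrips entries are allocated */
} Dir;

#define HOWMANY(x, y) (((x) + ((y) - 1)) / (y))
/* Strip chopping as modelled here: one big strip is split into smaller ones, the
 * new count comes from the strip's byte count, and the array is resized to it. */
void chop_single_strip(Dir *d, uint32_t new_rowsperstrip) {
    uint64_t stripbytes = (uint64_t)new_rowsperstrip * d->scanlinebytes;
    uint32_t n = (uint32_t)HOWMANY(d->stripbytecount[0], stripbytes);
    uint64_t *bc = calloc(n ? n : 1, sizeof *bc);
    if (!bc) exit(1);
    for (uint32_t i = 0; i < n; i++) bc[i] = stripbytes;
    free(d->stripbytecount);
    d->stripbytecount = bc;
    d->nstrips = n;
    d->rowsperstrip = new_rowsperstrip;
}

/* Before the fix: the strip count is always recomputed from image geometry. */
uint32_t number_of_strips_recomputed(const Dir *d) {
    return d->imagelength == 0 ? 0 : HOWMANY(d->imagelength, d->rowsperstrip);
}

/* After the fix: a non-zero stored count (the real array length) wins. */
uint32_t number_of_strips_fixed(const Dir *d) {
    return d->nstrips ? d->nstrips : number_of_strips_recomputed(d);
}

/* A loop indexing stripbytecount[0..count) is in bounds only if count <= nstrips. */
int loop_is_in_bounds(const Dir *d, uint32_t count) {
    return count <= d->nstrips;
}

/* Constructed input: 100 rows of 1000 bytes in one strip, but StripByteCounts
 * claims only 50000 of the 100000 bytes the image geometry implies. */
Dir make_chopped_example(void) {
    Dir d = { .imagelength = 100, .rowsperstrip = 100, .nstrips = 1, .scanlinebytes = 1000 };
    d.stripbytecount = malloc(sizeof *d.stripbytecount);
    if (!d.stripbytecount) exit(1);
    d.stripbytecount[0] = 50000;
    chop_single_strip(&d, 10);   /* 5 strips allocated, but geometry says 10 */
    return d;
}
```

With the constructed input, a caller such as a strip-copying loop that sizes its iteration by the recomputed count reads five entries past the allocated array, which is the kind of out-of-bounds read AddressSanitizer flagged; the fixed count stays within it.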
Comment 1 Alexander Bergmann 2016-11-15 10:25:18 UTC
Created attachment 702021 [details]
Reproducer

Copied from: http://bugzilla.maptools.org/show_bug.cgi?id=2587

Triggered in libtiff 4.0.6 with AFL and ASAN.

./tiffsplit test049
Comment 2 Swamp Workflow Management 2016-11-15 23:00:32 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2016-12-07 14:09:22 UTC
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src):    tiff-4.0.7-10.35.1
Comment 4 Swamp Workflow Management 2016-12-29 23:16:06 UTC
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-35.1
Comment 5 Swamp Workflow Management 2017-01-08 00:17:17 UTC
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-12.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-12.1
Comment 6 Michael Vetter 2018-01-22 14:20:08 UTC
Is this one already fixed?
Comment 7 Karol Babioch 2018-03-23 14:27:41 UTC
SLE10/SLE11 still missing.

Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2587

Upstream fix: https://gitlab.com/libtiff/libtiff/commit/a7abf0ba9044810d8d3104045e3bd840d1569d51
Comment 8 Petr Gajdos 2018-11-14 09:01:54 UTC
4.0.10, 4.0.9
ASAN for the test case from the upstream bug shows only a few leaks related to the tiffsplit tool, probably not harmful.

3.8.2
No valgrind error or leak shown for the test case.
Comment 9 Karol Babioch 2018-11-14 09:19:55 UTC
(In reply to Petr Gajdos from comment #8)
> 3.8.2
> No valgrind error or leak shown for the test case.

Which means we do not have to do anything for SLE10/SLE11 here, correct? In that case I will close the bug and adjust our tracking.
Comment 10 Petr Gajdos 2018-11-14 09:45:47 UTC
There is a follow-up with a revert:

https://gitlab.com/libtiff/libtiff/commit/a7abf0ba9044810d8d3104045e3bd840d1569d51

3.8.2:

BEFORE upstream 2587 bug fix:

$ valgrind -q --leak-check=full tiffsplit test049
TIFFReadDirectory: Warning, test049: unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, test049: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, test049: wrong data type 3 for "TileOffsets"; tag ignored.
MissingRequired: test049: TIFF directory is missing required "StripOffsets" field.
$
[no issues observed]

AFTER upstream 2587 bug fix:

$ valgrind -q --leak-check=full tiffsplit test049
TIFFReadDirectory: Warning, test049: unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, test049: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, test049: wrong data type 3 for "TileOffsets"; tag ignored.
MissingRequired: test049: TIFF directory is missing required "StripOffsets" field.
$

For the upstream 2608 testcase:

$ valgrind -q tiffcp -i 00074-libtiff-heapoverflow-TIFFFillStrip foo
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: unknown field with tag 795 (0x31b) encountered.
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: wrong data type 4 for "DocumentName"; tag ignored.
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: wrong data type 8 for "StripOffsets"; tag ignored.
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: unknown field with tag 65407 (0xff7f) encountered.
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: wrong data type 62981 for "FillOrder"; tag ignored.
TIFFReadDirectory: Warning, 00074-libtiff-heapoverflow-TIFFFillStrip: wrong data type 196 for "YResolution"; tag ignored.
00074-libtiff-heapoverflow-TIFFFillStrip: Warning, Nonstandard tile width 3, convert file.
00074-libtiff-heapoverflow-TIFFFillStrip: Warning, incorrect count for field "ImageWidth" (419430417, expecting 1); tag trimmed.
00074-libtiff-heapoverflow-TIFFFillStrip: Error fetching data for field "ImageWidth".
$
[no issues observed]

Upstream says in the commit log for fix 2608:

"revert the change in TIFFNumberOfStrips() done for http://bugzilla.maptools.org/show_bug.cgi?id=2587 / CVE-2016-9273 since the above change is a better fix that makes it unnecessary."

So, at the end, I guess we can either consider 3.8.2 unaffected (there's no testcase that would exhibit the issue, and the code of tif_dir.c / ChopUpSingleUncompressedStrip() is different) or accept the commit referenced in comment 7 as the fix for this bug. What do you think?
Comment 11 Petr Gajdos 2018-11-14 14:14:21 UTC
(In reply to Karol Babioch from comment #9)
> Which means we do not have to do anything for SLE10/SLE11 here, correct? In
> that case I will close the bug and adjust our tracking.

Yes, at the end I think sle10 and sle11 are unaffected.
Comment 14 Swamp Workflow Management 2018-11-23 20:11:40 UTC
SUSE-SU-2018:3879-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010163,1014461,1040080,1040322,1074186,1099257,1113672,974446,974447,974448,983440
CVE References: CVE-2015-8870,CVE-2016-3619,CVE-2016-3620,CVE-2016-3621,CVE-2016-5319,CVE-2016-9273,CVE-2017-17942,CVE-2017-9117,CVE-2017-9147,CVE-2018-12900,CVE-2018-18661
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.22.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.22.1
Comment 15 Swamp Workflow Management 2018-12-11 10:03:25 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages by 2018-12-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64180