Bug 1011107 - (CVE-2016-9453) VUL-0: CVE-2016-9453: tiff: Out-of-bounds Write memcpy and less bound check in tiff2pdf
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/176602/
CVSSv2:SUSE:CVE-2016-9453:6.8:(AV:N/A...
Depends on:
Blocks:
Reported: 2016-11-19 00:34 UTC by Mikhail Kasimov
Modified: 2019-11-14 15:38 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Mikhail Kasimov 2016-11-19 00:34:52 UTC
Reference:
===================================================
http://bugzilla.maptools.org/show_bug.cgi?id=2579

fixed:
  * tools/tiff2pdf.c: fix read -largely- outside of buffer in
        t2p_readwrite_pdf_image_tile(), causing crash, when reading a
        JPEG compressed image with TIFFTAG_JPEGTABLES length being one.
        Reported as MSVR 35101 by Axel Souchet and Vishal Chauhan from
        the MSRC Vulnerabilities & Mitigations team.
===================================================
Comment 1 Swamp Workflow Management 2016-11-19 22:59:35 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2016-11-21 08:56:10 UTC
Reassigning to tiff maintainer.
Comment 3 Alexander Bergmann 2016-11-23 15:43:00 UTC
Upstream Fix:
https://github.com/vadz/libtiff/commit/d2955714a4a0b8ca10941550cfbf64c7e111fbf1
Comment 4 Swamp Workflow Management 2016-12-07 14:09:42 UTC
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src):    tiff-4.0.7-10.35.1
Comment 5 Swamp Workflow Management 2016-12-29 23:16:27 UTC
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-35.1
Comment 6 Swamp Workflow Management 2017-01-08 00:17:37 UTC
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-12.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-12.1
Comment 7 Michael Vetter 2018-01-22 14:21:19 UTC
Is this one already fixed?
Comment 8 Karol Babioch 2018-03-23 14:32:01 UTC
Still missing for SLE10/11.

Upstream fix: https://gitlab.com/libtiff/libtiff/commit/7399a6f13bd6f4d0dfb7b9d0a25fafa86caa9b50
Comment 9 Petr Gajdos 2018-04-27 06:45:35 UTC
(POC can be found in upstream bug referenced in comment 0)

BEFORE

12/tiff

$ valgrind -q tiff2pdf 1.tiff 1.pdf
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
$

11/tiff

$ valgrind -q tiff2pdf 1.tiff 1.pdf
TIFFReadDirectory: Warning, 1.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 3 (0x3) encountered.
1.tiff: Warning, incorrect count for field "BitsPerSample" (805306371, expecting 1); tag trimmed.
1.tiff: Error fetching data for field "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
$

[no issues observed via valgrind, also tried -j]


PATCH

see comment 8

12/tiff:       have the check fixed, they even have if (count > 4) there
10sp3,11/tiff: fix is missing, will use if (count > 4)

AFTER

11/tiff

$ valgrind -q tiff2pdf 1.tiff 1.pdf
TIFFReadDirectory: Warning, 1.tiff: invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, 1.tiff: unknown field with tag 3 (0x3) encountered.
1.tiff: Warning, incorrect count for field "BitsPerSample" (805306371, expecting 1); tag trimmed.
1.tiff: Error fetching data for field "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
$
[no change]
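The fix referenced in comments 0, 8 and 9 is a stricter length gate on the TIFFTAG_JPEGTABLES blob before it is copied into the PDF output buffer: the blob is used only when count > 4. The following C program is an added example, not code from libtiff or tiff2pdf, that shows that gate beside the additional checks a defensive rewrite of the copy would carry. It assumes (as the "count - 2" in the comment suggests) that tiff2pdf copies the tables-only JPEG stream and then backs its write offset up over the trailing 2-byte EOI marker, which is why a one-byte blob breaks the offset arithmetic; the function names, the legacy "count > 0" gate, the return codes, buffer sizes and the sample bytes are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Gate used by the upstream fix (see comment 9): the blob is only used when
 * count > 4. Everything else in this file is constructed for illustration. */
#define MIN_JPEGTABLES_LEN 5

/* Legacy gate, as assumed here: any non-empty blob was accepted. */
static int legacy_gate_accepts(uint32_t count)
{
    return count > 0;
}

/* Hardened append. Copies the tables-only JPEG stream jpt[0..count) to
 * dst + *offset, then leaves *offset positioned on the 2-byte EOI marker so
 * the entropy-coded data written next replaces it (assumption about the
 * tiff2pdf layout). Returns 0 on success or a negative code for the rejected
 * input:
 *  -1 blob too short for the "count - 2" arithmetic (count <= 4)
 *  -2 blob does not start with SOI (FF D8)
 *  -3 blob does not end with EOI (FF D9)
 *  -4 blob does not fit in the remaining destination space */
int append_jpeg_tables(uint8_t *dst, size_t dstsize, size_t *offset,
                       const uint8_t *jpt, uint32_t count)
{
    if (count < MIN_JPEGTABLES_LEN)
        return -1;
    if (jpt[0] != 0xFF || jpt[1] != 0xD8)
        return -2;
    if (jpt[count - 2] != 0xFF || jpt[count - 1] != 0xD9)
        return -3;
    /* Order matters: check *offset first so the subtraction cannot wrap. */
    if (*offset > dstsize || count > dstsize - *offset)
        return -4;

    memcpy(dst + *offset, jpt, count);
    *offset += count - 2;
    return 0;
}

/* Constructed sample: SOI, an empty DQT segment header, EOI. Not usable JPEG
 * tables, only the framing the checks above look for. */
static const uint8_t sample_tables[] = {
    0xFF, 0xD8, 0xFF, 0xDB, 0x00, 0x02, 0xFF, 0xD9
};

int main(void)
{
    uint8_t out[64];
    size_t off = 0;
    uint8_t one_byte = 0xFF;
    int rc;

    printf("legacy gate accepts count=1: %d\n", legacy_gate_accepts(1));

    rc = append_jpeg_tables(out, sizeof out, &off, &one_byte, 1);
    printf("hardened, count=1: rc=%d, offset stays %zu\n", rc, off);

    rc = append_jpeg_tables(out, sizeof out, &off, sample_tables,
                            (uint32_t)sizeof sample_tables);
    printf("hardened, sample blob: rc=%d, offset now %zu\n", rc, off);
    return 0;
}
```

The capacity check is the part the length gate alone does not give you: even a well-formed blob must still fit in what remains of the destination, and testing `*offset > dstsize` before computing `dstsize - *offset` keeps that subtraction from wrapping on an already-corrupted offset.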
Comment 10 Petr Gajdos 2018-04-27 06:46:03 UTC
Will be submitted for 11/tiff and 10sp3/tiff.
Comment 11 Petr Gajdos 2018-04-27 10:15:48 UTC
At the end, I will try to fix by update of tiff2pdf.c to 4.0.9 version.
Comment 12 Petr Gajdos 2018-04-27 10:52:17 UTC
Will be submitted for 11/tiff and 10sp3/tiff.
Comment 13 Petr Gajdos 2018-04-27 10:59:51 UTC
I believe all fixed in sr#163144, sr#163145 and sr#163146.

I think this bug can be reassigned to security-team@ after review and creating maintenance request.
Comment 14 Michael Vetter 2018-05-07 13:16:09 UTC
SR#164509 SLE-10-SP3
SR#164510 SLE-11
Comment 16 Marcus Meissner 2018-05-09 14:46:56 UTC
released
Comment 17 Swamp Workflow Management 2018-05-09 16:13:11 UTC
SUSE-SU-2018:1179-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1007280,1011107,1011845,1017688,1017690,1017691,1017692,1031255,1046077,1048937,1074318,960341,983436
CVE References: CVE-2015-7554,CVE-2016-10095,CVE-2016-10268,CVE-2016-3945,CVE-2016-5318,CVE-2016-5652,CVE-2016-9453,CVE-2016-9536,CVE-2017-11335,CVE-2017-17973,CVE-2017-9935
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    tiff-3.8.2-141.169.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    tiff-3.8.2-141.169.3.1
Comment 18 Swamp Workflow Management 2018-05-11 15:25:36 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-05-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64038