Bug 984815 - (CVE-2016-5323) VUL-1: tiff: CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?)
(CVE-2016-5323)
VUL-1: tiff: CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (n...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Michael Vetter
Security Team bot
https://smash.suse.de/issue/170094/
CVSSv2:SUSE:CVE-2016-5323:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-06-15 10:04 UTC by Marcus Meissner
Modified: 2019-04-25 14:45 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CVE-2016-5323.tiff (340 bytes, application/octet-stream)
2016-10-13 13:54 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-15 10:04:09 UTC
http://seclists.org/oss-sec/2016/q2/548

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: divide by zero
Vendor URL: http://www.remotesensing.org/libtiff/
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
CVE ID: CVE-2016-5323
Tested system version:
       fedora23 32bit
       fedora23 64bit
       CentOS Linux release 7.1.1503 64bit

Introduction
=======

t was always corrupted when I use tiffcrop command followed by a crafted TIFF image in function _TIFFFax3fillruns () 
without checking the value of divisor, it causes a divide by zero flaw. Attackers cound exploit this issue to cause 
denial-of-service.

Here is the stack info:
gdb –args ./tiffcrop _TIFFFax3fillruns.tif tmpout.tif
--- ---
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ad97f0 in _TIFFFax3fillruns (buf=0x0, runs=0x673500, erun=<optimized out>, lastx=64) at tif_fax3.c:407
407                              ZERO(n, cp);
(gdb) bt
#0  0x00007ffff7ad97f0 in _TIFFFax3fillruns (buf=0x0, runs=0x673500, erun=<optimized out>, lastx=64) at tif_fax3.c:407
#1  0x00007ffff7ae087c in Fax3DecodeRLE (tif=0x662010, buf=0x0, occ=8192, s=<optimized out>) at tif_fax3.c:1527
#2  0x00007ffff7ba3739 in TIFFReadEncodedTile (tif=tif@entry=0x662010, tile=8, buf=0x0, size=8192, size@entry=-1) at 
tif_read.c:668
#3  0x00007ffff7ba3a01 in TIFFReadTile (tif=tif@entry=0x662010, buf=<optimized out>, x=x@entry=0, y=y@entry=0, 
z=z@entry=0, s=s@entry=8) at tif_read.c:641
#4  0x0000000000443e41 in readSeparateTilesIntoBuffer (bps=1, spp=129, tl=1024, tw=64, imagewidth=32, imagelength=32, 
obuf=0x7ffff7ee5010 "", in=0x662010) at tiffcrop.c:994
#5  loadImage (in=in@entry=0x662010, image=image@entry=0x7fffffff7960, dump=dump@entry=0x7fffffffc270, 
read_ptr=read_ptr@entry=0x7fffffff7920) at tiffcrop.c:6079
#6  0x0000000000403209 in main (argc=<optimized out>, argv=<optimized out>) at tiffcrop.c:2278
(gdb) p cp
$2 = (unsigned char *) 0x0
Comment 1 Marcus Meissner 2016-06-15 10:05:31 UTC
NULL ptr dereference, not division by zero.
Comment 2 Swamp Workflow Management 2016-06-15 22:01:41 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2016-10-13 13:54:54 UTC
Created attachment 697218 [details]
CVE-2016-5323.tiff

QA  REPRODUCER:

tiffcrop CVE-2016-5323.tiff output.tiff

(should not crash)
Comment 5 Swamp Workflow Management 2016-12-07 14:10:51 UTC
openSUSE-SU-2016:3035-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2015-7554,CVE-2015-8665,CVE-2015-8683,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE 13.2 (src):    tiff-4.0.7-10.35.1
Comment 6 Swamp Workflow Management 2016-12-29 23:17:34 UTC
SUSE-SU-2016:3301-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Server 12-SP1 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.7-35.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    tiff-4.0.7-35.1
Comment 7 Swamp Workflow Management 2017-01-08 00:18:43 UTC
openSUSE-SU-2017:0074-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1007280,1010161,1010163,1011103,1011107,914890,974449,974840,984813,984815,987351
CVE References: CVE-2014-8127,CVE-2016-3622,CVE-2016-3658,CVE-2016-5321,CVE-2016-5323,CVE-2016-5652,CVE-2016-5875,CVE-2016-9273,CVE-2016-9297,CVE-2016-9448,CVE-2016-9453
Sources used:
openSUSE Leap 42.2 (src):    tiff-4.0.7-12.1
openSUSE Leap 42.1 (src):    tiff-4.0.7-12.1
Comment 8 Petr Gajdos 2018-06-04 10:00:22 UTC
Upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2559
Commit:
https://github.com/vadz/libtiff/commit/2f79856097f423eb33796a15fcf700d2ea41bf31

BEFORE

12/tiff

$ tiffcrop CVE-2016-5323.tiff out.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 295 (0x127) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27 (0x1b) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, IO error during reading of "XResolution"; tag ignored.
_TIFFVSetField: CVE-2016-5323.tiff: Null count for "Tag 27" (type 1, writecount -3, passcount 1).
TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpreation tag.
loadImage: Integer overflow detected..
$

10sp3,11/tiff

Does not have tiffcrop, the fix is not applicable.