Bug 2554 - CVE-2016-5314: libtiff 4.0.6 PixarLogDecode() out-of-bound writes
Status: RESOLVED FIXED
Product: libtiff
Component: default
Version: unspecified
Hardware: PC Linux
Importance: P2 critical
Target Milestone: ---
Reported: 2016-06-25 11:31 by
Modified: 2016-08-15 13:45 (History)


Attachments
CVE-2016-5314.tif (4.51 KB, image/tiff)
2016-06-28 10:02, Henri Salo

------- Description From 2016-06-25 11:31:49 -------
This vulnerability was reported in http://seclists.org/oss-sec/2016/q2/543

It was always corrupted when I used the rgb2ycbcr command on a crafted TIFF
image. The out-of-bound write vulnerability comes from the PixarLogDecode()
function, which does not check the buffer length, so the head of the next heap
chunk can be filled with any data; a crash occurs when malloc() or free() is
called. Attackers could exploit this issue to cause a DoS.

The problem was found using rgb2ycbcr (which AFAIK is being removed in 4.0.7)
but the code is in libtiff, so this may affect any libtiff user and not just
rgb2ycbcr.
------- Comment #1 From 2016-06-25 11:50:01 -------
CVE-2016-5320 talks about a possible arbitrary code execution vulnerability,
but mentions this PixarLogDecode bug, so I'm not sure if it's a separate issue
or a duplicate of this.

See http://seclists.org/oss-sec/2016/q2/551
------- Comment #2 From 2016-06-28 10:02:23 -------
Created an attachment (id=654)
CVE-2016-5314.tif

MD5: 1383f74a9a29f20b7ceda44a9694d863
SHA1: 20a0d74af6a84f133cfc533e669852430469f315
------- Comment #3 From 2016-06-30 01:00:27 -------
(In reply to comment #1)
> CVE-2016-5320 talks about a possible arbitrary code execution vulnerability,
> but mentions this PixarLogDecode bug, so I'm not sure if it's a separate issue
> or a duplicate of this.
> 
> See http://seclists.org/oss-sec/2016/q2/551

It probably is. PixarLogDecode() overwrites the pointer to sp->vgetparent

 libtiff/tif_pixarlog.c:787:
 int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);

which is then later executed in PredictorVGetField().
------- Comment #4 From 2016-06-30 01:02:26 -------
(In reply to comment #3)
>  libtiff/tif_pixarlog.c:787

While we're here, I think I'd like to note:

        llen = sp->stride * td->td_imagewidth;

        (void) s;
        assert(sp != NULL);

just a few lines above.
------- Comment #5 From 2016-07-10 06:31:30 -------
Was fixed by:

2016-06-28  Even Rouault <even.rouault at spatialys.com>

    * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
      PixarLogDecode() on corrupted/unexpected images (reported by Mathias
      Svensson)
      (CVE-2016-5875)
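The kind of bound check the fix entry above describes, as an added example that is not libtiff's code: a constructed C decoder that validates the sample count derived from untrusted strip geometry against the scratch buffer's real capacity before decompressing. It uses a run-length stand-in for zlib's inflate() and invented names (DecodeState, rle_expand, pixarlog_decode_checked, demo_decode).

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed codec state: a scratch buffer followed by the parent-method
 * pointer that comment #3 says an overrun can reach. Names are invented. */
typedef struct {
    uint16_t *tbuf;        /* decode scratch buffer */
    size_t    tbuf_size;   /* capacity of tbuf in bytes */
    int     (*vgetparent)(void);
} DecodeState;
/* Stand-in for zlib's inflate(): expands (count, value) pairs, never past avail_out. */
static size_t rle_expand(const uint8_t *in, size_t inlen,
                         uint16_t *out, size_t avail_out)
{
    size_t produced = 0;
    for (size_t i = 0; i + 1 < inlen; i += 2) {
        for (uint8_t k = 0; k < in[i]; k++) {
            if (produced == avail_out)
                return produced;
            out[produced++] = in[i + 1];
        }
    }
    return produced;
}
/* Hardened decode: the sample count comes from untrusted stride/width/rows,
 * so it is checked against tbuf's capacity before any write. 0 = ok, -1 = error. */
int pixarlog_decode_checked(DecodeState *sp, const uint8_t *in, size_t inlen,
                            size_t stride, size_t imagewidth, size_t rows)
{
    if (stride != 0 && imagewidth > SIZE_MAX / stride) return -1;
    size_t llen = stride * imagewidth;               /* samples per line */
    if (llen != 0 && rows > SIZE_MAX / llen) return -1;
    size_t nsamples = llen * rows;
    if (nsamples > sp->tbuf_size / sizeof(uint16_t)) /* the missing check */
        return -1;
    return rle_expand(in, inlen, sp->tbuf, nsamples) == nsamples ? 0 : -1;
}
static int parent_stub(void) { return 42; }
/* Constructed scenario: 8-sample scratch buffer, 4-pixel-wide image, stride 1.
 * Returns the decode result, or -2 if the pointer after the buffer changed. */
int demo_decode(size_t rows)
{
    static const uint8_t stream[] = { 4, 0x11, 4, 0x22, 4, 0x33, 4, 0x44 };
    uint16_t scratch[8];
    DecodeState sp = { scratch, sizeof scratch, parent_stub };
    int rc = pixarlog_decode_checked(&sp, stream, sizeof stream, 1, 4, rows);
    return sp.vgetparent == parent_stub ? rc : -2;
}
```

Requests for more rows than the scratch buffer can hold are rejected before decoding starts, so the function pointer stored after the buffer is never reachable from the compressed stream.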
------- Comment #6 From 2016-07-10 06:33:43 -------
*** Bug 2556 has been marked as a duplicate of this bug. ***
------- Comment #7 From 2016-08-15 13:39:39 -------
*** Bug 2557 has been marked as a duplicate of this bug. ***
------- Comment #8 From 2016-08-15 13:45:22 -------
*** Bug 2555 has been marked as a duplicate of this bug. ***