Bug 2567 - CVE-2016-3619: libtiff: out-of-bounds read in the bmp2tiff tool
: CVE-2016-3619: libtiff: out-of-bounds read in the bmp2tiff tool
Status: RESOLVED WONTFIX
: libtiff
default
: unspecified
: PC Linux
: P1 critical
: ---
Assigned To:
: http://www.openwall.com/lists/oss-sec...
:
:
:
:
  Show dependency treegraph
 
Reported: 2016-06-27 08:35 by
Modified: 2016-08-15 16:13 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2016-06-27 08:35:35
Original advisory:

Affected Versions: <= 4.0.6
Vulnerability Type: Out-of-bounds Read
CVE ID: CVE-2016-3619
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

 When bmp2tiff function DumpModeEncode handle malicious bmp file with param -c
none will cause Out-of-bounds Read. An attacker could exploit this issue to
cause a denial of service.


 libtiff-master/libtiff/tif_dumpmode.c:62

59                  * data buffer to avoid extra copy.
 60                  */
 61                 if (tif->tif_rawcp != pp)
 62                         _TIFFmemcpy(tif->tif_rawcp, pp, n);
 63                 tif->tif_rawcp += n;
 64                 tif->tif_rawcc += n;
 65                 pp += n;
 66                 cc -= n;
 67                 if (tif->tif_rawcc >= tif->tif_rawdatasize &&
 68                     !TIFFFlushData1(tif))
 69                         return (0);

./bmp2tiff  -c none  ./sample/bmp2tiff_none.bmp 1.tif

=================================================================
==16644== ERROR: AddressSanitizer: unknown-crash on address 0x7f6f7dbde800 at
pc 0x7f6f7ab77b3f bp 0x7ffc82264d60 sp 0x7ffc82264508
READ of size 3342336 at 0x7f6f7dbde800 thread T0
    #0 0x7f6f7ab77b3e (/lib64/libasan.so.0+0xeb3e)
    #1 0x45b96c in _TIFFmemcpy
/home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:340
    #2 0x4614c1 in DumpModeEncode
/home/dazhuang/asan/libtiff-master/libtiff/tif_dumpmode.c:62
    #3 0x45665e in TIFFWriteScanline
/home/dazhuang/asan/libtiff-master/libtiff/tif_write.c:173
    #4 0x40450f in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:775
    #5 0x7f6f7a2aeaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
    #6 0x4019a8 in _start
(/home/dazhuang/asan/libtiff-master/tools/bmp2tiff+0x4019a8)
0x7f6f7dcee800 is located 0 bytes to the right of 1114112-byte region
[0x7f6f7dbde800,0x7f6f7dcee800)
allocated by thread T0 here:
    #0 0x7f6f7ab7f129 (/lib64/libasan.so.0+0x16129)
    #1 0x45b761 in _TIFFmalloc
/home/dazhuang/asan/libtiff-master/libtiff/tif_unix.c:316
    #2 0x4037c3 in main /home/dazhuang/asan/libtiff-master/tools/bmp2tiff.c:678
    #3 0x7f6f7a2aeaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: unknown-crash ??:0 ??
Shadow bytes around the buggy address:
  0x0fee6fb73cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fee6fb73cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fee6fb73d00:[00]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee6fb73d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16644== ABORTING

Other references:

https://bugzilla.redhat.com/show_bug.cgi?id=1316569
http://seclists.org/oss-sec/2016/q2/20
------- Comment #1 From 2016-08-15 16:13:04 -------
Closing as wontfix since bmp2tiff has been removed from libtiff