Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 8 Apr 2016 05:02:06 +0000
From: 王梅 <wangmei@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-3625 libtiff: Out-of-bounds Read in the tiff2bw tool

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type:  Out-of-bounds Read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3625
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Introduction
============

Out-of-bounds Read occurred in tif_read.c:545 or tif_read.c:402 or tif_read.c:560 in tiff2bw allows attackers to cause a denial of service via a crafted TIFF image.



gdb tiff2bw

(gdb)r sample/tiff2bw_1.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
545                                 td->td_stripoffset[strip] > (uint64)tif->tif_size - bytecount) {
Missing separate debuginfos, use: debuginfo-install glibc-2.17-78.el7.x86_64
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb4b3a in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:545
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076d0, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253
(gdb)


(gdb) r sample/tiff2bw_2.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
402                     ma=(tmsize_t)td->td_stripoffset[strip];
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  0x00007ffff7bb46e4 in TIFFReadRawStrip1 (tif=0x604010, strip=0, buf=0x605620, size=10, module=0x7ffff7bcfa81 <module.3917> "TIFFFillStrip") at tif_read.c:402
#1  0x00007ffff7bb4d73 in TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:612
#2  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#3  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x6076e0, row=0, sample=0) at tif_read.c:295
#4  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

(gdb) r sample/tiff2bw_3.tif 1.tif

Program received signal SIGSEGV, Segmentation fault.
TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
560                                     TIFFErrorExt(tif->tif_clientdata, module,
(gdb) l
555                                             "got %I64u bytes, expected %I64u",
556                                             (unsigned long) strip,
557                                             (unsigned __int64) tif->tif_size - td->td_stripoffset[strip],
558                                             (unsigned __int64) bytecount);
559     #else
560                                     TIFFErrorExt(tif->tif_clientdata, module,
561
562                                             "Read error on strip %lu; "
563                                             "got %llu bytes, expected %llu",
564                                             (unsigned long) strip,
(gdb) p td->td_stripoffset[strip]
Cannot access memory at address 0x0
(gdb) bt
#0  TIFFFillStrip (tif=0x604010, strip=0) at tif_read.c:560
#1  0x00007ffff7bb411a in TIFFSeek (tif=0x604010, row=0, sample=0) at tif_read.c:228
#2  0x00007ffff7bb42f2 in TIFFReadScanline (tif=0x604010, buf=0x607600, row=0, sample=0) at tif_read.c:295
#3  0x000000000040197e in main (argc=3, argv=0x7fffffffe428) at tiff2bw.c:253

References:
[1] http://www.remotesensing.org/libtiff/
[2] http://bugzilla.maptools.org/buglist.cgi?product=libtiff


Thank you!
Best Regards,


Mei

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.