{"id":1033,"date":"2017-01-01T17:34:46","date_gmt":"2017-01-01T15:34:46","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1033"},"modified":"2017-03-25T16:01:10","modified_gmt":"2017-03-25T14:01:10","slug":"libtiff-multiple-heap-based-buffer-overflow","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-multiple-heap-based-buffer-overflow\/","title":{"rendered":"libtiff: multiple heap-based buffer overflow"},"content":{"rendered":"

Description<\/strong>:
\nLibtiff<\/a> is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.<\/p>\n

Some crafted images, through a fuzzing revealed multiple overflow. Since the number of the issues, I will post the relevant part of the stacktrace.<\/p>\n

Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/5397a417e61258c69209904e652a1f409ec3b9df<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00068-libtiff-heapoverflow-_tiffWriteProc<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n

# tiffcp -i $FILE \/tmp\/foo\r\n==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0\r\nREAD of size 78490 at 0x62500000e861 thread T0\r\n    #1 0x7f280456d37b in _tiffWriteProc \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_unix.c:115:23\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10268<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/5397a417e61258c69209904e652a1f409ec3b9df<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00066-libtiff-heapoverflow-TIFFReverseBits<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\n==14332==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f4f0 at pc 0x7f95e90c11ad bp 0x7ffd74ba5ca0 sp 0x7ffd74ba5c98\r\nREAD of size 1 at 0x63000000f4f0 thread T0\r\n    #0 0x7f95e90c11ac in TIFFReverseBits \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_swab.c:289:27\r\n<\/font><\/pre>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/1044b43637fa7f70fb19b93593777b78bd20da86<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00071-libtiff-heapoverflow-_TIFFmemcpy<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
#tiffcp -i $FILE \/tmp\/foo\r\n==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0\r\nREAD of size 512 at 0x60200000eef4 thread T0\r\n     #1 0x7fcaf590cf0d in _TIFFmemcpy \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_unix.c:340:2\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10269<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/9a72a69e035ee70ff5c41541c8c61cd97990d018<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00074-libtiff-heapoverflow-TIFFFillStrip<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\n==15106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd8 at pc 0x7f33918c5de3 bp 0x7ffc5abe6ba0 sp 0x7ffc5abe6b98\r\nREAD of size 8 at 0x60200000edd8 thread T0\r\n    #0 0x7f33918c5de2 in TIFFFillStrip \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_read.c:523:22\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10270<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00100-libtiff-heapoverflow-_TIFFFax3fillruns<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcrop -i $FILE \/tmp\/foo\r\n==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548\r\nREAD of size 1 at 0x7fd3b2e277f8 thread T0\r\n    #0 0x7fd3b7a762cb in _TIFFFax3fillruns \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_fax3.c:413:13\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10271<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00102-libtiff-heapoverflow-_TIFFmemcpy<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcrop -i $FILE \/tmp\/foo\r\n==988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001ccff at pc 0x0000004bc00c bp 0x7fff920da690 sp 0x7fff920d9e40\r\nWRITE of size 1 at 0x62100001ccff thread T0\r\n    #1 0x7f49edd6af0d in _TIFFmemcpy \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_unix.c:340:2\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10092<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/b4b41925115059b49f97432bda0613411df2f686<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00067-libtiff-heapoverflow-tiffcp<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\n==7788==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd3 at pc 0x0000004629ac bp 0x7ffe4adf8df0 sp 0x7ffe4adf85a0\r\nREAD of size 1 at 0x60200000edd3 thread T0\r\n    #1 0x50d6a5 in tiffcp \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcp.c:784:57\r\n<\/font><\/pre>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nUpstream said that the previous changes, fixes this too. It needs to be bisected.
\nUPDATE:<\/strong>
\nA test on master showed that it isn’t fixed.
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00079-libtiff-heapoverflow-cpSeparateBufToContigBuf<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\n==25645==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f651cc3b800 at pc 0x00000051ef24 bp 0x7ffec0573a70 sp 0x7ffec0573a68\r\nREAD of size 16 at 0x7f651cc3b800 thread T0\r\n    #0 0x51ef23 in cpSeparateBufToContigBuf \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcp.c:1209:14\r\n<\/font><\/pre>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/787c0ee906430b772f33ca50b97b8b5ca070faec<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00082-libtiff-heap-overflow-cpStripToTile<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcp -i $FILE \/tmp\/foo\r\n==20438==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fef2adde803 at pc 0x00000051befa bp 0x7ffd3ee26b50 sp 0x7ffd3ee26b48\r\nWRITE of size 16 at 0x7fef2adde803 thread T0\r\n    #0 0x51bef9 in cpStripToTile \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcp.c:1171:11\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10093<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nUpstream said that the previous changes, fixes this too. It needs to be bisected.
\nFrom the bisect the fix is:
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00103-libtiff-heapoverflow-NeXTDecode<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcrop -i $FILE \/tmp\/foo\r\n==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30\r\nWRITE of size 2048 at 0x62d00000a3fc thread T0\r\n      #1 0x7fcac5ac0033 in NeXTDecode \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_next.c:64:9\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10272<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nUpstream said that the previous changes, fixes this too. It needs to be bisected.
\nFrom the bisect the fix is:
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00102-libtiff-heapoverflow-_TIFFmemcpy<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcrop -i $FILE \/tmp\/foo\r\n==23091==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed2 at pc 0x0000004629dc bp 0x7fff8d1e2950 sp 0x7fff8d1e2100\r\nREAD of size 1 at 0x60200000eed2 thread T0\r\n   #1 0x53277f in writeCroppedImage \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcrop.c:7940:23\r\n<\/font><\/pre>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00108-libtiff-heapoverflow-PSDataBW<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiff2ps $FILE\r\n==32416==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee91 at pc 0x00000051ea78 bp 0x7ffd76b73dd0 sp 0x7ffd76b73dc8\r\nREAD of size 1 at 0x60200000ee91 thread T0\r\n    #0 0x51ea77 in PSDataBW \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiff2ps.c:2703:21\r\n<\/font><\/pre>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00107-libtiff-heapoverflow-PSDataColorContig<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiff2ps $FILE\r\n==31384==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee54 at pc 0x000000518b75 bp 0x7fff437bfdb0 sp 0x7fff437bfda8\r\nREAD of size 1 at 0x60200000ee54 thread T0\r\n    #0 0x518b74 in PSDataColorContig \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiff2ps.c:2470:2\r\n<\/font><\/pre>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/bd9d7670d0224412b3bd146e221658211ece876e<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00101-libtiff-heapoverflow-combineSeparateSamples16bits<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiffcrop -i $FILE \/tmp\/foo\r\n==8016==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef1 at pc 0x000000530805 bp 0x7ffeb0d41770 sp 0x7ffeb0d41768\r\nREAD of size 1 at 0x60200000eef1 thread T0\r\n    #0 0x530804 in combineSeparateSamples16bits \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffcrop.c:3913:20\r\n<\/font><\/pre>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nhttps:\/\/github.com\/vadz\/libtiff\/commit\/c7153361a4041260719b340f73f2f76b0969235c<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00112-libtiff-heapoverflow-_TIFFmemcpy<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiff2pdf $FILE -o foo\r\n==31315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ea11 at pc 0x0000004bc10c bp 0x7fffd59abc40 sp 0x7fffd59ab3f0\r\nWRITE of size 2 at 0x60200000ea11 thread T0\r\n    #1 0x7fd49c1adf0d in _TIFFmemcpy \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_unix.c:340:2\r\n<\/font><\/pre>\n
CVE:<\/strong>
\nCVE-2016-10094<\/p>\n
###############################################<\/p>\n
Affected version \/ Tested on:<\/strong>
\n4.0.7
\nFixed version:<\/strong>
\nN\/A
\nCommit fix:<\/strong>
\nN\/A
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00109-libtiff-heapoverflow-putcontig8bitYCbCr44tile<\/a>
\nRelevant part of the stacktrace:<\/strong><\/p>\n
# tiff2rgba $FILE \/tmp\/foo\r\n==20699==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000ed12 at pc 0x7f49ab2c134c bp 0x7ffc7e4eda30 sp 0x7ffc7e4eda28                                                                                                                                      \r\nREAD of size 1 at 0x62500000ed12 thread T0                                                                                                                                                                                                                                     \r\n    #0 0x7f49ab2c134b in putcontig8bitYCbCr44tile \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_getimage.c:1885:28\r\n<\/font><\/pre>\n
Credit:<\/strong>
\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n
Timeline:<\/strong>
\n2016-11-20: started to post the issues to upstream
\n2017-01-01: blog post about the issue
\n2017-01-01: CVE assigned
\n2017-03-24: bisect done, all issues have a commit fix reference<\/p>\n
Note:<\/strong>
\nThese bugs were found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
libtiff: multiple heap-based buffer overflow<\/a><\/p><\/blockquote>\n