{"id":1076,"date":"2017-01-01T17:36:26","date_gmt":"2017-01-01T15:36:26","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1076"},"modified":"2017-07-12T10:41:12","modified_gmt":"2017-07-12T08:41:12","slug":"libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c\/","title":{"rendered":"libtiff: stack-based buffer overflow in _TIFFVGetField (tif_dir.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/libtiff.maptools.org\">Libtiff<\/a> is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.<\/p>\n<p>A crafted tiff file revealed a stack buffer overflow.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># tiffsplit $FILE\r\nTIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.\r\n=================================================================\r\n==10362==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3824f00090 at pc 0x7f3829624fbb bp 0x7fffe0eb1da0 sp 0x7fffe0eb1d98\r\nWRITE of size 4 at 0x7f3824f00090 thread T0\r\n    #0 0x7f3829624fba in _TIFFVGetField \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_dir.c:1077:29\r\n    #1 0x7f382960f202 in TIFFVGetField \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_dir.c:1198:6\r\n    #2 0x7f382960f202 in TIFFGetField \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/libtiff\/tif_dir.c:1182\r\n    #3 0x50a719 in tiffcp \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffsplit.c:183:2\r\n    #4 0x50a719 in main \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffsplit.c:89\r\n    #5 0x7f382871561f in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.22-r4\/work\/glibc-2.22\/csu\/libc-start.c:289\r\n    #6 0x419a78 in _init (\/usr\/bin\/tiffsplit+0x419a78)\r\n\r\nAddress 0x7f3824f00090 is located in stack of thread T0 at offset 144 in frame\r\n    #0 0x5099cf in main \/tmp\/portage\/media-libs\/tiff-4.0.7\/work\/tiff-4.0.7\/tools\/tiffsplit.c:59\r\n\r\n  This frame has 18 object(s):\r\n    [32, 40) 'bytecounts.i263.i'\r\n    [64, 72) 'bytecounts.i.i'\r\n    [96, 98) 'bitspersample.i'\r\n    [112, 114) 'samplesperpixel.i'\r\n    [128, 130) 'compression.i'\r\n    [144, 146) 'shortv.i' 0x0fe7849d8010: 02 f2[02]f2 00 f2 f2 f2 04 f2 04 f2 04 f2 00 f2\r\n  0x0fe7849d8020: f2 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2\r\n  0x0fe7849d8030: f2 f2 00 f2 f2 f2 02 f3 00 00 00 00 00 00 00 00\r\n  0x0fe7849d8040: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5\r\n  0x0fe7849d8050: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5\r\n  0x0fe7849d8060: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==10362==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n4.0.7<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"\">https:\/\/github.com\/vadz\/libtiff\/commit\/4d4fa0b68ae9ae038959ee4f69ebe288ec892f06<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2016-10095<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00104-libtiff-stackoverflow-_TIFFVGetField\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00104-libtiff-stackoverflow-_TIFFVGetField<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2016-12-04: bug discovered and reported to upstream<br \/>\n2017-01-01: blog post about the issue<br \/>\n2017-01-01: CVE assigned<br \/>\n2017-06-01: upstream released a fix<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"YcMQqn4qWd\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c\/\">libtiff: stack-based buffer overflow in _TIFFVGetField (tif_dir.c)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c\/embed\/#?secret=YcMQqn4qWd\" data-secret=\"YcMQqn4qWd\" width=\"600\" height=\"338\" title=\"&#8220;libtiff: stack-based buffer overflow in _TIFFVGetField (tif_dir.c)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Libtiff is a software that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. A crafted tiff file revealed a stack buffer overflow. The complete ASan output: # tiffsplit $FILE TIFFReadDirectory: &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/01\/01\/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-hm","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1076"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1076"}],"version-history":[{"count":5,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1076\/revisions"}],"predecessor-version":[{"id":1937,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1076\/revisions\/1937"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1076"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1076"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1076"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}