HackerOne report H1:181642 (Geeknik), Nov 11, 2016 - 8:33 p.m.

Internet Bug Bounty: libtiff 4.0.6 heap buffer overflow / out of bounds read (CVE-2016-9273)

2016-11-11 20:33:32
geeknik
hackerone.com
26

CVSS3: 5.5 Medium
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.006 Low (Percentile: 75.5%)

Heap buffer overflow affecting libtiff 4.0.6 and possibly earlier versions. This library is baked into web browsers used by millions of people, and also into devices such as the PlayStation Portable and the iPhone.

http://bugzilla.maptools.org/show_bug.cgi?id=2587

Reported to vendor on 7 November 2016:

==18669==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef78 at pc 0x407549 bp 0x7ffeeb10bc00 sp 0x7ffeeb10bbf8
READ of size 8 at 0x60200000ef78 thread T0
    #0 0x407548 in cpStrips /root/libtiff/tools/tiffsplit.c:246
    #1 0x407548 in tiffcp /root/libtiff/tools/tiffsplit.c:227
    #2 0x407548 in main /root/libtiff/tools/tiffsplit.c:89
    #3 0x7face2437b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #4 0x40836c (/root/libtiff/tools/tiffsplit+0x40836c)

0x60200000ef78 is located 0 bytes to the right of 8-byte region [0x60200000ef70,0x60200000ef78)
allocated by thread T0 here:
    #0 0x7face2b169f6 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x549f6)
    #1 0x4a9ea0 in _TIFFCheckRealloc /root/libtiff/libtiff/tif_aux.c:73
    #2 0x4a9ea0 in _TIFFCheckMalloc /root/libtiff/libtiff/tif_aux.c:88

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/libtiff/tools/tiffsplit.c:246 cpStrips

Fixed by vendor on 10 November 2016:

>> 2016-11-10 Even Rouault <even.rouault at spatialys.com>
>> * libtiff/tif_strip.c: make TIFFNumberOfStrips() return the
>>   td->td_nstrips value when it is non-zero, instead of recomputing it.
>>   This is needed in TIFF_STRIPCHOP mode where td_nstrips is modified.
>>   Fixes a read outside of array in tiffsplit
>>   (or other utilities using TIFFNumberOfStrips()).
>> 
>>  /cvs/maptools/cvsroot/libtiff/ChangeLog,v  <--  ChangeLog
>>  new revision: 1.1151; previous revision: 1.1150
>>  /cvs/maptools/cvsroot/libtiff/libtiff/tif_strip.c,v  <--  libtiff/tif_strip.c
>>  new revision: 1.37; previous revision: 1.36

https://github.com/vadz/libtiff/commit/d651abc097d91fac57f33b5f9447d0a9183f58e7
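To make the mismatch described in the ChangeLog concrete, here is an added C model (written for this page, not libtiff's own code) of a strip count recomputed from image geometry versus the td_nstrips entries actually allocated, with a cpStrips-style loop that refuses to walk past the array. Every struct and field name other than td_nstrips is an assumption, and the scenario values (one allocated 8-byte entry, geometry implying four strips) are constructed to match the ASan report above.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a TIFF directory; every name except td_nstrips is an assumption,
   not libtiff's real struct. The strip arrays hold exactly td_nstrips entries. */
typedef struct {
    uint32_t imagelength;     /* rows in the image */
    uint32_t rowsperstrip;    /* rows per strip */
    uint32_t td_nstrips;      /* entries actually present in the strip arrays */
    uint64_t *stripbytecount; /* td_nstrips entries */
} DirModel;

/* Pre-fix behaviour: derive the strip count from geometry alone. */
static uint32_t number_of_strips_recompute(const DirModel *td) {
    return (td->imagelength + td->rowsperstrip - 1) / td->rowsperstrip;
}

/* Post-fix behaviour from the ChangeLog: trust td_nstrips when it is non-zero. */
static uint32_t number_of_strips_fixed(const DirModel *td) {
    return td->td_nstrips != 0 ? td->td_nstrips : number_of_strips_recompute(td);
}

/* Loop modelled on cpStrips: sum the byte counts of count_fn(td) strips. Returns -1 rather
   than reading past the td_nstrips-entry array, a guard a caller should keep even post-fix. */
static int64_t sum_strip_bytes(const DirModel *td, uint32_t (*count_fn)(const DirModel *)) {
    uint32_t n = count_fn(td);
    if (n > td->td_nstrips) return -1; /* unguarded, this is the read 0 bytes past the region */
    int64_t total = 0;
    for (uint32_t i = 0; i < n; i++) total += (int64_t)td->stripbytecount[i];
    return total;
}

/* Constructed scenario: only one strip entry exists (td_nstrips = 1, an 8-byte array like the
   ASan region) while 32 rows at 8 rows per strip would imply 4 strips. */
static DirModel chopped_dir(void) {
    static uint64_t bytecount[1] = { 100 };
    DirModel d = { 32, 8, 1, bytecount };
    return d;
}

uint32_t demo_recomputed_count(void) { DirModel d = chopped_dir(); return number_of_strips_recompute(&d); }
uint32_t demo_fixed_count(void)      { DirModel d = chopped_dir(); return number_of_strips_fixed(&d); }
int64_t  demo_unsafe_sum(void)       { DirModel d = chopped_dir(); return sum_strip_bytes(&d, number_of_strips_recompute); }
int64_t  demo_fixed_sum(void)        { DirModel d = chopped_dir(); return sum_strip_bytes(&d, number_of_strips_fixed); }

int main(void) {
    printf("recomputed=%u fixed=%u unsafe=%lld fixed_sum=%lld\n", demo_recomputed_count(),
           demo_fixed_count(), (long long)demo_unsafe_sum(), (long long)demo_fixed_sum());
    return 0;
}
```

The recomputed count (4) exceeds the single allocated entry, which is exactly the index-1 read of an 8-byte region that AddressSanitizer flagged; the fixed accessor returns 1 and the loop stays in bounds.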

CVE requested via oss-security on 9 November 2016:
http://www.openwall.com/lists/oss-security/2016/11/09/20

CVE assigned 11 November 2016:
http://www.openwall.com/lists/oss-security/2016/11/11/6
