Internet Bug Bounty: libtiff 4.0.6 segfault / read outside of buffer (CVE-2016-9297)

HackerOne report H1:182140 by geeknik (hackerone.com), published Nov 14, 2016, 19:35
EPSS: 0.008 (percentile 82.2%)

Segfault and read outside of buffer in libtiff 4.0.6 and possibly earlier. This library is baked into web browsers used by millions, and also into devices such as the PlayStation Portable and the iPhone.

http://bugzilla.maptools.org/show_bug.cgi?id=2590

Reported to the vendor on 7 November 2016:

ASAN:SIGSEGV
=================================================================
==6884==ERROR: AddressSanitizer: SEGV on unknown address 0x7faf9b2d2000 (pc 0x7faf999ecd10 sp 0x7ffe26e325b8 bp 0x7faf9b2d1fff T0)
    #0 0x7faf999ecd0f in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x81d0f)
    #1 0x7faf999d52ee in _IO_fputs (/lib/x86_64-linux-gnu/libc.so.6+0x6a2ee)
    #2 0x490376 in _TIFFPrintField /root/libtiff/libtiff/tif_print.c:127
    #3 0x490376 in TIFFPrintDirectory /root/libtiff/libtiff/tif_print.c:647
    #4 0x405545 in tiffinfo /root/libtiff/tools/tiffinfo.c:463
    #5 0x405545 in main /root/libtiff/tools/tiffinfo.c:152
    #6 0x7faf9998cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #7 0x40648c (/root/libtiff/tools/tiffinfo+0x40648c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
==6884==ABORTING

Fixed by the vendor on 11 November 2016:

2016-11-11 Even Rouault <even.rouault at spatialys.com>
* libtiff/tif_dirread.c: in TIFFFetchNormalTag(), make sure that values of tags with 
TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are null terminated, to 
avoid potential read outside buffer in _TIFFPrintField().
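As an added example (not libtiff's own code), the defensive pattern behind the vendor fix: a count-prefixed ASCII tag value is copied into a buffer that is NUL-terminated before any C-string routine such as strlen() or fputs() touches it. The helper names are hypothetical and the tag payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not libtiff's API: heap copy of the 'count' raw bytes
 * of a count-prefixed ASCII tag value that is always NUL-terminated (the
 * invariant the fix establishes in TIFFFetchNormalTag()). Caller frees. */
char *tag_ascii_terminated(const uint8_t *raw, uint32_t count) {
    if (raw == NULL || (size_t)count == SIZE_MAX) return NULL;
    char *buf = malloc((size_t)count + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, raw, count);
    /* This byte keeps strlen()/fputs() inside the value whether or not the
     * file supplied a terminator of its own. */
    buf[count] = '\0';
    return buf;
}

/* Print a tag value the way _TIFFPrintField() does (fputs of a C string), but
 * only through the terminated copy. Returns the length strlen() observed, so
 * a caller can confirm it never exceeded 'count'. 'out' may be NULL. */
size_t print_ascii_tag(FILE *out, const uint8_t *raw, uint32_t count) {
    char *s = tag_ascii_terminated(raw, count);
    if (s == NULL) return 0;
    size_t n = strlen(s);              /* bounded: buf[count] == '\0' */
    if (out != NULL) { fputs(s, out); fputc('\n', out); }
    free(s);
    return n;
}

/* Constructed payload: 8 ASCII bytes with no NUL, the shape that made the
 * unpatched tiffinfo run strlen() off the end of the buffer. */
size_t demo_unterminated(FILE *out) {
    static const uint8_t raw[8] = { 'l','i','b','t','i','f','f','!' };
    return print_ascii_tag(out, raw, 8);       /* returns 8 */
}

/* Constructed payload with an embedded NUL: the C-string print stops there,
 * the same truncation the original code performs for such values. */
size_t demo_embedded_nul(FILE *out) {
    static const uint8_t raw[6] = { 'a','b','\0','c','d','e' };
    return print_ascii_tag(out, raw, 6);       /* returns 2 */
}

int main(void) {
    demo_unterminated(stdout);   /* prints "libtiff!" */
    demo_embedded_nul(stdout);   /* prints "ab" */
    return 0;
}
```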

CVE requested on 12 November 2016:
http://www.openwall.com/lists/oss-security/2016/11/12/2

CVE assigned on 14 November 2016:
http://www.openwall.com/lists/oss-security/2016/11/14/7