CVE-2023-25433: heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV) (#520) · Issues · libtiff / libtiff · GitLab
libtiff 4.5.0 is vulnerable to a heap buffer overflow in /libtiff/tools/tiffcrop.c:8499. Incorrect updating of the buffer size after rotateImage() in tiffcrop causes a heap-buffer-overflow and SIGSEGV.
Open · Issue created Jan 27, 2023 by Tseng Szu Wei (@13579and24680)
heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV)
Summary
A SIGSEGV is caused when using tiffcrop.
AddressSanitizer reports it as a heap-buffer-overflow.
Version
$ ./tools/tiffcrop -v
Library Release: LIBTIFF, Version 4.5.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
$ git log --oneline -1
a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'
Steps to reproduce
make
git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff
./autogen.sh
./configure
make
run
./tools/tiffcrop -Z 12:50,12:99 -R 270 poc /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
Fax4Decode: Uncompressed data (not supported) at line 0 of strip 0 (x 10).
(... too long, ignored)
fish: Job 1, './tools/tiffcrop -Z 12:50,12:9…' terminated by signal SIGSEGV (Address boundary error)
Platform
$ uname -a
Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
ASAN report
==3490861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb40a368a45 at pc 0x7fb40d6e7f3d bp 0x7ffca5726e70 sp 0x7ffca5726618
WRITE of size 296067 at 0x7fb40a368a45 thread T0
#0 0x7fb40d6e7f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
#1 0x7fb40d614fb7 in _TIFFmemset /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:341
#2 0x560accbdb18a in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8499
#3 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
#4 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
#5 0x560accbb4b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
0x7fb40a368a45 is located 0 bytes to the right of 148037-byte region [0x7fb40a344800,0x7fb40a368a45)
allocated by thread T0 here:
#0 0x7fb40d78d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7fb40d614f03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
#2 0x560accbb4d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
#3 0x560accbe005e in rotateImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:9605
#4 0x560accbdb9f3 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8566
#5 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
#6 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
Shadow bytes around the buggy address:
0x0ff7014650f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff701465100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff701465110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff701465120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff701465130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff701465140: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
0x0ff701465150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff701465160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff701465170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff701465180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff701465190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3490861==ABORTING
Attachment: poc
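The ASan trace above shows the write in processCropSelections (tiffcrop.c:8499) of 296067 bytes landing in a 148037-byte region that rotateImage() allocated at tiffcrop.c:9605: the memset uses a size computed before the rotation, while the buffer it clears was re-allocated for the rotated geometry. The C program below is an added example of that bug class in a constructed model; it is not libtiff's code and does not reproduce tiffcrop's internals. The struct, the function names and the 17x1000 one-bit sample image are assumptions chosen so the arithmetic is easy to follow. The buggy and fixed variants differ only in whether the size the rotation helper hands back is written into the caller's bookkeeping before the buffer is reused.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug class behind this report (added example, not
 * libtiff code). A caller tracks a crop buffer as (pointer, size). A rotation
 * helper replaces the buffer with one sized for the rotated geometry, but the
 * caller's size is never updated and is later passed to memset(). */
struct crop_buf {
    uint32_t width;       /* pixels per row */
    uint32_t length;      /* rows */
    uint16_t bps;         /* bits per sample */
    uint16_t spp;         /* samples per pixel */
    unsigned char *data;
    size_t size;          /* bytes the CALLER believes data holds */
};

/* Rows are packed to a byte boundary, so swapping width and length changes
 * the per-row padding and hence the total byte count. */
static size_t image_bytes(uint32_t width, uint32_t length, uint16_t bps, uint16_t spp)
{
    size_t row = ((size_t)width * bps * spp + 7) / 8;
    return row * length;
}

/* Replace cb->data with a buffer sized for the 90/270-degree rotation and swap
 * the dimensions. Returns the new allocation size (0 on allocation failure).
 * Pixel shuffling is omitted; only the size bookkeeping matters here. */
static size_t reallocate_rotated(struct crop_buf *cb, int degrees)
{
    if (degrees != 90 && degrees != 270)
        return cb->size;                 /* 0/180 keep the same geometry */
    size_t rotsize = image_bytes(cb->length, cb->width, cb->bps, cb->spp);
    unsigned char *rbuf = calloc(1, rotsize);
    if (rbuf == NULL)
        return 0;
    free(cb->data);
    cb->data = rbuf;
    uint32_t tmp = cb->width; cb->width = cb->length; cb->length = tmp;
    return rotsize;
}

/* BUGGY: the size the helper hands back is dropped; cb->size is now stale. */
static size_t rotate_buggy(struct crop_buf *cb, int degrees)
{
    return reallocate_rotated(cb, degrees);
}

/* FIXED: write the real allocation size back before the buffer is reused. */
static size_t rotate_fixed(struct crop_buf *cb, int degrees)
{
    size_t actual = reallocate_rotated(cb, degrees);
    if (actual != 0)
        cb->size = actual;
    return actual;
}

/* The caller's later clear. Rather than issuing the memset with a stale size
 * (the out-of-bounds write ASan flagged), report how many bytes it would write
 * past the allocation; 0 means the memset is in bounds and was performed. */
static size_t clear_overrun(const struct crop_buf *cb, size_t actual_alloc)
{
    if (cb->size <= actual_alloc) {
        memset(cb->data, 0, cb->size);
        return 0;
    }
    return cb->size - actual_alloc;      /* would overflow: do not write */
}

/* Constructed 1-bit, single-sample image: 17 px x 1000 rows = 3 bytes/row,
 * 3000 bytes. Rotated 270 degrees: 1000 px x 17 rows = 125 bytes/row, 2125
 * bytes. A memset of the stale 3000 overruns the 2125-byte buffer by 875. */
static struct crop_buf make_sample(void)
{
    struct crop_buf cb = { 17, 1000, 1, 1, NULL, 0 };
    cb.size = image_bytes(cb.width, cb.length, cb.bps, cb.spp);
    cb.data = calloc(1, cb.size);
    return cb;
}

static size_t run_demo(size_t (*rotate)(struct crop_buf *, int))
{
    struct crop_buf cb = make_sample();
    size_t actual = rotate(&cb, 270);
    size_t over = clear_overrun(&cb, actual);
    free(cb.data);
    return over;
}

size_t demo_buggy(void) { return run_demo(rotate_buggy); }  /* 875 */
size_t demo_fixed(void) { return run_demo(rotate_fixed); }  /* 0 */

int main(void)
{
    printf("buggy path would overrun by %zu bytes\n", demo_buggy());
    printf("fixed path would overrun by %zu bytes\n", demo_fixed());
    return 0;
}
```

To see the real failure instead of the computed overrun, build with -fsanitize=address and make clear_overrun call memset unconditionally: ASan then reports a WRITE of the stale 3000 bytes ending past a 2125-byte region allocated in reallocate_rotated, the same shape as the report above (write size from the caller, region size from the rotation helper). The general lesson is the one the CVE text states: whenever a helper may replace a buffer, it must return the new size (or take the size by pointer) and the caller must adopt it before any memset, memcpy or loop bound uses the old value.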
Related news
Ubuntu Security Notice 6290-1 - It was discovered that LibTIFF could be made to write out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that LibTIFF incorrectly handled certain image files. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04.
Ubuntu Security Notice 6229-1 - It was discovered that LibTIFF was not properly handling variables used to perform memory management operations when processing an image through tiffcrop, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that LibTIFF was not properly processing numerical values when dealing with little-endian input data, which could lead to the execution of an invalid operation. An attacker could possibly use this issue to cause a denial of service