CVE-2022-0865: tiffcp: Assertion failed in TIFFReadAndRealloc, tif_read.c:99 (#385) · Issues · libtiff / libtiff · GitLab

Reachable Assertion in tiffcp in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 5e180045.


Open · Issue created Feb 24, 2022 by 4ugustus (@waugustus) · Contributor

tiffcp: Assertion failed in TIFFReadAndRealloc, tif_read.c:99

Summary

There is a reachable assertion-failed crash in _TIFFReadAndRealloc, tif_read.c:99. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. Note that this crash is different from #377 (closed).

Version

573e0252 (Sun Feb 20 14:47:49 2022 +0100)

Steps to reproduce

```
$ tiffcp poc /tmp/foo
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65046 (0xfe16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 53693 (0xd1bd) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2449 (0x991) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 52970 (0xceea) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFFetchNormalTag: Warning, ASCII value for tag "Model" does not end in null byte.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, ASCII value for tag "Tag 65046" does not end in null byte. Forcing it to be null.
TIFFFetchNormalTag: Warning, Incorrect count for "XResolution"; tag ignored.
Fax4Decode: Warning, Line length mismatch at line 1 of strip 0 (got 60704, expected 60703).
Fax4Decode: Warning, Line length mismatch at line 3 of strip 0 (got 60704, expected 60703).
Fax4Decode: Bad code word at line 6 of strip 0 (x 6).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 6, expected 60703).
Fax4Decode: Bad code word at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 8, expected 60703).
Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 60700).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 60700, expected 60703).
Fax4Decode: Uncompressed data (not supported) at line 6 of strip 0 (x 60700).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 60700, expected 60703).
Fax4Decode: Warning, Line length mismatch at line 6 of strip 0 (got 60704, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 54).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 54, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
Fax4Decode: Warning, Premature EOF at line 6 of strip 0 (x 0).
Fax4Decode: Warning, Premature EOL at line 6 of strip 0 (got 0, expected 60703).
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 4 (0x4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5 (0x5) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 55941 (0xda85) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 51248 (0xc830) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31350 (0x7a76) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59310 (0xe7ae) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 436 (0x1b4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 64790 (0xfd16) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2048 (0x800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6010 (0x177a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 60138 (0xeaea) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16384 (0x4000) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59904 (0xea00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8832 (0x2280) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59152 (0xe710) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27651 (0x6c03) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 392 (0x188) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 769 (0x301) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 38573 (0x96ad) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 60159 (0xeaff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6144 (0x1800) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12076 (0x2f2c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 5327 (0x14cf) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8289 (0x2061) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 34828 (0x880c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31820 (0x7c4c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62632 (0xf4a8) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12006 (0x2ee6) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 50183 (0xc407) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3840 (0xf00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 16 (0x10) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31365 (0x7a85) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 252 (0xfc) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 30069 (0x7575) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18763 (0x494b) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3505 (0xdb1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 1002 (0x3ea) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 770 (0x302) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59925 (0xea15) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18761 (0x4949) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32768 (0x8000) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 58339 (0xe3e3) encountered.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 4"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 3"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 5"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect value for "Model"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "DocumentName"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 436"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16384"; tag ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap because BitsPerSample=48>24.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 1" value failed; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DateTime" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 2"; tag ignored.
TIFFFetchNormalTag: Warning, IO error during reading of "Tag 58339"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
tiffcp: tif_read.c:99: TIFFReadAndRealloc: Assertion `(tif->tif_flags & TIFF_MYBUFFER) != 0' failed.
Aborted
```

Platform

```
$ uname -a
Linux wdw-Precision-Tower-3620 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

# MUST install the libjbig support!
$ sudo apt install -y libjbig-dev
$ CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --disable-shared
$ make -j;make install; make clean
```

poc

Edited Feb 24, 2022 by 4ugustus
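
Added example (not part of the issue and not libtiff code): the failure reported above is an assert() that file content can reach, which ends the whole process with SIGABRT. The C program below uses a hypothetical stand-in decoder (toy_decode, BUF_OWNED) and constructed inputs to show how a service that accepts untrusted images can run the decode in a child process and classify the abort instead of dying with it.

```c
/* Added example, not libtiff code. */
#undef NDEBUG                 /* assert() is compiled out when NDEBUG is defined */
#include <assert.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum decode_status { DECODE_OK, DECODE_REJECTED, DECODE_ABORTED, DECODE_CRASHED };

#define BUF_OWNED 0x1u        /* hypothetical internal state flag */

/* Hypothetical decoder: byte 0 of the input decides whether the buffer
 * counts as "owned". The assert states an internal assumption that the
 * file content is able to violate, so it is reachable from input. */
static int toy_decode(const unsigned char *data, size_t len)
{
    if (len < 2)
        return -1;                         /* malformed: rejected gracefully */
    unsigned flags = data[0] ? BUF_OWNED : 0;
    assert((flags & BUF_OWNED) != 0);      /* failure ends in abort() */
    return 0;
}

/* Decode in a child process so abort() terminates only the child. */
static enum decode_status decode_isolated(const unsigned char *data, size_t len)
{
    int st;
    fflush(NULL);                          /* no duplicated stdio buffers */
    pid_t pid = fork();
    if (pid < 0)
        return DECODE_CRASHED;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };  /* repeated aborts must not fill the disk */
        setrlimit(RLIMIT_CORE, &no_core);
        _exit(toy_decode(data, len) == 0 ? 0 : 1);
    }
    while (waitpid(pid, &st, 0) < 0)
        if (errno != EINTR)
            return DECODE_CRASHED;
    if (WIFSIGNALED(st))                   /* SIGABRT is what a failed assert() raises */
        return WTERMSIG(st) == SIGABRT ? DECODE_ABORTED : DECODE_CRASHED;
    return WEXITSTATUS(st) == 0 ? DECODE_OK : DECODE_REJECTED;
}

int main(void)
{
    /* Constructed inputs, not real TIFF data. */
    const unsigned char ok[]  = { 0x01, 0x00 };
    const unsigned char bad[] = { 0x00, 0x00 };
    printf("ok  -> %d\n", decode_isolated(ok, sizeof ok));
    printf("bad -> %d\n", decode_isolated(bad, sizeof bad));
    printf("parent still running\n");
    return 0;
}
```

A DECODE_ABORTED result is worth logging separately from ordinary rejections, since it marks an input that reached an internal assertion rather than a normal error path.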

Related news

Red Hat Security Advisory 2022-8194-01

Red Hat Security Advisory 2022-8194-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, denial of service, and out of bounds read vulnerabilities.

RHSA-2022:8194: Red Hat Security Advisory: libtiff security update

An update for libtiff is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0561: libtiff: Denial of Service via crafted TIFF file * CVE-2022-0562: libtiff: Null source pointer lead to Denial of Service via crafted TIFF file * CVE-2022-0865: libtiff: reachable assertion * CVE-2022-0891: libtiff: heap buffer overflow in extractImageSection * CVE-2022-0908: tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNor...

Red Hat Security Advisory 2022-7585-01

Red Hat Security Advisory 2022-7585-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, denial of service, and out of bounds read vulnerabilities.

RHSA-2022:7585: Red Hat Security Advisory: libtiff security update

An update for libtiff is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0561: libtiff: Denial of Service via crafted TIFF file * CVE-2022-0562: libtiff: Null source pointer lead to Denial of Service via crafted TIFF file * CVE-2022-0865: libtiff: reachable assertion * CVE-2022-0891: libtiff: heap buffer overflow in extractImageSection * CVE-2022-0908: tiff: Null source pointer passed as an argument to memcpy in TIFFFetchNor...

Ubuntu Security Notice USN-5421-1

Ubuntu Security Notice 5421-1 - It was discovered that LibTIFF incorrectly handled certain images. An attacker could possibly use this issue to cause a crash, resulting in a denial of service. This issue only affects Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Chintan Shah discovered that LibTIFF incorrectly handled memory when handling certain images. An attacker could possibly use this issue to cause a crash, resulting in a denial of service, or possibly execute arbitrary code.
