CVE-2023-0803: tiffcrop: heap-buffer-overflow in extractContigSamplesShifted16bits, tiffcrop.c:3516 (#501) · Issues · libtiff / libtiff · GitLab

LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.


Open issue, created Dec 07, 2022 by 4ugustus (@waugustus), Contributor

tiffcrop: heap-buffer-overflow in extractContigSamplesShifted16bits, tiffcrop.c:3516

Summary

There is a heap-buffer-overflow error in extractContigSamplesShifted16bits in tools/tiffcrop.c:3516. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version master (post 4.4.0), commit id 1bdbd03f (Tue Nov 29 17:02:09 2022 +0000)

Steps to reproduce

# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared

# make -j; make install; make clean

$ ./build_asan/bin/tiffcrop -E right -U in -z 1,1,2048,2048:1,2049,2048,4097  -i  poc /tmp/foo
TIFFFetchNormalTag: Warning, Incompatible type for "Orientation"; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "ResolutionUnit"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripOffsets"; tag ignored.
TIFFFetchStripThing: Warning, Incorrect count for "StripByteCounts"; tag ignored.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
ZIPDecode: Decoding error at scanline 0.
: Strip 1: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 1.
: Strip 2: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 2.
: Strip 3: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 3.
: Strip 4: read -1 bytes, strip size 1024.
TIFFFillStrip: Invalid strip byte count 0, strip 4.
: Strip 5: read -1 bytes, strip size 1024.
...
TIFFFillStrip: Invalid strip byte count 0, strip 511.
=================================================================
==145436==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000041c0 at pc 0x56340d1cdb4a bp 0x7ffcf1f74c40 sp 0x7ffcf1f74c30
WRITE of size 1 at 0x6290000041c0 thread T0
    #0 0x56340d1cdb49 in extractContigSamplesShifted16bits /root/programs_latest/libtiff/tools/tiffcrop.c:3516
    #1 0x56340d1e3251 in extractCompositeRegions /root/programs_latest/libtiff/tools/tiffcrop.c:6801
    #2 0x56340d1e6d0a in processCropSelections /root/programs_latest/libtiff/tools/tiffcrop.c:7733
    #3 0x56340d1c9bb1 in main /root/programs_latest/libtiff/tools/tiffcrop.c:2511
    #4 0x7f5d015e7082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x56340d1c060d in _start (/root/programs_latest/libtiff/build_asan/bin/tiffcrop+0x2e60d)

0x6290000041c0 is located 1 bytes to the right of 16319-byte region [0x629000000200,0x6290000041bf)
allocated by thread T0 here:
    #0 0x7f5d01f8f808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x56340d26309e in _TIFFmalloc /root/programs_latest/libtiff/libtiff/tif_unix.c:336
    #2 0x56340d1c07a0 in limitMalloc /root/programs_latest/libtiff/tools/tiffcrop.c:644
    #3 0x56340d1e6a81 in processCropSelections /root/programs_latest/libtiff/tools/tiffcrop.c:7705
    #4 0x56340d1c9bb1 in main /root/programs_latest/libtiff/tools/tiffcrop.c:2511
    #5 0x7f5d015e7082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/programs_latest/libtiff/tools/tiffcrop.c:3516 in extractContigSamplesShifted16bits
Shadow bytes around the buggy address:
  0x0c527fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff87f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff8820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff8830: 00 00 00 00 00 00 00 07[fa]fa fa fa fa fa fa fa
  0x0c527fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==145436==ABORTING

Platform

# uname -a
Linux dd189b3c7b86 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Attachment: poc.zip
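The ASan report above shows a WRITE of size 1 landing exactly 1 byte to the right of a heap region allocated in processCropSelections, i.e. a byte-wise copy running one byte past a buffer that was sized slightly too small. The following is an added example, not libtiff's or tiffcrop's own code and not a claim about the exact root cause fixed in commit 33aee127: it is a self-contained model of that bug class for 16-bit contiguous samples packed at a bit offset ("shifted"), with the flawed sizing beside the hardened one. Every function name, the MSB-first bit layout, and the constructed 8-samples-at-offset-3 case are assumptions for illustration.

```c
/*
 * Added example (not tiffcrop code): packing 16-bit contiguous samples into a
 * destination row starting at a bit offset. If the destination is sized with
 * truncating division, the trailing partial byte is missing and a byte-wise
 * packer writes exactly one byte past the end, which is what a 1-byte ASan
 * heap-buffer-overflow "1 bytes to the right of" a region looks like.
 * Names, layout and sample values are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SAMPLES 64
#define MAX_ROW     256

/* Bytes the packer really touches: rounded UP so the partial byte counts. */
static size_t shifted_row_bytes(size_t nsamples, unsigned shift)
{
    size_t bits = nsamples * 16 + (shift & 7);
    return (bits + 7) / 8;
}

/* The flawed sizing: truncating division drops the partial trailing byte. */
static size_t truncated_row_bytes(size_t nsamples, unsigned shift)
{
    return (nsamples * 16 + (shift & 7)) / 8;
}

/* Bit-serial packer, MSB-first as in TIFF; trusts the caller, no bounds check. */
static void pack_shifted16_unchecked(const uint16_t *src, size_t nsamples,
                                     unsigned shift, uint8_t *dst)
{
    size_t bitpos = shift & 7;
    for (size_t i = 0; i < nsamples; i++)
        for (int b = 15; b >= 0; b--, bitpos++)
            if ((src[i] >> b) & 1)
                dst[bitpos / 8] |= (uint8_t)(0x80u >> (bitpos % 8));
}

/* Hardened packer: refuses the row when the rounded-up size exceeds dst_len.
 * Returns 0 on success, -1 when the write would run past the destination. */
static int pack_shifted16_checked(const uint16_t *src, size_t nsamples,
                                  unsigned shift, uint8_t *dst, size_t dst_len)
{
    if (shifted_row_bytes(nsamples, shift) > dst_len)
        return -1;
    memset(dst, 0, dst_len);
    pack_shifted16_unchecked(src, nsamples, shift, dst);
    return 0;
}

/* Model the crash without undefined behaviour: allocate the correct size plus
 * one byte of slack, pretend the buffer is the flawed size, run the unchecked
 * packer on all-ones samples and count bytes touched beyond the flawed size. */
static int demo_spilled_bytes(size_t nsamples, unsigned shift)
{
    if (nsamples > MAX_SAMPLES) return -2;
    uint16_t src[MAX_SAMPLES];
    for (size_t i = 0; i < nsamples; i++) src[i] = 0xFFFF;

    size_t flawed = truncated_row_bytes(nsamples, shift);
    size_t real   = shifted_row_bytes(nsamples, shift);
    uint8_t *buf  = calloc(real + 1, 1);
    if (!buf) return -2;

    pack_shifted16_unchecked(src, nsamples, shift, buf);
    int spilled = 0;
    for (size_t i = flawed; i <= real; i++)
        if (buf[i]) spilled++;
    free(buf);
    return spilled;            /* 1 whenever shift != 0: the dropped partial byte */
}

/* Status of the hardened packer for a destination of dst_len bytes. */
static int demo_checked_status(size_t nsamples, unsigned shift, size_t dst_len)
{
    if (nsamples > MAX_SAMPLES || dst_len > MAX_ROW) return -2;
    uint16_t src[MAX_SAMPLES];
    uint8_t dst[MAX_ROW];
    for (size_t i = 0; i < nsamples; i++) src[i] = 0xFFFF;
    return pack_shifted16_checked(src, nsamples, shift, dst, dst_len);
}

/* Byte `index` of one sample packed at `shift`, to show the bit layout. */
static int demo_packed_byte(uint16_t sample, unsigned shift, size_t index)
{
    uint8_t dst[4];
    if (index >= sizeof dst) return -1;
    if (pack_shifted16_checked(&sample, 1, shift, dst, sizeof dst) != 0) return -1;
    return dst[index];
}

int main(void)
{
    /* Constructed case: 8 samples at bit offset 3 need 17 bytes; the flawed
     * formula hands out 16, so the last byte lands one past the end. */
    printf("need=%zu flawed=%zu spilled=%d\n", shifted_row_bytes(8, 3),
           truncated_row_bytes(8, 3), demo_spilled_bytes(8, 3));
    printf("checked: 16-byte dst -> %d, 17-byte dst -> %d\n",
           demo_checked_status(8, 3, 16), demo_checked_status(8, 3, 17));
    return 0;
}
```

The point of the model is the shape of the ASan evidence rather than any specific tiffcrop line: a one-byte write immediately past a heap region is the signature of a size computation that is correct for the aligned case and short by one for the shifted case, and the check that belongs in the hardened packer is the rounded-up size against the allocation, not a guard on the caller's intended width. To confirm the real fix, build libtiff with the ASan flags from the steps above at or after commit 33aee127 and rerun the same tiffcrop command against the attached poc; the report should no longer appear.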

Related news

Red Hat Security Advisory 2023-5447-01

Red Hat Security Advisory 2023-5447-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2023:5447: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.0 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.8.0 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-26115: A flaw was found in the Node.js word-wrap module, where it is vulnerable to a denial of service caused by a Regular expression denial of service (ReDoS) issue in the result variable. By sending a specially crafted regex input, a remote attacker can cause a denial of service.

Red Hat Security Advisory 2023-5353-01

Red Hat Security Advisory 2023-5353-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include an out of bounds write vulnerability.

Red Hat Security Advisory 2023-3711-01

Red Hat Security Advisory 2023-3711-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

Ubuntu Security Notice USN-5923-1

Ubuntu Security Notice 5923-1 - It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image files with the tiffcrop tool. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service. It was discovered that LibTIFF could be made to write out of bounds when processing certain malformed image files with the tiffcrop tool. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service, or possibly execute arbitrary code.

Debian Security Advisory 5361-1

Debian Linux Security Advisory 5361-1 - Several flaws were found in tiffcrop, a program distributed by tiff, the Tag Image File Format (TIFF) library and tools. A specially crafted tiff file can lead to an out-of-bounds write or read resulting in a denial of service.
