
CVE-2022-3570: tools/tiffcrop.c:3142 - Heap Buffer overflow in extractContigSamples32bits (#386) · Issues · libtiff / libtiff · GitLab

Multiple heap buffer overflows in the tiffcrop.c utility in libtiff library version 4.4.0 allow an attacker to trigger unsafe or out-of-bounds memory access via a crafted TIFF image file, which could result in an application crash, potential information disclosure, or any other context-dependent impact.


Summary - (Summarize the bug encountered concisely)

There is a heap buffer overflow at /tools/tiffcrop.c:3142 in the extractContigSamples32bits function.

Version - (libtiff version)

root@ubuntu:/home/libtiff/tools# ./tiffcrop -v
Library Release: LIBTIFF, Version 4.3.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.4, last updated: 12-13-2010
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
           : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde

Steps to reproduce - (How one can reproduce the issue - this is very important)

Clone the latest source from the GitLab repository: git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff

Compile the source using the following command:

CC=gcc CXX=g++ CFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" CXXFLAGS="-ggdb -fsanitize=address,undefined -fno-sanitize-recover=all" LDFLAGS="-fsanitize=address,undefined -fno-sanitize-recover=all -lm" ./configure --disable-shared

Reproduce the crash with the following command:

./tiffcrop -i -E l -H 10 -V 10 -S 8:4 -R 270 poc.tif a.tif

Platform - (Operating system, architecture, compiler details)

gcc --version
gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

uname -r
5.13.0-28-generic

uname -a
Linux ubuntu 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux


lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:    20.04
Codename:   focal
  • Address Sanitizer Logs (ASAN)

    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 57568 (0xe0e0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1028 (0x404) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
    TIFFFetchNormalTag: Warning, ASCII value for tag "Model" does not end in null byte.
    TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
    TIFFAdvanceDirectory: Error fetching directory count.
    loadImage: Image lacks Photometric interpretation tag.
    =================================================================
    ==2014==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000210 at pc 0x55bbcdc5bb9a bp 0x7fff3dbae7c0 sp 0x7fff3dbae7b0
    READ of size 4 at 0x602000000210 thread T0
        #0 0x55bbcdc5bb99 in extractContigSamples32bits /home/targets/libtiff/tools/tiffcrop.c:3142
        #1 0x55bbcdc70529 in extractContigSamplesToBuffer /home/targets/libtiff/tools/tiffcrop.c:3627
        #2 0x55bbcdc70529 in writeBufferToSeparateStrips /home/targets/libtiff/tools/tiffcrop.c:1218
        #3 0x55bbcdc7d4b9 in writeSingleSection /home/targets/libtiff/tools/tiffcrop.c:7377
        #4 0x55bbcdc3ce20 in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7104
        #5 0x55bbcdc3ce20 in main /home/targets/libtiff/tools/tiffcrop.c:2451
        #6 0x7f20439f70b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x55bbcdc434ed in _start (/home/targets/libtiff/tools/tiffcrop+0x324ed)

    0x602000000213 is located 0 bytes to the right of 3-byte region [0x602000000210,0x602000000213)
    allocated by thread T0 here:
        #0 0x7f2043e3abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x55bbcdc3d94d in createImageSection /home/targets/libtiff/tools/tiffcrop.c:7402
        #2 0x55bbcdc3d94d in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7090
        #3 0x55bbcdc3d94d in main /home/targets/libtiff/tools/tiffcrop.c:2451

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/targets/libtiff/tools/tiffcrop.c:3142 in extractContigSamples32bits
    Shadow bytes around the buggy address:
      0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 02 fa fa fa fd fa
      0x0c047fff8010: fa fa fd fa fa fa fd fa fa fa 02 fa fa fa fd fa
      0x0c047fff8020: fa fa fd fa fa fa fd fa fa fa 00 fa fa fa 00 fa
      0x0c047fff8030: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 04
    =>0x0c047fff8040: fa fa[03]fa fa fa 02 fa fa fa 02 fa fa fa 06 fa
      0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2014==ABORTING
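As an added triage aid (not part of this issue or of libtiff), the Python below parses the kind of report that the `-fsanitize=address` build described in the reproduction steps produces, pulling out the fields a maintainer needs first: the faulting access and its size, the size of the heap region it overran, the frame that performed the access, and the frame that requested the undersized buffer. The embedded sample is a constructed excerpt of the report quoted above, with the line breaks the aggregator flattened restored and the libc frames and shadow-byte dump dropped; the regular expressions follow the ASan report layout shown on this page and are my own. For this report the fields line up as a 4-byte read from a 3-byte region, one byte past its end, allocated in createImageSection and read in extractContigSamples32bits.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ASan report from this issue with line breaks restored,
# libc frames and the shadow-byte dump removed. The first line is libtiff's own
# stderr output, which precedes the sanitizer header in a real run.
SAMPLE_REPORT = """\
loadImage: Image lacks Photometric interpretation tag.
=================================================================
==2014==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000210 at pc 0x55bbcdc5bb9a bp 0x7fff3dbae7c0 sp 0x7fff3dbae7b0
READ of size 4 at 0x602000000210 thread T0
    #0 0x55bbcdc5bb99 in extractContigSamples32bits /home/targets/libtiff/tools/tiffcrop.c:3142
    #1 0x55bbcdc70529 in extractContigSamplesToBuffer /home/targets/libtiff/tools/tiffcrop.c:3627
    #2 0x55bbcdc70529 in writeBufferToSeparateStrips /home/targets/libtiff/tools/tiffcrop.c:1218
    #3 0x55bbcdc7d4b9 in writeSingleSection /home/targets/libtiff/tools/tiffcrop.c:7377
    #4 0x55bbcdc3ce20 in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7104
    #5 0x55bbcdc3ce20 in main /home/targets/libtiff/tools/tiffcrop.c:2451

0x602000000213 is located 0 bytes to the right of 3-byte region [0x602000000210,0x602000000213)
allocated by thread T0 here:
    #0 0x7f2043e3abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55bbcdc3d94d in createImageSection /home/targets/libtiff/tools/tiffcrop.c:7402
    #2 0x55bbcdc3d94d in writeImageSections /home/targets/libtiff/tools/tiffcrop.c:7090
    #3 0x55bbcdc3d94d in main /home/targets/libtiff/tools/tiffcrop.c:2451

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/targets/libtiff/tools/tiffcrop.c:3142 in extractContigSamples32bits
"""

# Patterns for the ASan report layout shown above (written for this example).
ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (\S+) (.+)$")
REGION_RE = re.compile(r"is located \d+ bytes to the (?:left|right) of (\d+)-byte region \[(0x[0-9a-f]+),")
ALLOC_RE = re.compile(r"^(?:previously )?allocated by thread")
ALLOCATOR_FUNCS = {"malloc", "calloc", "realloc", "operator new", "operator new[]"}


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line" when symbolised, "(module+offset)" otherwise


@dataclass
class AsanReport:
    pid: int
    kind: str                           # e.g. heap-buffer-overflow
    address: int                        # faulting address
    access: Optional[str] = None        # READ or WRITE
    access_size: Optional[int] = None   # bytes touched by the faulting instruction
    region_start: Optional[int] = None  # heap chunk ASan matched the address to
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    def crash_frame(self) -> Optional[Frame]:
        return self.access_stack[0] if self.access_stack else None

    def alloc_frame(self) -> Optional[Frame]:
        # First allocation frame outside the allocator: where the buffer was sized.
        return next((f for f in self.alloc_stack if f.function not in ALLOCATOR_FUNCS), None)

    def overrun_bytes(self) -> Optional[int]:
        # Bytes the access extends past the end of the region (0 if it stays inside).
        if None in (self.access_size, self.region_start, self.region_size):
            return None
        return max(0, self.address + self.access_size - (self.region_start + self.region_size))


def parse_asan_report(text: str) -> AsanReport:
    report, target = None, None  # target: the stack list the next frames belong to
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            if m := ERROR_RE.search(line):
                report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16))
            continue  # anything before the header is the program's own output
        if not line:
            target = None  # a blank line ends a stack trace
        elif m := ACCESS_RE.match(line):
            report.access, report.access_size = m.group(1), int(m.group(2))
            target = report.access_stack
        elif m := REGION_RE.search(line):
            report.region_size, report.region_start = int(m.group(1)), int(m.group(2), 16)
        elif ALLOC_RE.match(line):
            target = report.alloc_stack
        elif (m := FRAME_RE.match(line)) and target is not None:
            target.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def triage_summary(report: AsanReport) -> str:
    crash, alloc = report.crash_frame(), report.alloc_frame()
    where = f"{crash.function} at {crash.location}" if crash else "<unknown>"
    origin = f"{alloc.function} at {alloc.location}" if alloc else "<unknown>"
    return (f"{report.kind}: {report.access} of {report.access_size} bytes from a "
            f"{report.region_size}-byte region ({report.overrun_bytes()} byte(s) past its end)\n"
            f"  faulting code: {where}\n  buffer allocated in: {origin}")


if __name__ == "__main__":
    print(triage_summary(parse_asan_report(SAMPLE_REPORT)))
```

Run it on a saved sanitizer log to get a three-line summary instead of the full dump; the overrun computation is what tells apart a one-byte read past a short buffer (as here) from a far-out-of-bounds access, which matters when judging impact beyond the crash.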

Related news

CVE-2023-23694: DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450

Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

RHSA-2023:2340: Red Hat Security Advisory: libtiff security update

An update for libtiff is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2022-3570: A heap-based buffer overflow flaw was found in Libtiff's tiffcrop utility. This issue occurs during the conversion of a TIFF image file, allowing an attacker to pass a crafted TIFF image file to the tiffcrop utility, which causes an out-of-bound access resulting in an application crash, eventually leading to a denial of service.
* CVE-2022-3597: An out-o...

Debian Security Advisory 5333-1

Debian Linux Security Advisory 5333-1 - Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.

Ubuntu Security Notice USN-5705-1

Ubuntu Security Notice 5705-1 - Chintan Shah discovered that LibTIFF incorrectly handled memory in certain conditions. An attacker could trick a user into processing a specially crafted image file and potentially use this issue to allow for information disclosure or to cause the application to crash. It was discovered that LibTIFF incorrectly handled memory in certain conditions. An attacker could trick a user into processing a specially crafted tiff file and potentially use this issue to cause a denial of service.
