Headline
CVE-2022-3597: tiffcrop: heap-buffer-overflow in _TIFFmemcpy, tif_unix.c:346 (different from #411) (#413) · Issues · libtiff / libtiff · GitLab
LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.
There is a heap buffer overflow in _TIFFmemcpy in libtiff/tif_unix.c:346. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.
# CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
# make -j; make install; make clean
# ./build_asan/bin/tiffcrop -Z 1:4,3:3 -R 90 -H 300 -i poc /tmp/foo
IFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 48 (0x30) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 4617 (0x1209) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6656 (0x1a00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8240 (0x2030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31350 (0x7a76) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 59310 (0xe7ae) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15904 (0x3e20) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15626 (0x3d0a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 2313 (0x909) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 29812 (0x7474) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27137 (0x6a01) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 65396 (0xff74) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 24014 (0x5dce) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10088 (0x2768) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 31868 (0x7c7c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 18761 (0x4949) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 61695 (0xf0ff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 52224 (0xcc00) encountered.
TIFFFetchNormalTag: Warning, Incorrect count for "PhotometricInterpretation"; tag ignored.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 15626" value failed; tag ignored.
TIFFFetchNormalTag: Warning, ASCII value for tag "DocumentName" contains null byte in value; value incorrectly truncated during reading due to implementation limitations.
TIFFFetchNormalTag: Warning, Incorrect count for "YResolution"; tag ignored.
TIFFReadDirectory: Warning, Ignoring ColorMap since BitsPerSample tag not found.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
TIFFAdvanceDirectory: Error fetching directory link.
loadImage: Image lacks Photometric interpretation tag.
LZWPreDecode: Warning, Old-style LZW codes, convert file.
output_tiffcrop_random_3/default/crashes/id:000000,sig:11,src:003379,time:11040083,execs:8056393,op:havoc,rep:2: LZWDecode: Corrupted LZW table at scanline 0.
=================================================================
==1900940==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb6375ff457 at pc 0x7fb63c2b7733 bp 0x7ffda7b642a0 sp 0x7ffda7b63a48
READ of size 112648 at 0x7fb6375ff457 thread T0
#0 0x7fb63c2b7732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x561892042b49 in _TIFFmemcpy /root/programs/libtiff/libtiff/tif_unix.c:346
#2 0x561891fc8b24 in extractImageSection /root/programs/libtiff/tools/tiffcrop.c:6826
#3 0x561891fc9eb3 in writeImageSections /root/programs/libtiff/tools/tiffcrop.c:7093
#4 0x561891fb00c8 in main /root/programs/libtiff/tools/tiffcrop.c:2451
#5 0x7fb63ace3c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#6 0x561891fa6ab9 in _start (/root/programs/libtiff/build_asan/bin/tiffcrop+0x2bab9)
0x7fb6375ff457 is located 0 bytes to the right of 1182807-byte region [0x7fb6374de800,0x7fb6375ff457)
allocated by thread T0 here:
#0 0x7fb63c31cb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x561892042a77 in _TIFFmalloc /root/programs/libtiff/libtiff/tif_unix.c:314
#2 0x561891fa6c6d in limitMalloc /root/programs/libtiff/tools/tiffcrop.c:627
#3 0x561891fc60b9 in loadImage /root/programs/libtiff/tools/tiffcrop.c:6220
#4 0x561891faf9ae in main /root/programs/libtiff/tools/tiffcrop.c:2374
#5 0x7fb63ace3c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0ff746eb7e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff746eb7e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff746eb7e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff746eb7e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff746eb7e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff746eb7e80: 00 00 00 00 00 00 00 00 00 00[07]fa fa fa fa fa
0x0ff746eb7e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff746eb7ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff746eb7eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff746eb7ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff746eb7ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1900940==ABORTING
# uname -a
Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/LinuxRelated news
Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.
An update for libtiff is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3570: A heap-based buffer overflow flaw was found in Libtiff's tiffcrop utility. This issue occurs during the conversion of a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes an out-of-bound access resulting an application crash, eventually leading to a denial of service. * CVE-2022-3597: An out-o...
Debian Linux Security Advisory 5333-1 - Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.