CVE-2022-48281: heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_unix.c:362 in _TIFFmemset in branch 38a58201 (#488) · Issues · libtiff / libtiff · GitLab

processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., “WRITE of size 307203”) via a crafted TIFF image.



Open issue created Nov 25, 2022 by Tseng Szu Wei (@13579and24680)

heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_unix.c:362 in _TIFFmemset in branch 38a58201

Summary

heap-buffer-overflow /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_unix.c:362 in _TIFFmemset results in SIGSEGV


Version

a13579@13579 ~/f/report> libtiff/tools/tiffcrop -v
Library Release: LIBTIFF, Version 4.4.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.5.4, last updated: 27-08-2022
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
           : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde


Steps to reproduce

$ git clone https://gitlab.com/libtiff/libtiff.git
$ cd libtiff/
$ ./autogen.sh
$ ./configure
$ make -j
$ ./tools/tiffcrop -Z 1:3,2:4 -e divided ./poc ./aa
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6712 (0x1a38) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7330 (0x1ca2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7948 (0x1f0c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8566 (0x2176) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 9184 (0x23e0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 9802 (0x264a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10420 (0x28b4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 11038 (0x2b1e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 11656 (0x2d88) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12274 (0x2ff2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12494 (0x30ce) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 206 (0xce) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 6712 (Tag 6712) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7330 (Tag 7330) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7948 (Tag 7948) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 8566 (Tag 8566) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 9184 (Tag 9184) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 9802 (Tag 9802) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 10420 (Tag 10420) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 11038 (Tag 11038) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 11656 (Tag 11656) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12274 (Tag 12274) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12494 (Tag 12494) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 206 (Tag 206) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
loadImage: Image lacks Photometric interpretation tag.
fish: Job 1, './tools/tiffcrop -Z 1:3,2:4 -e…' terminated by signal SIGSEGV (Address boundary error)


Platform

a13579@13579 ~/f/r/libtiff (master)> gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

a13579@13579 ~/f/r/libtiff (master)> uname -r
5.15.0-50-generic
a13579@13579 ~/f/r/libtiff (master)> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:    20.04
Codename:   focal


ASan report (compiled with ./configure CFLAGS='-fsanitize=address -g3' CXXFLAGS='-fsanitize=address -g3')

a13579@13579 ~/f/report [SIGSEGV]> libtiff_asan/tools/tiffcrop -Z 1:3,2:4 -e divided poc /dev/null
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFAdvanceDirectory: Error fetching directory count.
loadImage: Image lacks Photometric interpretation tag.
TIFFWriteDirectoryTagData: IO error writing tag data.
: Failed to write IFD for page number 0.
writeRegions: Unable to write new image.
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 6712 (0x1a38) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7330 (0x1ca2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 7948 (0x1f0c) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 8566 (0x2176) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 9184 (0x23e0) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 9802 (0x264a) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 10420 (0x28b4) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 11038 (0x2b1e) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 11656 (0x2d88) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12274 (0x2ff2) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 12494 (0x30ce) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 206 (0xce) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 6712 (Tag 6712) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7330 (Tag 7330) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 7948 (Tag 7948) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 8566 (Tag 8566) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 9184 (Tag 9184) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 9802 (Tag 9802) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 10420 (Tag 10420) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 11038 (Tag 11038) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 11656 (Tag 11656) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12274 (Tag 12274) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12494 (Tag 12494) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 206 (Tag 206) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
loadImage: Image lacks Photometric interpretation tag.
=================================================================
==1794501==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000013a03 at pc 0x7f070adcbf3d bp 0x7ffeab2adb40 sp 0x7ffeab2ad2e8
WRITE of size 307203 at 0x62d000013a03 thread T0
    #0 0x7f070adcbf3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
    #1 0x7f070acfa51b in _TIFFmemset /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_unix.c:362
    #2 0x557305d40ef6 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:7826
    #3 0x557305d23111 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:2511
    #4 0x7f070a7bf082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x557305d19b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/.libs/tiffcrop+0x9b6d)

0x62d000013a03 is located 0 bytes to the right of 38403-byte region [0x62d00000a400,0x62d000013a03)
allocated by thread T0 here:
    #0 0x7f070ae71808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x7f070acfa467 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_unix.c:336
    #2 0x557305d19d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:644
    #3 0x557305d40d1b in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:7803
    #4 0x557305d23111 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:2511
    #5 0x7f070a7bf082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
==1794501==ABORTING

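The ASan trace above records a 307203-byte _TIFFmemset into a region that limitMalloc had sized at 38403 bytes. As an added illustration, not libtiff or tiffcrop code, the following C keeps the allocated capacity next to the pointer so that a clear larger than the allocation is refused rather than written past the end; the sized_buf type, its functions and SLACK_BYTES are ours, with the 3-byte slack chosen because both sizes in the report carry it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Slack appended to every reservation. Constructed for this example; the
 * report's two sizes (38403 and 307203) both end in the same 3 extra bytes. */
#define SLACK_BYTES 3

/* A buffer that remembers how many bytes were really allocated. */
typedef struct {
    unsigned char *data;
    size_t capacity;
} sized_buf;

/* Allocate on first use, grow when a later selection needs more. Returns 0 on
 * success, -1 on overflow of the size arithmetic or on allocation failure. */
int sized_buf_reserve(sized_buf *b, size_t needed)
{
    if (needed > SIZE_MAX - SLACK_BYTES)
        return -1;
    size_t want = needed + SLACK_BYTES;
    if (b->data != NULL && b->capacity >= want)
        return 0;                       /* existing buffer is large enough */
    unsigned char *p = realloc(b->data, want);
    if (p == NULL)
        return -1;
    b->data = p;
    b->capacity = want;
    return 0;
}

/* Zero len bytes, but only when they fit inside the recorded capacity. A bare
 * memset(b->data, 0, len) has no way to make this check. */
int sized_buf_clear(sized_buf *b, size_t len)
{
    if (b->data == NULL || len > b->capacity)
        return -1;
    memset(b->data, 0, len);
    return 0;
}

void sized_buf_free(sized_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->capacity = 0;
}

/* Replays the sizes from the ASan report: a buffer reserved for 38400 bytes
 * (capacity 38403) and a clear sized for 307200 + 3 bytes. Returns 1 when the
 * oversized clear is refused, the in-bounds clear succeeds, and a clear after
 * growing the buffer succeeds; 0 otherwise. */
int demo_report_sizes(void)
{
    sized_buf b = { NULL, 0 };
    if (sized_buf_reserve(&b, 38400) != 0)
        return 0;
    int refused = sized_buf_clear(&b, 307203) == -1;
    int fits    = sized_buf_clear(&b, 38403) == 0;
    int grown   = sized_buf_reserve(&b, 307200) == 0 &&
                  sized_buf_clear(&b, 307203) == 0;
    sized_buf_free(&b);
    return refused && fits && grown;
}
```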

Related news

Ubuntu Security Notice USN-6290-1

Ubuntu Security Notice 6290-1 - It was discovered that LibTIFF could be made to write out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that LibTIFF incorrectly handled certain image files. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04.

Red Hat Security Advisory 2023-3711-01

Red Hat Security Advisory 2023-3711-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

Ubuntu Security Notice USN-5841-1

Ubuntu Security Notice 5841-1 - It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. This issue was only fixed in Ubuntu 14.04 ESM. It was discovered that LibTIFF was incorrectly accessing a data structure when processing data with the tiffcrop tool, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

Debian Security Advisory 5333-1

Debian Linux Security Advisory 5333-1 - Several buffer overflow, divide by zero or out of bounds read/write vulnerabilities were discovered in tiff, the Tag Image File Format (TIFF) library and tools, which may cause denial of service when processing a crafted TIFF image.
