CVE-2023-26966: SEGV at /libtiff/tif_luv.c:961 in uv_encode() (#530) · Issues · libtiff / libtiff · GitLab

libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian TIFF file and specifies the output to be big-endian.


Open issue, created Feb 15, 2023 by Tseng Szu Wei (@13579and24680)

SEGV at /libtiff/tif_luv.c:961 in uv_encode()

Summary

A SIGSEGV is caused when using tiffcrop.

Version

$ ./tools/tiffcrop -v
Library Release: LIBTIFF, Version 4.5.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
           : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde

$ git log --oneline -1
c861f25c (HEAD -> master, origin/master, origin/HEAD) Merge branch 'tiffcrop_dont_reuse_input_buffer_fix_527' into 'master'

Steps to reproduce

make

git clone https://gitlab.com/libtiff/libtiff.git
cd libtiff
./autogen.sh
./configure
make

run

$ ./tools/tiffcrop -B poc temp
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFAdvanceDirectory: Error fetching directory count.
fish: Job 1, './tools/tiffcrop -B poc temp' terminated by signal SIGSEGV (Address boundary error)

Platform

$ uname -a
Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

$ gcc --version
gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
Copyright (C) 2019 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

ASAN report

./tools/tiffcrop -B poc temp
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3120 (0xc30) encountered.
TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFFetchNormalTag: Defined set_field_type of custom tag 3120 (Tag 3120) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
TIFFAdvanceDirectory: Error fetching directory count.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1381705==ERROR: AddressSanitizer: SEGV on unknown address 0x7f1876003420 (pc 0x7f1c75f78cb0 bp 0x7ffc95fdf630 sp 0x7ffc95fdf600 T0)
==1381705==The signal is caused by a READ memory access.
    #0 0x7f1c75f78caf in uv_encode /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961
    #1 0x7f1c75f797b2 in LogLuv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1057
    #2 0x7f1c75f79f58 in Luv24fromXYZ /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:1120
    #3 0x7f1c75f76522 in LogLuvEncode24 /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:569
    #4 0x7f1c75f775c7 in LogLuvEncodeStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:722
    #5 0x7f1c75fcb6bb in TIFFWriteEncodedStrip /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_write.c:308
    #6 0x563fd6857160 in writeBufferToContigStrips /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:1317
    #7 0x563fd688022e in writeCroppedImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:9197
    #8 0x563fd685f4d5 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/tiffcrop.c:2834
    #9 0x7f1c75a96082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x563fd6855b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/tools/.libs/tiffcrop+0x9b6d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tif_luv.c:961 in uv_encode
==1381705==ABORTING

poc

poc
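Added example, not part of the issue or of libtiff: a stand-alone Python checker for the TIFF header and first image file directory (IFD) that reports the structural defects libtiff's warnings above point at (tags not in ascending order, a directory entry count or value offset lying outside the file), for both little-endian ("II") and big-endian ("MM") files. The sample TIFFs are constructed in the block and are not the issue's poc.

```python
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}  # bytes per TIFF 6.0 field type

def check_tiff(data: bytes) -> list:
    """Return a list of structural problems in the header and first IFD ([] if clean)."""
    problems = []
    if len(data) < 8:
        return ["header truncated"]
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])   # byte order mark decides struct format
    if endian is None:
        return ["bad byte-order mark"]
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    # The 2-byte entry count must lie inside the file (libtiff: 'Error fetching directory count').
    if ifd_off < 8 or ifd_off + 2 > len(data):
        return problems + ["IFD offset out of file bounds"]
    (count,) = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])
    if ifd_off + 2 + count * 12 + 4 > len(data):   # entries plus next-IFD pointer
        return problems + [f"IFD claims {count} entries but file is too short"]
    prev_tag = -1
    for i in range(count):
        off = ifd_off + 2 + i * 12
        tag, ftype, cnt, val = struct.unpack(endian + "HHII", data[off:off + 12])
        if tag <= prev_tag:   # libtiff warns: 'tags are not sorted in ascending order'
            problems.append(f"entry {i}: tag {tag} not in ascending order")
        prev_tag = tag
        size = TYPE_SIZES.get(ftype)
        if size is None:
            problems.append(f"entry {i}: unknown field type {ftype}")
        elif size * cnt > 4 and val + size * cnt > len(data):   # value stored out of line
            problems.append(f"entry {i}: tag {tag} value offset out of file bounds")
    return problems

def build_tiff(byte_order: bytes, entries, truncate: int = 0) -> bytes:
    """Build a minimal single-IFD TIFF (constructed test data, not the issue's poc)."""
    e = "<" if byte_order == b"II" else ">"
    body = struct.pack(e + "H", len(entries))
    for tag, ftype, cnt, val in entries:
        body += struct.pack(e + "HHII", tag, ftype, cnt, val)
    body += struct.pack(e + "I", 0)                       # no next IFD
    data = byte_order + struct.pack(e + "HI", 42, 8) + body
    return data[:len(data) - truncate] if truncate else data

GOOD = [(256, 3, 1, 4), (257, 3, 1, 4), (262, 3, 1, 1)]   # ImageWidth, ImageLength, Photometric
GOOD_LE = build_tiff(b"II", GOOD)
GOOD_BE = build_tiff(b"MM", GOOD)
BAD_UNSORTED = build_tiff(b"II", [(262, 3, 1, 1), (256, 3, 1, 4), (12336, 3, 1, 0)])
BAD_TRUNCATED = build_tiff(b"II", GOOD, truncate=20)     # IFD cut off mid-entry
BAD_IFD_OFFSET = b"II" + struct.pack("<HI", 42, 0x1000)  # first IFD lies past end of file
```

Running `check_tiff` on a file before handing it to tiffcrop gives a structural verdict without invoking the codec paths that crashed here.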

Related news

Ubuntu Security Notice USN-6290-1

Ubuntu Security Notice 6290-1 - It was discovered that LibTIFF could be made to write out of bounds when processing certain malformed image files with the tiffcrop utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that LibTIFF incorrectly handled certain image files. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.04.

Ubuntu Security Notice USN-6229-1

Ubuntu Security Notice 6229-1 - It was discovered that LibTIFF was not properly handling variables used to perform memory management operations when processing an image through tiffcrop, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that LibTIFF was not properly processing numerical values when dealing with little-endian input data, which could lead to the execution of an invalid operation. An attacker could possibly use this issue to cause a denial of service.
