
CVE-2023-0797: Merge branch 'tiffcrop_R270_fix#492' into 'master' (afaabc3e) · Commits · libtiff / libtiff · GitLab

LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.


Commit afaabc3e authored Feb 05, 2023 by Even Rouault


Merge branch ‘tiffcrop_R270_fix#492’ into ‘master’

tiffcrop: Amend rotateImage() not to toggle the input (main) image width and…

Closes #519, #518, #499, #495, #494, #493 and #492

See merge request !465


@@ -296,7 +296,6 @@ struct region

uint32_t width; /* width in pixels */

uint32_t length; /* length in pixels */

uint32_t buffsize; /* size of buffer needed to hold the cropped region */

unsigned char *buffptr; /* address of start of the region */

};

/* Cropping parameters from command line and image data

@@ -577,7 +576,7 @@ static int rotateContigSamples24bits(uint16_t, uint16_t, uint16_t, uint32_t,

static int rotateContigSamples32bits(uint16_t, uint16_t, uint16_t, uint32_t,

uint32_t, uint32_t, uint8_t *, uint8_t *);

static int rotateImage(uint16_t, struct image_data *, uint32_t *, uint32_t *,

unsigned char **, size_t *);

unsigned char **, size_t *, int);

static int mirrorImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,

unsigned char *);

static int invertImage(uint16_t, uint16_t, uint16_t, uint32_t, uint32_t,

@@ -5782,7 +5781,6 @@ static void initCropMasks(struct crop_mask *cps)

cps->regionlist[i].width = 0;

cps->regionlist[i].length = 0;

cps->regionlist[i].buffsize = 0;

cps->regionlist[i].buffptr = NULL;

cps->zonelist[i].position = 0;

cps->zonelist[i].total = 0;

}

@@ -7266,9 +7264,13 @@ static int correct_orientation(struct image_data *image,

(uint16_t)(image->adjustments & ROTATE_ANY));

return (-1);

}

if (rotateImage(rotation, image, &image->width, &image->length,

work_buff_ptr, NULL))

/* Dummy variable in order not to switch two times the

* image->width,->length within rotateImage(),

* but switch xres, yres there. */

uint32_t width = image->width;

uint32_t length = image->length;

if (rotateImage(rotation, image, &width, &length, work_buff_ptr, NULL,

TRUE))

{

TIFFError("correct_orientation", “Unable to rotate image”);

return (-1);

@@ -7377,7 +7379,6 @@ static int extractCompositeRegions(struct image_data *image,

/* These should not be needed for composite images */

crop->regionlist[i].width = crop_width;

crop->regionlist[i].length = crop_length;

crop->regionlist[i].buffptr = crop_buff;

src_rowsize = ((img_width * bps * spp) + 7) / 8;

dst_rowsize = (((crop_width * bps * count) + 7) / 8);

@@ -7640,7 +7641,6 @@ static int extractSeparateRegion(struct image_data *image,

crop->regionlist[region].width = crop_width;

crop->regionlist[region].length = crop_length;

crop->regionlist[region].buffptr = crop_buff;

src = read_buff;

dst = crop_buff;

@@ -8635,7 +8635,8 @@ static int processCropSelections(struct image_data *image,

* accordingly. */

size_t rot_buf_size = 0;

if (rotateImage(crop->rotation, image, &crop->combined_width,

&crop->combined_length, &crop_buff, &rot_buf_size))

&crop->combined_length, &crop_buff, &rot_buf_size,

FALSE))

{

TIFFError("processCropSelections",

“Failed to rotate composite regions by %” PRIu32

@@ -8759,9 +8760,10 @@ static int processCropSelections(struct image_data *image,

* its size individually. Therefore, seg_buffs size needs to be

* updated accordingly. */

size_t rot_buf_size = 0;

if (rotateImage(

crop->rotation, image, &crop->regionlist[i].width,

&crop->regionlist[i].length, &crop_buff, &rot_buf_size))

if (rotateImage(crop->rotation, image,

&crop->regionlist[i].width,

&crop->regionlist[i].length, &crop_buff,

&rot_buf_size, FALSE))

{

TIFFError("processCropSelections",

“Failed to rotate crop region by %” PRIu16

@@ -8905,7 +8907,7 @@ static int createCroppedImage(struct image_data *image, struct crop_mask *crop,

CROP_ROTATE) /* rotate should be last as it can reallocate the buffer */

{

if (rotateImage(crop->rotation, image, &crop->combined_width,

&crop->combined_length, crop_buff_ptr, NULL))

&crop->combined_length, crop_buff_ptr, NULL, TRUE))

{

TIFFError("createCroppedImage",

“Failed to rotate image or cropped selection by %” PRIu16

@@ -9621,7 +9623,8 @@ static int rotateContigSamples32bits(uint16_t rotation, uint16_t spp,

/* Rotate an image by a multiple of 90 degrees clockwise */

static int rotateImage(uint16_t rotation, struct image_data *image,

uint32_t *img_width, uint32_t *img_length,

unsigned char **ibuff_ptr, size_t *rot_buf_size)

unsigned char **ibuff_ptr, size_t *rot_buf_size,

int rot_image_params)

{

int shift_width;

uint32_t bytes_per_pixel, bytes_per_sample;

@@ -9869,11 +9872,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,

*img_width = length;

*img_length = width;

image->width = length;

image->length = width;

res_temp = image->xres;

image->xres = image->yres;

image->yres = res_temp;

/* Only toggle image parameters if whole input image is rotated. */

if (rot_image_params)

{

image->width = length;

image->length = width;

res_temp = image->xres;

image->xres = image->yres;

image->yres = res_temp;

}

break;

case 270:

@@ -9956,11 +9963,15 @@ static int rotateImage(uint16_t rotation, struct image_data *image,

*img_width = length;

*img_length = width;

image->width = length;

image->length = width;

res_temp = image->xres;

image->xres = image->yres;

image->yres = res_temp;

/* Only toggle image parameters if whole input image is rotated. */

if (rot_image_params)

{

image->width = length;

image->length = width;

res_temp = image->xres;

image->xres = image->yres;

image->yres = res_temp;

}

break;

default:

break;
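Review bot: The new `rot_image_params` argument of rotateImage() has no documented contract: the forward declaration lists it as a bare `int`, and the header comment above the definition still says only "Rotate an image by a multiple of 90 degrees clockwise". A wrong value at a call site would leave `image->width`/`image->length` out of step with the buffer being processed, which appears to be the stale-dimension state this commit is correcting, so I would extend that header comment with `/* rot_image_params: TRUE if *ibuff_ptr holds the whole input image (image->width/length and xres/yres are swapped too); FALSE for a crop region, which leaves *image untouched. */`. The createCroppedImage() call passes `TRUE` together with `&crop->combined_width` and `&crop->combined_length`, while its error text speaks of an "image or cropped selection", so it is worth confirming that overwriting the main image dimensions on that path is intended. rotateImage()'s body and the bodies of its callers continue outside the visible hunks.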

Related news

Red Hat Security Advisory 2023-3711-01

Red Hat Security Advisory 2023-3711-01 - The libtiff packages contain a library of functions for manipulating Tagged Image File Format files. Issues addressed include buffer overflow, out of bounds read, out of bounds write, and use-after-free vulnerabilities.

Ubuntu Security Notice USN-5923-1

Ubuntu Security Notice 5923-1 - It was discovered that LibTIFF could be made to read out of bounds when processing certain malformed image files with the tiffcrop tool. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service. It was discovered that LibTIFF could be made to write out of bounds when processing certain malformed image files with the tiffcrop tool. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcrop to crash, resulting in a denial of service, or possibly execute arbitrary code.

Debian Security Advisory 5361-1

Debian Linux Security Advisory 5361-1 - Several flaws were found in tiffcrop, a program distributed by tiff, the Tag Image File Format (TIFF) library and tools. A specially crafted tiff file can lead to an out-of-bounds write or read resulting in a denial of service.
