CVE-2023-30774: heap-buffer-overflow in tiffcrop (#463) · Issues · libtiff / libtiff · GitLab

A vulnerability was found in the libtiff library's tiffcrop utility. A crafted TIFF whose TIFFTAG_NUMBEROFINKS count does not match the strings actually present in TIFFTAG_INKNAMES makes tiffcrop walk the InkNames buffer past its allocation: the AddressSanitizer trace in the report below shows strlen(), called from writeCroppedImage, reading one byte beyond the end of a 1-byte InkNames region, i.e. a heap-buffer-overflow (out-of-bounds read).


Open issue created Sep 15, 2022 by yuhanghuang (@yuhanghuang)

heap-buffer-overflow in tiffcrop

Summary

Hello, I used a fuzzer to test tiffcrop and found a heap-buffer-overflow, and the issue is different from issue #269 (closed), because I ran #269's PoC and it didn't trigger the crash. The following are the details.

Version

latest version

Steps to reproduce

export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
export CC=clang
export CXX=clang++
./autogen.sh
./configure
make

Platform

Ubuntu 18.04 (docker), clang/clang++ 12.0.1

Bug

root@c511e4bf49bc:/tiffcrop# ./tiffcrop.prefuzz id\:000000\,sig\:06\,src\:000472\,op\:arith8\,pos\:86\,val\:-7\,135076762 dist2.tiff 
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFFetchNormalTag: Warning, ASCII value for tag "InkNames" does not end in null byte. Forcing it to be null.
=================================================================
==1038141==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x000000886974 bp 0x7ffc233257d0 sp 0x7ffc23324f80
READ of size 1 at 0x6020000000b1 thread T0
    #0 0x886973 in __interceptor_strlen.part.36 /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372
    #1 0x451896 in writeCroppedImage (/tiffcrop/tiffcrop.prefuzz+0x451896)
    #2 0x41e411 in main (/tiffcrop/tiffcrop.prefuzz+0x41e411)
    #3 0x7fc80f6ddc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x407ad9 in _start (/tiffcrop/tiffcrop.prefuzz+0x407ad9)

0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
    #0 0x8fb3a0 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x67d413 in _TIFFmalloc (/tiffcrop/tiffcrop.prefuzz+0x67d413)
    #2 0x4c4299 in setByteArray (/tiffcrop/tiffcrop.prefuzz+0x4c4299)
    #3 0x522bd8 in _TIFFsetNString (/tiffcrop/tiffcrop.prefuzz+0x522bd8)
    #4 0x4e6bb6 in _TIFFVSetField (/tiffcrop/tiffcrop.prefuzz+0x4e6bb6)
    #5 0x4c4c1d in TIFFVSetField (/tiffcrop/tiffcrop.prefuzz+0x4c4c1d)
    #6 0x4c49b6 in TIFFSetField (/tiffcrop/tiffcrop.prefuzz+0x4c49b6)
    #7 0x564952 in TIFFFetchNormalTag (/tiffcrop/tiffcrop.prefuzz+0x564952)
    #8 0x53b5e4 in TIFFReadDirectory (/tiffcrop/tiffcrop.prefuzz+0x53b5e4)
    #9 0x638ccb in TIFFClientOpen (/tiffcrop/tiffcrop.prefuzz+0x638ccb)
    #10 0x679c1b in TIFFFdOpen (/tiffcrop/tiffcrop.prefuzz+0x679c1b)
    #11 0x67d291 in TIFFOpen (/tiffcrop/tiffcrop.prefuzz+0x67d291)
    #12 0x419d85 in main (/tiffcrop/tiffcrop.prefuzz+0x419d85)
    #13 0x7fc80f6ddc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:372 in __interceptor_strlen.part.36
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa fd fa fa fa 02 fa fa fa fd fa
=>0x0c047fff8010: fa fa fd fa fa fa[01]fa fa fa fd fd fa fa 00 04
  0x0c047fff8020: fa fa 04 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fff8030: fa fa fd fd fa fa 00 04 fa fa fd fd fa fa fd fa
  0x0c047fff8040: fa fa 00 fa fa fa 04 fa fa fa 04 fa fa fa fd fa
  0x0c047fff8050: fa fa 00 fa fa fa fd fa fa fa 00 fa fa fa 04 fa
  0x0c047fff8060: fa fa 02 fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1038141==ABORTING

POC

poc_tiffcrop.zip
id_000000_sig_06_src_000472_op_arith8_pos_86_val_-7_135076762 (/uploads/6d485afc5c383af6b1c0c0491fdc259f/id_000000_sig_06_src_000472_op_arith8_pos_86_val_-7_135076762)

Credit

Yuhang Huang (NCNIPC of China), Han Zheng (NCNIPC of China, Hexhive)

Thanks for your time!

Edited Sep 16, 2022 by yuhanghuang
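The ASan trace above ends in strlen() called from writeCroppedImage, reading one byte past a 1-byte InkNames allocation. The following is an added illustrative model of that bug class, not libtiff's or tiffcrop's code: InkNames is a packed run of NUL-terminated strings and NumberOfInks says how many there are, so a consumer that trusts the count and walks the buffer with strlen()/strchr() reads past the allocation when the two disagree. The unchecked walk is a hypothetical reconstruction of the vulnerable pattern; the checked walk beside it bounds every search by the buffer length and rejects counts the buffer cannot satisfy. All sample inputs are constructed here, not taken from the PoC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the vulnerable pattern (not libtiff code):
 * the length of the 'ninks' strings is summed with strlen() and the buffer
 * length is never consulted. Only safe when the tag really holds 'ninks'
 * strings; on a shorter buffer strchr()/strlen() read past the allocation. */
size_t inknames_len_unchecked(const char *inknames, uint16_t ninks)
{
    size_t len = strlen(inknames) + 1;
    const char *cp = inknames;
    while (ninks > 1) {
        cp = strchr(cp, '\0') + 1;   /* steps past the end if fewer strings exist */
        len += strlen(cp) + 1;       /* out-of-bounds read on a short buffer */
        ninks--;
    }
    return len;
}

/* Hardened version: each terminator is located with memchr() inside the
 * remaining buffer, so the walk can never leave [inknames, inknames+buflen).
 * Returns the byte length of the 'ninks' strings including terminators, or 0
 * if ninks is 0 or the buffer holds fewer than 'ninks' terminated strings. */
size_t inknames_len_checked(const char *inknames, size_t buflen, uint16_t ninks)
{
    size_t pos = 0;
    if (ninks == 0)
        return 0;
    for (unsigned i = 0; i < ninks; i++) {
        const char *nul = memchr(inknames + pos, '\0', buflen - pos);
        if (nul == NULL)
            return 0;                /* string not terminated within the buffer */
        pos = (size_t)(nul - inknames) + 1;
    }
    return pos;
}

/* Constructed sample inputs (not from the PoC). */
static const char GOOD_INKNAMES[] = "Cyan\0Magenta\0Yellow\0Black\0";
#define GOOD_LEN (sizeof(GOOD_INKNAMES) - 1)   /* 26 bytes, 4 strings */
static const char SHORT_INKNAMES[] = "\0";      /* 1-byte region, as in the report */
#define SHORT_LEN 1

int main(void)
{
    printf("well-formed, NumberOfInks=4: unchecked=%zu checked=%zu\n",
           inknames_len_unchecked(GOOD_INKNAMES, 4),
           inknames_len_checked(GOOD_INKNAMES, GOOD_LEN, 4));
    /* Only the checked walk is safe to call on the malformed tag; the
     * unchecked one would read past SHORT_INKNAMES exactly as in the trace. */
    printf("1-byte InkNames, NumberOfInks=2: checked=%zu (0 = rejected)\n",
           inknames_len_checked(SHORT_INKNAMES, SHORT_LEN, 2));
    printf("4 inks declared, buffer holds 2: checked=%zu (0 = rejected)\n",
           inknames_len_checked("Cyan\0Magenta\0", 13, 4));
    return 0;
}
```

The checked walk returns 26 for the well-formed tag and 0 for both malformed cases; a caller should treat 0 as a bad tag and skip copying InkNames rather than trusting NumberOfInks. Build with -fsanitize=address and call the unchecked walk on SHORT_INKNAMES to reproduce the report's signature (a 1-byte READ past a 1-byte region inside strlen).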

Related news

Apple Security Advisory 10-25-2023-4

Apple Security Advisory 10-25-2023-4 - macOS Sonoma 14.1 addresses bypass, code execution, spoofing, and use-after-free vulnerabilities.

CVE-2023-42861: About the security content of macOS Sonoma 14.1

A logic issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1. An attacker with knowledge of a standard user's credentials can unlock another standard user's locked screen on the same Mac.

RHSA-2023:2340: Red Hat Security Advisory: libtiff security update

An update for libtiff is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3570: A heap-based buffer overflow flaw was found in Libtiff's tiffcrop utility. This issue occurs during the conversion of a TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes an out-of-bound access resulting an application crash, eventually leading to a denial of service. * CVE-2022-3597: An out-o...
