libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.

Skip to content

**Get started with Code Suggestions, available for free during the beta period.**

Code faster and more efficiently with AI-powered code suggestions in VS Code. 13 languages are supported, including JavaScript, Python, Go, Java, and Kotlin. Enable Code Suggestions in your user profile preferences or see the documentation to learn more.

*   libtiff
*   libtiff
*   Issues
*   #520

Open Issue created Jan 27, 2023 by **Tseng Szu Wei@13579and24680**

**heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV)**

**Summary**

An SIGSEGV caused when using tiffcrop.

AddressSanitizer reports it as heap-buffer-overflow.

**Version**

    $ ./tools/tiffcrop  -v
    Library Release: LIBTIFF, Version 4.5.0
    Copyright (c) 1988-1996 Sam Leffler
    Copyright (c) 1991-1996 Silicon Graphics, Inc.
    Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
               : Copyright (c) 1991-1997 Silicon Graphics, Inc
    Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
    
    $ git log --oneline -1
    a63e18ca (HEAD -> master, origin/master, origin/HEAD) Merge branch 'add_windows_DLL_versioninfo' into 'master'

**Steps to reproduce****make**

    git clone https://gitlab.com/libtiff/libtiff.git
    cd libtiff
    ./autogen.sh
    ./configure
    make

**run**

    ./tools/tiffcrop -Z 12:50,12:99 -R 270 poc /dev/null
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 12336 (0x3030) encountered.
    TIFFFetchNormalTag: Defined set_field_type of custom tag 12336 (Tag 12336) is TIFF_SETGET_UNDEFINED and thus tag is not read from file.
    TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
    TIFFAdvanceDirectory: Error fetching directory count.
    loadImage: Image lacks Photometric interpretation tag.
    Fax4Decode: Uncompressed data (not supported) at line 0 of strip 0 (x 10).
    
    (... too long ignore)
    
    fish: Job 1, './tools/tiffcrop  -Z 12:50,12:9…' terminated by signal SIGSEGV (Address boundary error)

**Platform**

    $ uname -a
    Linux 13579 5.15.0-56-generic #62~20.04.1-Ubuntu SMP Tue Nov 22 21:24:20 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    $ gcc --version
    gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
    Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

**ASAN report**

    ==3490861==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb40a368a45 at pc 0x7fb40d6e7f3d bp 0x7ffca5726e70 sp 0x7ffca5726618
    WRITE of size 296067 at 0x7fb40a368a45 thread T0
        #0 0x7fb40d6e7f3c in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
        #1 0x7fb40d614fb7 in _TIFFmemset /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:341
        #2 0x560accbdb18a in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8499
        #3 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #4 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
        #5 0x560accbb4b6d in _start (/home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/.libs/tiffcrop+0x9b6d)
    
    0x7fb40a368a45 is located 0 bytes to the right of 148037-byte region [0x7fb40a344800,0x7fb40a368a45)
    allocated by thread T0 here:
        #0 0x7fb40d78d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fb40d614f03 in _TIFFmalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/libtiff/tif_unix.c:326
        #2 0x560accbb4d00 in limitMalloc /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:710
        #3 0x560accbe005e in rotateImage /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:9605
        #4 0x560accbdb9f3 in processCropSelections /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:8566
        #5 0x560accbbe0e9 in main /home/a13579/fuzz_lib_tiff/report/libtiff_asan/libtiff/tools/tiffcrop.c:2807
        #6 0x7fb40d0d8082 in __libc_start_main ../csu/libc-start.c:308
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
    Shadow bytes around the buggy address:
      0x0ff7014650f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff701465130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0ff701465140: 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa
      0x0ff701465150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff701465190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3490861==ABORTING

**poc**

poc

CVE-2023-25433: heap-buffer-overflow in processCropSelections() at /libtiff/tools/tiffcrop.c:8499 (SIGSEGV) (#520) · Issues · libtiff / libtiff · GitLab

An issue was discovered in Weblib Ucopia before 6.0.13. OS Command Injection injection can occur, related to chroot.

��ܥ�!U�sЕ������'��.�yZB<�|�iHF�ҁ!%�m���m/7}�3i��<�vD�|;�눩|�u\`H U)�����3��������9�;��p)P����!� 6��Un��?��PHˋ�i\[e ���a�v� �e?�5�<�F>b�\],a��w�KÓ8�K�\` �1�:�F�ţl�"�5�9�F~R�Y�p0O���|2 �IAa���s0|��b�p!����b�c#?&�ϓ88흷 i��������e�o�E,�����L�1�͋�P���$f�s8���b�/�N�B�\]qp���s0����"-ҡ9���A�/c�\[o���%�����dR�HD�\_��\[��ՒW���K%�l�(��eڈ��M�0N{�?�D�a��8���W����K%�l�(�Xeڈ �PdJ,O�Ȓ��~�%�z��tRUȎ�b�O��@:�Cq�)q��.�8��-�b�u1�$ن7t�� Y�ȨM���7p��a��"�6j��k\]1I����8H��Z� "�e��%�+-y�F��v{��Q^E��L qȷ���'�%�r}�{-V��(iQE�� �Ƿaψ�8H�8HKw�t���z,&�Ea��ڰ���0�jL�.,q��Wư���K:d�'=�J�o�����������2��K�e���<��m\_�y8�%�!�f�y�1>-u��2�����!T�e�$�qTQ���o������j���Ϟc�$z��w/ q���yc�z�e,u�/I�6\_�F@bi��Ak�\`I��n�,�F'o��"�?�A�V~�K�$/�9s��;�n��uce���.���pp�Z$���Kp�߮UƎ����Fuq0Y{�P(�R�,Mؐa� \_��c��\`K\\o�����d��>�MV�i�=\\dG

CVE-2022-44720

 Tuleap is a Free & Open Source Suite to improve management of software developments and collaboration. When switching from a project visibility that allows restricted users to `Private without restricted`, restricted users that are project administrators keep this access right. Restricted users that were project administrators before the visibility switch keep the possibility to access the project and do some administration actions. This issue has been resolved in Tuleap version 14.9.99.63. Users are advised to upgrade. There are no known workarounds for this issue.

**Public**

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

Tuleap tuleap/stable

**stable**

**Clone or download**

Files Commits Pull requests 0

The requested resource cannot be found.

CVE-2023-35938: Git - Tuleap

A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.

CVE-2023-30946: Palantir | Trust and Security Portal

A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interact with Developer Mode settings in a limited capacity. A fix was deployed with workspace-server 7.7.0.

CVE-2023-30955: Palantir | Trust and Security Portal

Sealos is an open source cloud operating system distribution based on the Kubernetes kernel. In versions of Sealos prior to 4.2.0 an improper configuration of role based access control (RBAC) permissions resulted in an attacker being able to obtain cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster. This issue has been addressed in version 4.2.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Affected versions**

< 4.2.0

**Description**

**Summary**

Improper configuration of RBAC permissions resulted in obtaining cluster control permissions, which could control the entire cluster deployed with Sealos, as well as hundreds of pods and other resources within the cluster.

**Details**

detail's is disable by publish.

**PoC**

detail's is disable by publish.

**Impact**

*   sealos public cloud user
*   CWE-287 Improper Authentication

CVE-2023-33190: Improper configuration of RBAC permissions obtaining cluster control permissions

ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to reflected Cross-Site Scripting (XSS).

CVE-2023-36484

Telegram v9.6.3 on iOS allows attackers to hide critical information on the User Interface via calling the function SFSafariViewController.

CVE-2023-34658

A possible out-of-bounds read and write (due to an improper length check of shared memory) was discovered in Arm NN Android-NN-Driver before 23.02.

This site uses cookies to store information on your computer. By continuing to use our site, you consent to our cookies. If you are not happy with the use of these cookies, please review our Cookie Policy to learn how they can be disabled. By disabling cookies, some features of the site will not work

CVE-2023-26085: Arm Security Center

ILIAS 7.21 allows stored Cross Site Scripting (XSS).