libtiff · Issues · #486
Closed
Issue created Nov 15, 2022 by Nitay Meiron@nitay-jfrog

tiffcrop: global-buffer-overflow in _TIFFVGetField(), another attack vector for CVE-2022-34526

Summary

A global buffer overflow occurs when tiffcrop processes a crafted file. This issue was already patched in !363 (merged); however, this attack vector is not mentioned anywhere, and it should at the very least be mentioned in the description of CVE-2022-34526. Giving this issue a separate CVE ID will also work.

Version

user@localhost:~/Downloads/libtiff-v4.4.0/tools> ./tiffcrop -v
Library Release: LIBTIFF, Version 4.4.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.5, last updated: 02-09-2022
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
           : Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde

Steps to reproduce

  1. Download release 4.4.0.
  2. Extract the source.
  3. cd libtiff-v4.4.0
  4. Compile with CC=gcc CXX=g++ CFLAGS="-ggdb -fsanitize=address" ./configure and then make.
  5. cd ./tools
  6. Download poc.zip and move its contents to the tools folder.
  7. Reproduce the crash with the following command: ./tiffcrop -i poc.tif a.tif

Platform

gcc --version
gcc (SUSE Linux) 12.2.1 20221020 [revision 0aaef83351473e8f4eb774f8f999bbe87a4866d7]
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

uname -r
6.0.8-1-default

uname -a
Linux localhost.localdomain 6.0.8-1-default #1 SMP PREEMPT_DYNAMIC Fri Nov 11 08:02:50 UTC 2022 (1579d93) x86_64 x86_64 x86_64 GNU/Linux

lsb_release -a
LSB Version:	n/a
Distributor ID:	openSUSE
Description:	openSUSE Tumbleweed
Release:	20221112
Codename:	n/a

AddressSanitizer Logs (ASAN)

user@localhost:~/Downloads/libtiff-v4.4.0/tools> ./tiffcrop -i poc.tif a.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
TIFFFetchNormalTag: Warning, Incompatible type for "SubIFD"; tag ignored.
TIFFFetchNormalTag: Warning, incorrect count for field "PageNumber", expected 2, got 240.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
poc.tif: AdobeDeflate compression support is not configured.
poc.tif: AdobeDeflate compression support is not configured.
=================================================================
==2787==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000442000 at pc 0x7fbcb4ee3e6a bp 0x7fff005da320 sp 0x7fff005da318
WRITE of size 4 at 0x000000442000 thread T0
    #0 0x7fbcb4ee3e69 in _TIFFVGetField /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1164
    #1 0x7fbcb4ee5b1c in TIFFVGetField /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1302
    #2 0x7fbcb4ee5988 in TIFFGetField /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1286
    #3 0x429e8d in writeCroppedImage /home/user/Downloads/libtiff-v4.4.0/tools/tiffcrop.c:8116
    #4 0x40b4e7 in main /home/user/Downloads/libtiff-v4.4.0/tools/tiffcrop.c:2441
    #5 0x7fbcb4bf05af in __libc_start_call_main (/lib64/libc.so.6+0x275af)
    #6 0x7fbcb4bf0678 in __libc_start_main_impl (/lib64/libc.so.6+0x27678)
    #7 0x402584 in _start ../sysdeps/x86_64/start.S:115

0x000000442002 is located 0 bytes to the right of global variable 'predictor' defined in 'tiffcrop.c:436:17' (0x442000) of size 2
SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1164 in _TIFFVGetField
Shadow bytes around the buggy address:
  0x0000800803b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000800803c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000800803d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800803e0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000800803f0: 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
=>0x000080080400:[02]f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
  0x000080080410: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080080420: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080080430: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x000080080440: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x000080080450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2787==ABORTING
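The trace above shows the shape of the defect: tag 317 is the TIFF Predictor tag, it arrives in the file with a type libtiff does not expect (hence the "Unknown field with tag 317" warning), and _TIFFVGetField then performs a 4-byte WRITE into tiffcrop's 2-byte global 'predictor'. The following C program is an added illustration, not libtiff code: it models a variadic-style field getter that writes as many bytes as the file's declared type says, next to a hardened variant that refuses the write when the caller's expected type differs. The directory, tag type, field value, 0xBEEF sentinel and every function name are constructed for the demonstration; the caller's 2-byte slot and its 2-byte neighbour share one 4-byte array so the overrun is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field type as declared by the file (constructed model, not libtiff's TIFFField).
 * The enum value doubles as the width in bytes the getter will write. */
typedef enum { FT_UINT16 = 2, FT_UINT32 = 4 } field_type;

typedef struct {
    uint32_t   tag;
    field_type type;    /* width written through the caller's pointer */
    uint32_t   value;
} field_desc;

/* Constructed directory: tag 317 (Predictor) declared with a 32-bit type,
 * while the caller only reserved a 16-bit variable for it. */
#define TAG_PREDICTOR 317u
static const field_desc directory[] = {
    { TAG_PREDICTOR, FT_UINT32, 0x00020002u },  /* same 2-byte halves on either endianness */
};
#define NDIR (sizeof directory / sizeof directory[0])

static const field_desc *find_field(uint32_t tag) {
    for (size_t i = 0; i < NDIR; i++)
        if (directory[i].tag == tag) return &directory[i];
    return NULL;
}

/* Unchecked getter: the write width comes from the file, never from the caller.
 * Returns 1 if the tag exists. */
int get_field_unchecked(uint32_t tag, void *dst) {
    const field_desc *f = find_field(tag);
    if (!f) return 0;
    memcpy(dst, &f->value, (size_t)f->type);   /* 4 bytes into a 2-byte slot */
    return 1;
}

/* Checked getter: the caller states the type of the storage it passed; the write
 * is refused (tag treated as absent) when the file's declared type differs. */
int get_field_checked(uint32_t tag, field_type expected, void *dst) {
    const field_desc *f = find_field(tag);
    if (!f) return 0;
    if (f->type != expected) {
        fprintf(stderr, "tag %u: file declares a %u-byte type, caller expects %u bytes; ignored\n",
                tag, (unsigned)f->type, (unsigned)expected);
        return 0;
    }
    memcpy(dst, &f->value, (size_t)expected);
    return 1;
}

/* Caller storage: 2-byte predictor followed by a 2-byte neighbour holding a sentinel. */
typedef struct { unsigned char bytes[4]; } slot;
#define NEIGHBOUR_SENTINEL 0xBEEFu

static slot fresh_slot(void) {
    slot s;
    uint16_t zero = 0, sentinel = NEIGHBOUR_SENTINEL;
    memcpy(s.bytes, &zero, 2);
    memcpy(s.bytes + 2, &sentinel, 2);
    return s;
}

static uint16_t neighbour_of(const slot *s) {
    uint16_t v;
    memcpy(&v, s->bytes + 2, 2);
    return v;
}

/* Neighbour's value after an unchecked read into the 2-byte predictor slot. */
uint16_t neighbour_after_unchecked(void) {
    slot s = fresh_slot();
    get_field_unchecked(TAG_PREDICTOR, s.bytes);
    return neighbour_of(&s);
}

/* Same read through the checked getter; the neighbour must keep its sentinel. */
uint16_t neighbour_after_checked(void) {
    slot s = fresh_slot();
    get_field_checked(TAG_PREDICTOR, FT_UINT16, s.bytes);
    return neighbour_of(&s);
}

int checked_rejects_mismatch(void) {
    slot s = fresh_slot();
    return get_field_checked(TAG_PREDICTOR, FT_UINT16, s.bytes) == 0;
}

int checked_accepts_match(void) {
    slot s = fresh_slot();
    return get_field_checked(TAG_PREDICTOR, FT_UINT32, s.bytes) == 1;
}

int main(void) {
    printf("unchecked: neighbour = 0x%04x (sentinel was 0x%04x)\n",
           neighbour_after_unchecked(), NEIGHBOUR_SENTINEL);
    printf("checked:   neighbour = 0x%04x\n", neighbour_after_checked());
    return 0;
}
```

The unchecked path is what ASan flags in the trace: the neighbour loses its sentinel because the getter trusted the file's type. In the checked path the getter compares the file-declared type with the type the caller's storage actually has, and a mismatch leaves the caller's memory untouched; a real TIFF reader gets the same protection by keeping known tags bound to their fixed definition rather than letting a file redefine the type of a tag the application already holds a variable for.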