tiffcrop: global-buffer-overflow in _TIFFVGetField(), another attack vector for CVE-2022-34526
Summary
A global buffer overflow occurs when tiffcrop processes a crafted file. This issue was already patched in !363 (merged); however, this attack vector is not mentioned anywhere and should at the very least be mentioned in the description of CVE-2022-34526. Assigning this issue a separate CVE ID would also work.
Version
user@localhost:~/Downloads/libtiff-v4.4.0/tools> ./tiffcrop -v
Library Release: LIBTIFF, Version 4.4.0
Copyright (c) 1988-1996 Sam Leffler
Copyright (c) 1991-1996 Silicon Graphics, Inc.
Tiffcrop version: 2.5, last updated: 02-09-2022
Tiffcp code: Copyright (c) 1988-1997 Sam Leffler
: Copyright (c) 1991-1997 Silicon Graphics, Inc
Tiffcrop additions: Copyright (c) 2007-2010 Richard Nolde
Steps to reproduce
- Download release 4.4.0.
- Extract the source.
- cd libtiff-v4.4.0
- Compile with
  CC=gcc CXX=g++ CFLAGS="-ggdb -fsanitize=address" ./configure
  and then make.
- cd ./tools
- Download the poc.zip and move it to the tools folder.
- Reproduce the crash with the following command:
  ./tiffcrop -i poc.tif a.tif
Platform
gcc --version
gcc (SUSE Linux) 12.2.1 20221020 [revision 0aaef83351473e8f4eb774f8f999bbe87a4866d7]
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
uname -r
6.0.8-1-default
uname -a
Linux localhost.localdomain 6.0.8-1-default #1 SMP PREEMPT_DYNAMIC Fri Nov 11 08:02:50 UTC 2022 (1579d93) x86_64 x86_64 x86_64 GNU/Linux
lsb_release -a
LSB Version: n/a
Distributor ID: openSUSE
Description: openSUSE Tumbleweed
Release: 20221112
Codename: n/a
AddressSanitizer Logs (ASAN)
user@localhost:~/Downloads/libtiff-v4.4.0/tools> ./tiffcrop -i poc.tif a.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 317 (0x13d) encountered.
TIFFFetchNormalTag: Warning, Incompatible type for "SubIFD"; tag ignored.
TIFFFetchNormalTag: Warning, incorrect count for field "PageNumber", expected 2, got 240.
TIFFReadDirectory: Warning, Sum of Photometric type-related color channels and ExtraSamples doesn't match SamplesPerPixel. Defining non-color channels as ExtraSamples..
poc.tif: AdobeDeflate compression support is not configured.
poc.tif: AdobeDeflate compression support is not configured.
=================================================================
==2787==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000442000 at pc 0x7fbcb4ee3e6a bp 0x7fff005da320 sp 0x7fff005da318
WRITE of size 4 at 0x000000442000 thread T0
#0 0x7fbcb4ee3e69 in _TIFFVGetField /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1164
#1 0x7fbcb4ee5b1c in TIFFVGetField /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1302
#2 0x7fbcb4ee5988 in TIFFGetField /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1286
#3 0x429e8d in writeCroppedImage /home/user/Downloads/libtiff-v4.4.0/tools/tiffcrop.c:8116
#4 0x40b4e7 in main /home/user/Downloads/libtiff-v4.4.0/tools/tiffcrop.c:2441
#5 0x7fbcb4bf05af in __libc_start_call_main (/lib64/libc.so.6+0x275af)
#6 0x7fbcb4bf0678 in __libc_start_main_impl (/lib64/libc.so.6+0x27678)
#7 0x402584 in _start ../sysdeps/x86_64/start.S:115
0x000000442002 is located 0 bytes to the right of global variable 'predictor' defined in 'tiffcrop.c:436:17' (0x442000) of size 2
SUMMARY: AddressSanitizer: global-buffer-overflow /home/user/Downloads/libtiff-v4.4.0/libtiff/tif_dir.c:1164 in _TIFFVGetField
Shadow bytes around the buggy address:
0x0000800803b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800803c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000800803d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800803e0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0000800803f0: 02 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
=>0x000080080400:[02]f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
0x000080080410: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x000080080420: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x000080080430: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x000080080440: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x000080080450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2787==ABORTING
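The ASAN report above records a 4-byte WRITE landing in the 2-byte global 'predictor' via the generic field getter. The following is an added illustration of that bug class, not code from libtiff, from !363 or from this report: a constructed model of a tag getter whose write width is decided by how the tag was registered while the file was read, while the caller sized its variable for the width the tag normally has. The field table, the registration of tag 317 as a 4-byte field, and every function and type name are assumptions made for the model; the only fact taken from the page is the size mismatch ASAN shows. The unchecked getter overwrites the bytes next to the target; the checked getter takes the caller's width as a parameter and refuses the mismatch instead of writing past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not libtiff's code). A field's storage width is whatever
 * the reader registered for the tag; the caller passes a pointer sized for the
 * width it expects, and nothing reconciles the two. */
enum field_width { WIDTH_UINT16 = 2, WIDTH_UINT32 = 4 };

struct field_entry {
    uint16_t tag;
    enum field_width width;   /* width registered while reading the file */
    uint32_t value;           /* stored value, zero-extended */
};

/* Constructed table. Tag 317 (Predictor) is registered as a 4-byte field:
 * an assumption for the model, chosen to match the 4-byte write into the
 * 2-byte 'predictor' that the ASAN report shows. */
static const struct field_entry fields[] = {
    { 317, WIDTH_UINT32, 2 },
};

static const struct field_entry *lookup(uint16_t tag)
{
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if (fields[i].tag == tag)
            return &fields[i];
    return NULL;
}

/* Copies the registered width's worth of bytes through 'out'. */
static void write_value(const struct field_entry *f, void *out)
{
    if (f->width == WIDTH_UINT32) {
        uint32_t v = f->value;
        memcpy(out, &v, sizeof v);          /* 4 bytes, whatever 'out' holds */
    } else {
        uint16_t v = (uint16_t)f->value;
        memcpy(out, &v, sizeof v);
    }
}

/* Vulnerable pattern: trust the registered width, never ask the caller. */
static int get_field_unchecked(uint16_t tag, void *out)
{
    const struct field_entry *f = lookup(tag);
    if (f == NULL)
        return 0;
    write_value(f, out);
    return 1;
}

/* Hardened pattern: the caller states the width it can receive and a
 * mismatch is rejected rather than written. */
static int get_field_checked(uint16_t tag, void *out, size_t out_size)
{
    const struct field_entry *f = lookup(tag);
    if (f == NULL || (size_t)f->width != out_size)
        return 0;
    write_value(f, out);
    return 1;
}

/* Caller-side storage as a 4-byte array: bytes 0-1 are the 2-byte
 * 'predictor', bytes 2-3 a sentinel standing in for whatever sits right
 * after it (ASAN places the write 0 bytes past 'predictor'). */
#define SENTINEL 0xBEEFu

static void init_storage(uint8_t storage[4])
{
    uint16_t predictor = 0xFFFF, sentinel = SENTINEL;
    memcpy(storage, &predictor, 2);
    memcpy(storage + 2, &sentinel, 2);
}

static uint16_t read_sentinel(const uint8_t storage[4])
{
    uint16_t s;
    memcpy(&s, storage + 2, 2);
    return s;
}

/* Sentinel after the unchecked getter fills the 2-byte slot: clobbered. */
uint16_t neighbor_after_unchecked(void)
{
    uint8_t storage[4];
    init_storage(storage);
    get_field_unchecked(317, storage);      /* 4 bytes into a 2-byte slot */
    return read_sentinel(storage);
}

/* Checked getter against the same 2-byte slot: returns 0, sentinel intact. */
int checked_accepts_uint16_target(void)
{
    uint8_t storage[4];
    init_storage(storage);
    int ok = get_field_checked(317, storage, 2);
    return ok == 0 && read_sentinel(storage) == SENTINEL ? 0 : 1;
}

/* A caller whose target matches the registered width receives the value. */
uint32_t value_for_uint32_target(void)
{
    uint32_t v = 0;
    return get_field_checked(317, &v, sizeof v) ? v : 0xFFFFFFFFu;
}

int main(void)
{
    printf("unchecked: neighbor=0x%04x (was 0x%04x)\n",
           neighbor_after_unchecked(), SENTINEL);
    printf("checked:   accepted=%d value=%u\n",
           checked_accepts_uint16_target(), value_for_uint32_target());
    return 0;
}
```

The model keeps the overwrite inside a 4-byte array so it runs cleanly without a sanitizer; in the real binary the same 4-byte write lands past the end of the 2-byte global, which is exactly what AddressSanitizer's global redzone (the f9 shadow bytes in the report) catches. The defensive takeaway is the second getter: a generic field accessor must check the registered type against what the caller can receive, and callers must size their variables for the type the accessor will actually write.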