Bug 856478 (CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2953, CVE-2022-3570, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, CVE-2022-3627, CVE-2022-3970, CVE-2023-30086, CVE-2023-30774, CVE-2023-30775)

Comment 1 John Helmert III 2022-08-18 17:53:26 UTC

CVE-2022-2867 (https://bugzilla.redhat.com/show_bug.cgi?id=2118847):

libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.

Issue: https://gitlab.com/libtiff/libtiff/-/issues/352
Patch: https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd

CVE-2022-2868 (https://bugzilla.redhat.com/show_bug.cgi?id=2118863):

libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.

Issues: https://gitlab.com/libtiff/libtiff/-/issues/350
https://gitlab.com/libtiff/libtiff/-/issues/351
Patch: https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54

CVE-2022-2869 (https://bugzilla.redhat.com/show_bug.cgi?id=2118869):

libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.

Issue: https://gitlab.com/libtiff/libtiff/-/issues/335
Patch: https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903

Comment 2 John Helmert III 2022-08-29 16:40:31 UTC

CVE-2022-2953 (https://gitlab.com/libtiff/libtiff/-/issues/414):

LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3

Comment 3 John Helmert III 2022-09-02 02:01:54 UTC

CVE-2022-2519 (https://gitlab.com/libtiff/libtiff/-/issues/423):

There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1

CVE-2022-2520 (https://gitlab.com/libtiff/libtiff/-/issues/424):

A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input.

CVE-2022-2521 (https://gitlab.com/libtiff/libtiff/-/issues/422):

It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input.

All three patched by: https://gitlab.com/libtiff/libtiff/-/merge_requests/378

Comment 4 John Helmert III 2022-10-21 20:50:08 UTC

CVE-2022-3598 (https://gitlab.com/libtiff/libtiff/-/issues/435):

LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff

CVE-2022-3599 (https://gitlab.com/libtiff/libtiff/-/issues/398):

LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246

CVE-2022-3626 (https://gitlab.com/libtiff/libtiff/-/issues/426):

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047

CVE-2022-3627 (https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047):

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

Patch: https://gitlab.com/libtiff/libtiff/-/issues/411

CVE-2022-3570 (https://gitlab.com/libtiff/libtiff/-/issues/381):
https://gitlab.com/libtiff/libtiff/-/issues/386

Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into application crash, potential information disclosure or any other context-dependent impact

Patch: https://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094c

CVE-2022-3597 (https://gitlab.com/libtiff/libtiff/-/issues/413):

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047

All patched but all appear unreleased.

Comment 5 John Helmert III 2022-11-16 17:08:03 UTC

CVE-2022-3970 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137):

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.

Patch (seems unreleased): https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be

Comment 6 Larry the Git Cow 2022-12-10 04:10:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d63be024fb77b02effd31c92cd79e55013118447

commit d63be024fb77b02effd31c92cd79e55013118447
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-10 04:09:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-10 04:09:36 +0000

    media-libs/tiff: add 4.5.0_rc1 (unkeyworded)
    
    Bug: https://bugs.gentoo.org/856478
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/tiff/Manifest                           |  2 +
 .../tiff-4.5.0_rc1-skip-tools-tests-multilib.patch | 52 +++++++++++++
 media-libs/tiff/tiff-4.5.0_rc1.ebuild              | 89 ++++++++++++++++++++++
 3 files changed, 143 insertions(+)

Comment 7 Michał Górny 2023-01-23 07:46:34 UTC

How do we want to handle media-libs/tiff-compat here?

Comment 8 John Helmert III 2023-01-23 14:46:43 UTC

Hm. I suppose it's vulnerable just like media-libs/tiff?

Comment 9 Larry the Git Cow 2023-01-24 16:12:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70d25ca63199f98c7f5bfb6d9f54023eec9048d1

commit 70d25ca63199f98c7f5bfb6d9f54023eec9048d1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-01-24 14:12:10 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-01-24 16:11:33 +0000

    media-libs/tiff: drop 4.4.0-r1, 4.4.0-r2
    
    Bug: https://bugs.gentoo.org/856478
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/tiff/Manifest                           |   2 -
 .../files/tiff-4.4.0-hylafaxplus-regression.patch  |  34 -------
 .../files/tiff-4.4.0_rc1-skip-thumbnail-test.patch |  32 -------
 media-libs/tiff/tiff-4.4.0-r1.ebuild               |  97 --------------------
 media-libs/tiff/tiff-4.4.0-r2.ebuild               | 102 ---------------------
 5 files changed, 267 deletions(-)

I don't see https://nvd.nist.gov/vuln/detail/CVE-2022-48281 tracked here or in another bug and it affects 4.5.0. Should we start another bug for tiff CVEs?

Upstream libtiff doesn't have a tag newer than 4.5.0 yet, but the fix is fairly small:
https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 14fa18da7dbe6920f1cc5bcf5e079ce080eb43a0..7db69883e6c545fa410bac29325cd8fc036a2168 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
                     cropsize + NUM_BUFF_OVERSIZE_BYTES);
             else
             {
-                prev_cropsize = seg_buffs[0].size;
+                prev_cropsize = seg_buffs[i].size;
                 if (prev_cropsize < cropsize)
                 {
                     next_buff = _TIFFrealloc(

Comment 11 John Helmert III 2023-02-20 18:41:11 UTC

(In reply to Allen Webb from comment #10)
> I don't see https://nvd.nist.gov/vuln/detail/CVE-2022-48281 tracked here or
> in another bug and it affects 4.5.0. Should we start another bug for tiff
> CVEs?
> 
> Upstream libtiff doesn't have a tag newer than 4.5.0 yet, but the fix is
> fairly small:
> https://gitlab.com/libtiff/libtiff/-/commit/
> d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5
> diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
> index
> 14fa18da7dbe6920f1cc5bcf5e079ce080eb43a0..
> 7db69883e6c545fa410bac29325cd8fc036a2168 100644
> --- a/tools/tiffcrop.c
> +++ b/tools/tiffcrop.c
> @@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data
> *image,
>                      cropsize + NUM_BUFF_OVERSIZE_BYTES);
>              else
>              {
> -                prev_cropsize = seg_buffs[0].size;
> +                prev_cropsize = seg_buffs[i].size;
>                  if (prev_cropsize < cropsize)
>                  {
>                      next_buff = _TIFFrealloc(

It is bug 891839. For each security bug associated with a CVE, the CVE is added to the alias of the bug, so simply searching the CVE (or any alias) will get you to the bug. There's special cases like CVEs being tracked across multiple cases (those get tracker'd), but that gets you most of the way there.

Comment 12 John Helmert III 2023-05-11 04:35:38 UTC

CVE-2023-30086 (https://gitlab.com/libtiff/libtiff/-/issues/538):

Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of service via the tiffcp function in tiffcp.c.

Fixed in 4.5.0.

Comment 13 John Helmert III 2023-06-09 04:30:51 UTC

CVE-2023-30774 (https://gitlab.com/libtiff/libtiff/-/issues/463):

A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.

CVE-2023-30775 (https://gitlab.com/libtiff/libtiff/-/issues/464):

A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in extractContigSamples32bits, tiffcrop.c.

Patches in 4.5.0.