Bug 856478 (CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2953, CVE-2022-3570, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, CVE-2022-3627, CVE-2022-3970) - <media-libs/tiff-4.5.0: multiple vulnerabilities
Summary: <media-libs/tiff-4.5.0: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2953, CVE-2022-3570, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, CVE-2022-3627, CVE-2022-3970
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://gitlab.com/libtiff/libtiff/-/...
Whiteboard: B3 [glsa?]
Keywords: PullRequest
Depends on: qt-5.15.8-stable
Blocks:
Reported: 2022-07-05 04:06 UTC by John Helmert III
Modified: 2023-02-01 16:02 UTC

Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 04:06:43 UTC
CVE-2022-2056 (https://gitlab.com/libtiff/libtiff/-/issues/415):

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

CVE-2022-2057 (https://gitlab.com/libtiff/libtiff/-/issues/427):

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

CVE-2022-2058 (https://gitlab.com/libtiff/libtiff/-/issues/428):

Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.

Each has the same fix at URL. Appears unreleased.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 17:53:26 UTC
CVE-2022-2867 (https://bugzilla.redhat.com/show_bug.cgi?id=2118847):

libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.

Issue: https://gitlab.com/libtiff/libtiff/-/issues/352
Patch: https://gitlab.com/libtiff/libtiff/-/commit/bcf28bb7f630f24fa47701a9907013f3548092cd

CVE-2022-2868 (https://bugzilla.redhat.com/show_bug.cgi?id=2118863):

libtiff's tiffcrop utility has an improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop.

Issues: https://gitlab.com/libtiff/libtiff/-/issues/350
https://gitlab.com/libtiff/libtiff/-/issues/351
Patch: https://gitlab.com/libtiff/libtiff/-/commit/7d7bfa4416366ec64068ac389414241ed4730a54

CVE-2022-2869 (https://bugzilla.redhat.com/show_bug.cgi?id=2118869):

libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation.

Issue: https://gitlab.com/libtiff/libtiff/-/issues/335
Patch: https://gitlab.com/libtiff/libtiff/-/commit/b258ed69a485a9cfb299d9f060eb2a46c54e5903
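The two Red Hat entries above describe the same bug class: a `uint32_t` subtraction that wraps instead of going negative, so a "bytes remaining" count becomes enormous and a later read or write runs past the buffer. The following is an added, constructed illustration of that class and of the bounds check that prevents it; it is not libtiff code, and the function names, the 64-byte row buffer and the header values are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the uint32_t underflow bug class described for
 * CVE-2022-2867 / CVE-2022-2869. Not libtiff code: names and layout are
 * hypothetical, chosen only to show how an unsigned subtraction wraps and
 * how validating the operands first prevents it. */

/* Unchecked: "bytes left in the row" as row_len - consumed.
 * Unsigned subtraction cannot go negative; when consumed > row_len (both
 * values derived from file-controlled fields) the result wraps to a value
 * near UINT32_MAX, which a later copy loop would trust. */
uint32_t bytes_left_unchecked(uint32_t row_len, uint32_t consumed)
{
    return row_len - consumed;
}

/* Hardened: validate the relationship before subtracting.
 * Returns 0 and stores the count on success, -1 on inconsistent input. */
int bytes_left_checked(uint32_t row_len, uint32_t consumed, uint32_t *left)
{
    if (consumed > row_len)
        return -1;
    *left = row_len - consumed;
    return 0;
}

/* Copy the remaining sample bytes of a row into dst.
 * Returns the number of bytes copied, or -1 if the input is rejected.
 * Every length handed to memcpy is bounded by both the source row and the
 * destination capacity, so no wrapped value can reach the copy. */
long extract_row_tail(const uint8_t *row, uint32_t row_len, uint32_t consumed,
                      uint8_t *dst, size_t dst_len)
{
    uint32_t left;
    if (bytes_left_checked(row_len, consumed, &left) != 0)
        return -1;                 /* crafted header: consumed > row_len */
    if (left > dst_len)
        return -1;                 /* destination buffer too small */
    memcpy(dst, row + consumed, left);
    return (long)left;
}

int main(void)
{
    uint8_t row[64];               /* constructed 64-byte row buffer */
    uint8_t dst[64];
    for (size_t i = 0; i < sizeof row; i++)
        row[i] = (uint8_t)i;

    /* Consistent header: 16 bytes consumed, 48 remain. */
    printf("left (64,16) unchecked: %u\n", bytes_left_unchecked(64, 16));
    /* Crafted header claiming 80 bytes consumed from a 64-byte row:
     * the unchecked arithmetic reports ~4 billion bytes "remaining". */
    printf("left (64,80) unchecked: %u\n", bytes_left_unchecked(64, 80));
    printf("extract (64,80) hardened: %ld\n",
           extract_row_tail(row, 64, 80, dst, sizeof dst));
    printf("extract (64,16) hardened: %ld\n",
           extract_row_tail(row, 64, 16, dst, sizeof dst));
    return 0;
}
```

The hardened path rejects the inconsistent header outright rather than clamping, which is the safer choice for a file parser: a header whose fields contradict each other is malformed, and continuing with a "corrected" value only moves the inconsistency downstream.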
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-29 16:40:31 UTC
CVE-2022-2953 (https://gitlab.com/libtiff/libtiff/-/issues/414):

LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 48d6ece8.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/48d6ece8389b01129e7d357f0985c8f938ce3da3
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 02:01:54 UTC
CVE-2022-2519 (https://gitlab.com/libtiff/libtiff/-/issues/423):

There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1.

CVE-2022-2520 (https://gitlab.com/libtiff/libtiff/-/issues/424):

A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at tiffcrop.c:8621 that can cause program crash when reading a crafted input.

CVE-2022-2521 (https://gitlab.com/libtiff/libtiff/-/issues/422):

It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while processing crafted input.

All three patched by: https://gitlab.com/libtiff/libtiff/-/merge_requests/378
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-21 20:50:08 UTC
CVE-2022-3598 (https://gitlab.com/libtiff/libtiff/-/issues/435):

LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit cfbb883b.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff

CVE-2022-3599 (https://gitlab.com/libtiff/libtiff/-/issues/398):

LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit e8131125.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246

CVE-2022-3626 (https://gitlab.com/libtiff/libtiff/-/issues/426):

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047

CVE-2022-3627 (https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047):

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

Patch: https://gitlab.com/libtiff/libtiff/-/issues/411

CVE-2022-3570 (https://gitlab.com/libtiff/libtiff/-/issues/381, https://gitlab.com/libtiff/libtiff/-/issues/386):

Multiple heap buffer overflows in the tiffcrop.c utility in the libtiff library version 4.4.0 allow an attacker to trigger unsafe or out-of-bounds memory access via a crafted TIFF image file, which could result in an application crash, potential information disclosure or any other context-dependent impact.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094c

CVE-2022-3597 (https://gitlab.com/libtiff/libtiff/-/issues/413):

LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.

Patch: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047

All patched but all appear unreleased.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-16 17:08:03 UTC
CVE-2022-3970 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137):

A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to fix this issue. The identifier VDB-213549 was assigned to this vulnerability.

Patch (seems unreleased): https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be
Comment 6 Larry the Git Cow gentoo-dev 2022-12-10 04:10:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d63be024fb77b02effd31c92cd79e55013118447

commit d63be024fb77b02effd31c92cd79e55013118447
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-10 04:09:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-10 04:09:36 +0000

    media-libs/tiff: add 4.5.0_rc1 (unkeyworded)
    
    Bug: https://bugs.gentoo.org/856478
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/tiff/Manifest                           |  2 +
 .../tiff-4.5.0_rc1-skip-tools-tests-multilib.patch | 52 +++++++++++++
 media-libs/tiff/tiff-4.5.0_rc1.ebuild              | 89 ++++++++++++++++++++++
 3 files changed, 143 insertions(+)
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-01-23 07:46:34 UTC
How do we want to handle media-libs/tiff-compat here?
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-23 14:46:43 UTC
Hm. I suppose it's vulnerable just like media-libs/tiff?
Comment 9 Larry the Git Cow gentoo-dev 2023-01-24 16:12:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70d25ca63199f98c7f5bfb6d9f54023eec9048d1

commit 70d25ca63199f98c7f5bfb6d9f54023eec9048d1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-01-24 14:12:10 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-01-24 16:11:33 +0000

    media-libs/tiff: drop 4.4.0-r1, 4.4.0-r2
    
    Bug: https://bugs.gentoo.org/856478
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-libs/tiff/Manifest                           |   2 -
 .../files/tiff-4.4.0-hylafaxplus-regression.patch  |  34 -------
 .../files/tiff-4.4.0_rc1-skip-thumbnail-test.patch |  32 -------
 media-libs/tiff/tiff-4.4.0-r1.ebuild               |  97 --------------------
 media-libs/tiff/tiff-4.4.0-r2.ebuild               | 102 ---------------------
 5 files changed, 267 deletions(-)
Comment 10 Allen Webb 2023-02-01 16:02:28 UTC
I don't see https://nvd.nist.gov/vuln/detail/CVE-2022-48281 tracked here or in another bug and it affects 4.5.0. Should we start another bug for tiff CVEs?

Upstream libtiff doesn't have a tag newer than 4.5.0 yet, but the fix is fairly small:
https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5
diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
index 14fa18da7dbe6920f1cc5bcf5e079ce080eb43a0..7db69883e6c545fa410bac29325cd8fc036a2168 100644
--- a/tools/tiffcrop.c
+++ b/tools/tiffcrop.c
@@ -8591,7 +8591,7 @@ static int processCropSelections(struct image_data *image,
                     cropsize + NUM_BUFF_OVERSIZE_BYTES);
             else
             {
-                prev_cropsize = seg_buffs[0].size;
+                prev_cropsize = seg_buffs[i].size;
                 if (prev_cropsize < cropsize)
                 {
                     next_buff = _TIFFrealloc(
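Review bot: the one-line index fix is correct, but the reason deserves to be stated where the change is recorded: in the else branch the code measured `seg_buffs[0].size` while the loop is sizing buffer `i`, so whenever region 0's buffer was already at least `cropsize` the comparison `if (prev_cropsize < cropsize)` was false and the `_TIFFrealloc` for buffer `i` was skipped, leaving `seg_buffs[i]` smaller than the `cropsize` it was about to be used for; reading `seg_buffs[i].size` makes the comparison apply to the buffer actually being reused. A regression test that crops two or more regions of different sizes in a single run, the multi-region case that reaches this else branch, would keep the bug from coming back.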