2118869 – (CVE-2022-2869) CVE-2022-2869 libtiff: tiffcrop.c has uint32_t underflow which leads to out of bounds read and write in extractContigSamples8bits()

Bug 2118869 (CVE-2022-2869) - CVE-2022-2869 libtiff: tiffcrop.c has uint32_t underflow which leads to out of bounds read and write in extractContigSamples8bits()

Summary: CVE-2022-2869 libtiff: tiffcrop.c has uint32_t underflow which leads to out o...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-2869
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2118871 2118872 2118873 2118874 2118875 2118876 2118877 2118878 2118879 2140590
Blocks:	2118841
TreeView+	depends on / blocked

Reported:	2022-08-16 23:59 UTC by Todd Cullum
Modified:	2023-01-14 10:00 UTC (History)
CC List:	8 users (show)
Fixed In Version:	libtiff 4.4.0rc1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in libtiff's tiffcrop tool that has a uint32_t underflow, which leads to an out-of-bounds read and write in the extractContigSamples8bits routine. This flaw allows an attacker who supplies a crafted file to tiffcrop to trick a user into opening the crafted file with tiffcrop, causing a crash or potential further exploitations.
Clone Of:
Environment:
Last Closed:	2023-01-14 10:00:35 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:0095	0	None	None	None	2023-01-12 09:17:23 UTC

Description Todd Cullum 2022-08-16 23:59:57 UTC

In libtiff's tiffcrop (tools/tiffcrop.c) utility, there is a uint32_t underflow that leads to an out-of-bounds read and write. A crafted file could trigger this flaw when certain command line arguments are also supplied.

References:
1. https://gitlab.com/libtiff/libtiff/-/issues/352
2. https://gitlab.com/libtiff/libtiff/-/merge_requests/294/diffs?commit_id=bcf28bb7f630f24fa47701a9907013f3548092cd

Comment 1 Todd Cullum 2022-08-17 00:04:02 UTC

Created iv tracking bugs for this issue:

Affects: fedora-35 [bug 2118872]
Affects: fedora-36 [bug 2118874]


Created libtiff tracking bugs for this issue:

Affects: fedora-35 [bug 2118871]
Affects: fedora-36 [bug 2118875]


Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-35 [bug 2118873]
Affects: fedora-36 [bug 2118876]

Comment 3 errata-xmlrpc 2023-01-12 09:17:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0095 https://access.redhat.com/errata/RHSA-2023:0095

Comment 4 Product Security DevOps Team 2023-01-14 10:00:33 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2869

Note You need to log in before you can comment on or make changes to this bug.