Bug 2118847 (CVE-2022-2867)

Summary: CVE-2022-2867 libtiff: uint32_t underflow leads to out of bounds read and write in tiffcrop.c
Product: [Other] Security Response Reporter: Todd Cullum <tcullum>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: erik-fedora, mike, mmuzila, neuro-sig, nforro, phracek, rh-spice-bugs, sanjay.ankur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: libtiff 4.4.0rc1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libtiff's tiffcrop utility that has a uint32_t underflow that can lead to an out-of-bounds read and write. This flaw allows an attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters)to cause a crash or, in some cases, further exploitation.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-14 09:00:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2118850, 2118851, 2118852, 2118853, 2118854, 2118855, 2118856, 2118857, 2118858, 2140589    
Bug Blocks: 2118841    

Description Todd Cullum 2022-08-16 23:11:21 UTC
In libtiff's tiffcrop utility, a uint32_t underflow results in an out-of-bounds read and write in extractContigSamples8bits and extractContigSamplesShifted32bits of tiffcrop.c.


Comment 1 Todd Cullum 2022-08-16 23:26:20 UTC
Created iv tracking bugs for this issue:

Affects: fedora-35 [bug 2118851]
Affects: fedora-36 [bug 2118853]

Created libtiff tracking bugs for this issue:

Affects: fedora-35 [bug 2118850]
Affects: fedora-36 [bug 2118854]

Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-35 [bug 2118852]
Affects: fedora-36 [bug 2118855]

Comment 3 errata-xmlrpc 2023-01-12 09:17:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0095 https://access.redhat.com/errata/RHSA-2023:0095

Comment 4 Product Security DevOps Team 2023-01-14 09:00:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):