Bug 2248662

Summary: A SEGV found in TIFFReadRGBATileExt
Product: Fedora
Reporter: promptfuzz
Component: libtiff
Assignee: Michal Hlavinka <mhlavink>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 40
CC: mhlavink, mmuzila, nforro, phracek, saroy
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: x86_64
OS: Linux
URL: https://gitlab.com/libtiff/libtiff/-/issues/622
Fixed In Version:
Last Closed: 2024-08-14 06:33:28 UTC

Description promptfuzz 2023-11-08 08:34:05 UTC
A segmentation fault (SEGV) issue found in TIFFReadRGBATileExt could be triggered by passing a crafted TIFF file.
The SEGV issue could possibly be converted to a heap-buffer-overflow issue.
Remote attackers could utilize this bug to cause denial of service or further exploitation.

This bug is fixed in commit: 51558511bdbbc

References:
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a

Reproducible: Always

Steps to Reproduce:
See in the url.
Actual Results:
==320426==ERROR: AddressSanitizer: SEGV on unknown address 0x611400002d38 (pc 0x555995f3ba30 bp 0x7fff67a7c2f0 sp 0x7fff67a7baa0 T0)
==320426==The signal is caused by a READ memory access.
    #0 0x555995f3ba30 in __sanitizer::internal_memmove(void*, void const*, unsigned long) /compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:64:14
    #1 0x555995ebbcef in __interceptor_memmove /compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:882:3
    #2 0x555995f82767 in TIFFReadRGBATileExt /libtiff/tif_getimage.c:3345:9
    #3 0x555995f62b7a in LLVMFuzzerTestOneInput /poc.cc:52:17
Expected Results:
no crash.

Comment 2 Fedora Admin user for bugzilla script actions 2024-01-29 12:11:51 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 3 Aoife Moloney 2024-02-15 23:03:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle.
Changing version to 40.

Comment 4 Michal Hlavinka 2024-08-14 06:33:28 UTC

*** This bug has been marked as a duplicate of bug 2260112 ***

Comment 5 Red Hat Bugzilla 2024-12-13 04:25:03 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days