Bug 2250332

Summary: libtiff: segmentation fault in TIFFReadRGBATileExt
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in LibTIFF. Under certain conditions, input can be manipulated to attempt access to restricted or invalid memory locations. A remote attacker could use a specially-crafted file to cause a denial of service or further compromise.
Last Closed: 2023-12-12 10:15:46 UTC
Bug Depends On: 2250335, 2250336
Bug Blocks: 2250319

Description Robb Gatica 2023-11-17 18:28:40 UTC
A segmentation fault (SEGV) issue found in TIFFReadRGBATileExt could be triggered by passing a crafted TIFF file.
The SEGV issue could possibly be converted to a heap-buffer-overflow issue.
Remote attackers could utilize this bug to cause denial of service or further exploitation.

This bug is fixed in commit: 51558511bdbbc

References:
https://gitlab.com/libtiff/libtiff/-/issues/622
https://gitlab.com/libtiff/libtiff/-/merge_requests/546
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a

Reproducible: Always

Steps to Reproduce:
See the URL.

Actual Results:
==320426==ERROR: AddressSanitizer: SEGV on unknown address 0x611400002d38 (pc 0x555995f3ba30 bp 0x7fff67a7c2f0 sp 0x7fff67a7baa0 T0)
==320426==The signal is caused by a READ memory access.
    #0 0x555995f3ba30 in __sanitizer::internal_memmove(void*, void const*, unsigned long) /compiler-rt/lib/sanitizer_common/sanitizer_libc.cpp:64:14
    #1 0x555995ebbcef in __interceptor_memmove /compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:882:3
    #2 0x555995f82767 in TIFFReadRGBATileExt /libtiff/tif_getimage.c:3345:9
    #3 0x555995f62b7a in LLVMFuzzerTestOneInput /poc.cc:52:17

Expected Results:
no crash.

Comment 1 Robb Gatica 2023-11-17 18:33:57 UTC
griffon --profile triage service products-contain-component libtiff
rhel-8 compat-libtiff3
rhel-8 libtiff
rhel-9 libtiff
rhel-br-8 libtiff
rhel-br-8 mingw-libtiff
rhel-br-9 libtiff
rhivos-1 libtiff

depcli -a libtiff
fedora-all/iv=new
fedora-all/libtiff=new
fedora-all/mingw-libtiff=new
fedora-all/tkimg=new
rhel-6/libtiff=new
rhel-7/compat-libtiff3=new
rhel-7/libtiff=new
rhel-8/compat-libtiff3=new
rhel-8/libtiff=new
rhel-9/libtiff=new
rhel-br-8/mingw-libtiff=new
rhivos-1/libtiff=new

Comment 2 Robb Gatica 2023-11-17 18:35:01 UTC
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 2250335]
Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-all [bug 2250336]

Comment 4 TEJ RATHI 2023-12-12 10:15:46 UTC

*** This bug has been marked as a duplicate of bug 2251344 ***