Bug 2313704 (CVE-2024-9029)
| Summary: | CVE-2024-9029 freeimage: Heap buffer overflow in tiff_read_iptc_profile | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the freeimage library. Processing a crafted image can cause a 1-byte heap buffer over-read in the read_iptc_profile function in Source/Metadata/IPTC.cpp, because the size of the IPTC profile is not validated before it is scanned. The over-read crashes the application linked against the library, resulting in a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2313705, 2313706, 2313707 | | |
| Bug Blocks: | | | |
While doing fuzzing with AFL++ & Sydr, I found a heap buffer overflow in read_iptc_profile:

```
==376632==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x000000730e1d bp 0x7fffffffda90 sp 0x7fffffffda88
READ of size 1 at 0x602000000091 thread T0
[Detaching after fork from child process 376675]
    #0 0x730e1c in read_iptc_profile /freeimage-svn/FreeImage/trunk/Source/Metadata/IPTC.cpp:74:7
    #1 0x654cae in tiff_read_iptc_profile(tiff*, FIBITMAP*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:790:10
    #2 0x654cae in ReadMetadata(FreeImageIO*, void*, tiff*, FIBITMAP*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:871:2
    #3 0x64e5a2 in Load(FreeImageIO*, void*, int, int, void*) /freeimage-svn/FreeImage/trunk/Source/FreeImage/PluginTIFF.cpp:2320:3
    #4 0x508deb in FreeImage_LoadFromHandle /freeimage-svn/FreeImage/trunk/Source/FreeImage/Plugin.cpp:386:24
    #5 0x4ff0bb in FreeImage_LoadFromMemory /freeimage-svn/FreeImage/trunk/Source/FreeImage/MemoryIO.cpp:88:10
    #6 0x4e0505 in LLVMFuzzerTestOneInput /load_from_memory_tiff_fuzzer.cc:35:26
    #7 0x4e00c4 in main /afl.cc:36:9
    #8 0x7ffff7a730b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x425fbd in _start (/load_from_memory_tiff_afl+0x425fbd)
```

In file /freeimage-svn/FreeImage/trunk/Source/Metadata/IPTC.cpp:74:

```
    71     // find start of the BIM portion of the binary data
    72     size_t offset = 0;
    73     while(offset < length - 1) {
--->74         if((profile[offset] == 0x1C) && (profile[offset+1] == 0x02))
    75             break;
    76         offset++;
    77     }
    78
    79     // for each tag
    80     while (offset < length) {
    81
    82         // identifies start of a tag
```
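The following is an added example, not FreeImage's code and not part of the reporter's comment. It reproduces the marker-scan loop quoted above as a standalone function next to a hardened version, and adds a bounds-checked walk over the IPTC datasets that follow the marker. The explanation it illustrates is an assumption drawn from the quoted lines: `length` is a `size_t`, so for an empty profile `length - 1` wraps to `SIZE_MAX` and the loop indexes past the declared size, which is what ASan reports as a 1-byte heap read. The dataset layout (0x1C, record number, dataset number, 2-byte big-endian size, data) is the IPTC IIM format; the function names and the sample byte strings are constructed for this example and are not taken from the bug or the library.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked scan, structurally the same as IPTC.cpp lines 72-77 in the
 * report. With length == 0, `length - 1` wraps to SIZE_MAX (size_t is
 * unsigned), so the loop runs and dereferences profile[0], profile[1], ...
 * although the caller declared zero bytes. Returns the marker offset, or
 * -1 if no 0x1C 0x02 marker was found before the (possibly wrapped) bound. */
static long find_bim_start_unchecked(const uint8_t *profile, size_t length) {
    size_t offset = 0;
    while (offset < length - 1) {
        if (profile[offset] == 0x1C && profile[offset + 1] == 0x02)
            return (long)offset;
        offset++;
    }
    return -1;
}

/* Hardened scan: reject profiles too short to hold the 2-byte marker before
 * touching any byte, and write the bound as offset + 1 < length so that no
 * subtraction on length can underflow. */
static long find_bim_start_checked(const uint8_t *profile, size_t length) {
    if (profile == NULL || length < 2)
        return -1;
    for (size_t offset = 0; offset + 1 < length; offset++) {
        if (profile[offset] == 0x1C && profile[offset + 1] == 0x02)
            return (long)offset;
    }
    return -1;
}

/* Walk the IIM datasets after the marker, checking every read against the
 * declared length. Assumed layout (IPTC IIM): 0x1C, record number, dataset
 * number, 2-byte big-endian size, then `size` bytes of data. Extended sizes
 * (high bit set) are rejected as unsupported here. Returns the number of
 * well-formed datasets, or -1 if the profile is empty, truncated or malformed. */
static int count_iptc_datasets(const uint8_t *profile, size_t length) {
    long start = find_bim_start_checked(profile, length);
    if (start < 0)
        return -1;
    size_t offset = (size_t)start;
    int count = 0;
    while (offset < length) {
        if (profile[offset] != 0x1C) {   /* not a dataset header: skip a byte */
            offset++;
            continue;
        }
        if (length - offset < 5)         /* header would run past the buffer */
            return -1;
        size_t size = ((size_t)profile[offset + 3] << 8) | profile[offset + 4];
        if (size & 0x8000)               /* extended-length dataset: not handled */
            return -1;
        offset += 5;
        if (size > length - offset)      /* data would run past the buffer */
            return -1;
        offset += size;
        count++;
    }
    return count;
}

/* Constructed sample: two junk bytes, then two record-2 datasets
 * (dataset 5 "Object Name" = "ab", dataset 120 "Caption" = "xyz"). */
static const uint8_t sample_profile[] = {
    0x00, 0x00,
    0x1C, 0x02, 0x05, 0x00, 0x02, 'a', 'b',
    0x1C, 0x02, 0x78, 0x00, 0x03, 'x', 'y', 'z',
};

/* Constructed backing store larger than the declared length, so the unchecked
 * scan can be run with length == 0 without undefined behaviour: every byte it
 * touches exists, but all of them lie beyond what the caller said was valid. */
static const uint8_t oversized_backing[4] = { 0x00, 0x1C, 0x02, 0x00 };

int main(void) {
    printf("unchecked, length 0: marker at %ld (read past declared size)\n",
           find_bim_start_unchecked(oversized_backing, 0));
    printf("checked,   length 0: %ld\n", find_bim_start_checked(oversized_backing, 0));
    printf("datasets in sample: %d\n",
           count_iptc_datasets(sample_profile, sizeof sample_profile));
    printf("datasets in sample truncated to 15 bytes: %d\n",
           count_iptc_datasets(sample_profile, 15));
    return 0;
}
```

Under ASan the unchecked scan on a real zero- or one-byte heap allocation is exactly the 1-byte READ in the report; the example keeps the backing array oversized only so it runs cleanly while still showing that the loop consulted bytes beyond `length`. The checked variant refuses anything shorter than the marker, and the dataset walk treats every size field as attacker-controlled, comparing it against the remaining bytes before advancing.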