Bug 2392784 (CVE-2025-9900)
| Summary: | CVE-2025-9900 libtiff: Libtiff Write-What-Where | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
|
| Bug Depends On: | 2423626, 2423627, 2423628, 2423629, 2423630, 2423631, 2423632, 2423633, 2423634 | ||
| Bug Blocks: | |||
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:17651 https://access.redhat.com/errata/RHSA-2025:17651

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:17675 https://access.redhat.com/errata/RHSA-2025:17675

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:17710 https://access.redhat.com/errata/RHSA-2025:17710

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:17740 https://access.redhat.com/errata/RHSA-2025:17740

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:17738 https://access.redhat.com/errata/RHSA-2025:17738

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:17739 https://access.redhat.com/errata/RHSA-2025:17739

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:19113 https://access.redhat.com/errata/RHSA-2025:19113

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:19156 https://access.redhat.com/errata/RHSA-2025:19156

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:19276 https://access.redhat.com/errata/RHSA-2025:19276

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:19906 https://access.redhat.com/errata/RHSA-2025:19906

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:19947 https://access.redhat.com/errata/RHSA-2025:19947

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:20956 https://access.redhat.com/errata/RHSA-2025:20956

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:20998 https://access.redhat.com/errata/RHSA-2025:20998

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:21061 https://access.redhat.com/errata/RHSA-2025:21061

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:21060 https://access.redhat.com/errata/RHSA-2025:21060

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:21062 https://access.redhat.com/errata/RHSA-2025:21062

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:21407 https://access.redhat.com/errata/RHSA-2025:21407

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:21506 https://access.redhat.com/errata/RHSA-2025:21506

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:21508 https://access.redhat.com/errata/RHSA-2025:21508

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:21507 https://access.redhat.com/errata/RHSA-2025:21507

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:0001 https://access.redhat.com/errata/RHSA-2026:0001

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:0078 https://access.redhat.com/errata/RHSA-2026:0078

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:0076 https://access.redhat.com/errata/RHSA-2026:0076

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:0077 https://access.redhat.com/errata/RHSA-2026:0077

Write-What-Where in libtiff via TIFFReadRGBAImageOriented

The vulnerability resides in the raster decoding logic of libtiff, specifically when processing paletted (indexed color) images with malformed metadata. The function TIFFReadRGBAImageOriented() computes a pointer offset into the raster buffer based on user-controlled image metadata:

    raster + (rheight - img.height) * rwidth

If the attacker supplies a very large value for img.height (e.g., 0xFFFF) and a valid rheight (e.g., 256), this computation results in a large positive offset, causing the raster pointer (cp) passed into functions like put8bitcmaptile() or put1bitbwtile() to point beyond the bounds of the allocated buffer. Inside those functions, memory writes occur like this:

    *cp++ = PALmap[*pp][0];

• The write address (cp) is attacker-controlled via the offset calculation from img.height.
• The value written (PALmap[*pp][0]) is also attacker-controlled:
  ◦ *pp is dereferenced from pixel data in the image file.
  ◦ PALmap is constructed from the image's color palette, which the attacker also controls.

This constitutes a write-what-where vulnerability with attacker control. Exploitation of a write-what-where primitive can lead to denial of service or code execution through supply of maliciously crafted files.
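
The offset arithmetic from the description, as an added example (not libtiff's code and not the upstream patch): it assumes 32-bit unsigned dimensions and uses the hypothetical helpers `raster_offset_unchecked` and `raster_offset_checked` to show how the description's sample values wrap to an out-of-bounds element offset and how a height check rejects them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The description's expression, evaluated in 32-bit unsigned arithmetic
 * (assumption: all dimensions are uint32_t). Nothing is validated, so
 * img_height > rheight wraps around instead of going negative. */
static uint32_t raster_offset_unchecked(uint32_t rwidth, uint32_t rheight,
                                        uint32_t img_height)
{
    return (rheight - img_height) * rwidth;
}

/* Hypothetical guard: computes the same offset only when the decoded image
 * fits inside the caller's raster. Returns 0 and stores the element offset
 * in *off, or returns -1 (leaving *off untouched) to reject the file. */
static int raster_offset_checked(uint32_t rwidth, uint32_t rheight,
                                 uint32_t img_height, size_t *off)
{
    if (rwidth == 0 || rheight == 0 || img_height == 0)
        return -1;
    if (img_height > rheight)                 /* subtraction would wrap */
        return -1;
    if ((size_t)rheight > SIZE_MAX / rwidth)  /* raster size would overflow */
        return -1;
    *off = (size_t)(rheight - img_height) * rwidth;
    return 0;
}

int main(void)
{
    size_t off = 0;

    /* Constructed values taken from the description: rheight 256,
     * img.height 0xFFFF; rwidth 256 is an assumed raster width. */
    printf("unchecked: offset %u elements, raster holds %u\n",
           (unsigned)raster_offset_unchecked(256, 256, 0xFFFF), 256u * 256u);
    printf("checked, oversized height: %d\n",
           raster_offset_checked(256, 256, 0xFFFF, &off));
    if (raster_offset_checked(256, 256, 100, &off) == 0)
        printf("checked, valid height: offset %zu\n", off);
    return 0;
}
```
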