Write-What-Where in libtiff via TIFFReadRGBAImageOriented The vulnerability resides in the raster decoding logic of libtiff, specifically when processing paletted (indexed color) images with malformed metadata. The function TIFFReadRGBAImageOriented() computes a pointer offset into the raster buffer based on user-controlled image metadata: raster + (rheight - img.height) * rwidth If the attacker supplies a very large value for img.height (e.g., 0xFFFF) and a valid rheight (e.g., 256), this computation results in a large positive offset, causing the raster pointer (cp) passed into functions like put8bitcmaptile() or put1bitbwtile() to point beyond the bounds of the allocated buffer. Inside those functions, memory writes occur like this: *cp++ = PALmap[*pp][0]; • The write address (cp) is attacker-controlled via the offset calculation from img.height. • The value written (PALmap[*pp][0]) is also attacker-controlled: ◦ *pp is dereferenced from pixel data in the image file. ◦ PALmap is constructed from the image's color palette, which the attacker also controls. This constitutes a write-what-where vulnerability with a attacker control. Exploitation of a write-what-where primitive can lead to denial of service or code execution through supply of maliciously crafted files.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:17651 https://access.redhat.com/errata/RHSA-2025:17651
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:17675 https://access.redhat.com/errata/RHSA-2025:17675
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:17710 https://access.redhat.com/errata/RHSA-2025:17710
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:17740 https://access.redhat.com/errata/RHSA-2025:17740
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:17738 https://access.redhat.com/errata/RHSA-2025:17738
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:17739 https://access.redhat.com/errata/RHSA-2025:17739
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:19113 https://access.redhat.com/errata/RHSA-2025:19113
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:19156 https://access.redhat.com/errata/RHSA-2025:19156
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:19276 https://access.redhat.com/errata/RHSA-2025:19276
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:19906 https://access.redhat.com/errata/RHSA-2025:19906
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:19947 https://access.redhat.com/errata/RHSA-2025:19947
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:20956 https://access.redhat.com/errata/RHSA-2025:20956
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:20998 https://access.redhat.com/errata/RHSA-2025:20998
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:21061 https://access.redhat.com/errata/RHSA-2025:21061
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:21060 https://access.redhat.com/errata/RHSA-2025:21060
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:21062 https://access.redhat.com/errata/RHSA-2025:21062
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:21407 https://access.redhat.com/errata/RHSA-2025:21407
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:21506 https://access.redhat.com/errata/RHSA-2025:21506
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:21508 https://access.redhat.com/errata/RHSA-2025:21508
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:21507 https://access.redhat.com/errata/RHSA-2025:21507