2118863 – (CVE-2022-2868) CVE-2022-2868 libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits()

Bug 2118863 (CVE-2022-2868) - CVE-2022-2868 libtiff: Invalid crop_width and/or crop_length could cause an out-of-bounds read in reverseSamples16bits()

Summary: CVE-2022-2868 libtiff: Invalid crop_width and/or crop_length could cause an o...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-2868
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2118864 2118865 2118866 2118867 2118868 2118880 2118881 2118882 2118883 2140591
Blocks:	2118841
TreeView+	depends on / blocked

Reported:	2022-08-16 23:47 UTC by Todd Cullum
Modified:	2023-09-14 09:52 UTC (History)
CC List:	8 users (show)
Fixed In Version:	libtiff 4.4.0rc1
Doc Type:	If docs needed, set a value
Doc Text:	An improper input validation flaw was found in libtiff's tiffcrop utility. This issue can lead to an out-of-bounds read and cause a crash if an attacker can supply a crafted file to tiffcrop.
Clone Of:
Environment:
Last Closed:	2023-01-14 09:30:36 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:0095	0	None	None	None	2023-01-12 09:17:20 UTC

Description Todd Cullum 2022-08-16 23:47:56 UTC

In libtiff's tiffcrop utility (tools/tiffcrop.c), a crafted file could supply an invalid crop_width and/or crop_length, and since these values were computed prior to the sanity check, invalid values could later cause out-of-bounds reads in reverseSamples16bits().

References:
1. https://gitlab.com/libtiff/libtiff/-/issues/335
2. https://gitlab.com/libtiff/libtiff/-/merge_requests/294/diffs?commit_id=b258ed69a485a9cfb299d9f060eb2a46c54e5903

Comment 1 Todd Cullum 2022-08-16 23:50:58 UTC

Created iv tracking bugs for this issue:

Affects: fedora-35 [bug 2118865]
Affects: fedora-36 [bug 2118866]


Created libtiff tracking bugs for this issue:

Affects: fedora-35 [bug 2118864]
Affects: fedora-36 [bug 2118867]


Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-36 [bug 2118868]

Comment 2 Todd Cullum 2022-08-17 00:05:02 UTC

Created mingw-libtiff tracking bugs for this issue:

Affects: fedora-35 [bug 2118880]

Comment 4 errata-xmlrpc 2023-01-12 09:17:18 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0095 https://access.redhat.com/errata/RHSA-2023:0095

Comment 5 Product Security DevOps Team 2023-01-14 09:30:34 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2868

Note You need to log in before you can comment on or make changes to this bug.