Bug 2796 - tiff2pdf: Use-After-Free in t2p_writeproc function
Status: RESOLVED LATER
Product: libtiff
Component: default
Version: unspecified
Hardware/OS: PC Linux
Priority/Severity: P1 critical
Target Milestone: ---
Assigned To:
URL: https://bugzilla.redhat.com/show_bug....
Keywords: migrated_to_gitlab

Reported: 2018-05-10 23:13 by
Modified: 2019-10-01 14:21 (History)


Attachments
The vulnerability is triggered by ./tiff2pdf $FILE (3.11 KB, application/octet-stream)
2018-05-10 23:13, Hwiwon Lee

Description From 2018-05-10 23:13:11
Created an attachment (id=860)
The vulnerability is triggered by ./tiff2pdf $FILE

Description of problem:
In LibTIFF 4.0.9, there is a Use-After-Free (UAF) bug in the
t2p_writeproc function in tools/tiff2pdf.c. This UAF bug can
lead to harmful damage. For example, a crafted TIFF document can
trigger an out-of-bounds write in t2pWriteFile, an invalid free in
TIFFFreeDirectory, or memory corruption in t2p_writeproc. It probably could
cause arbitrary code execution.


Version-Release number of selected component (if applicable): LibTIFF 4.0.9


How reproducible: 
The vulnerability is triggered by ./tiff2pdf $FILE

Target OS: Ubuntu 16.04 32bit

Steps to Reproduce:
1. Build the LibTIFF 4.0.9 source code with ASAN(AddressSanitizer)
2. Run tiff2pdf with the attached PoC file
3. Crashed :^(

Actual results:
==48156==ERROR: AddressSanitizer: heap-use-after-free on address 0xf47024d0 at pc 0x080e3ebd bp 0xffa85548 sp 0xffa85120
READ of size 32 at 0xf47024d0 thread T0
    #0 0x80e3ebc in fwrite (/home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf+0x80e3ebc)
    #1 0x8165c8c in t2p_writeproc /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:405:21
    #2 0x8167fd3 in t2pWriteFile /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:379:10
    #3 0x8167fd3 in t2p_write_pdf_stream /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:3989
    #4 0x8167fd3 in t2p_write_pdf_transfer_stream /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:5017
    #5 0x8167fd3 in t2p_write_pdf /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:5497
    #6 0x81639fb in main /home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf.c:808:2
    #7 0xf74ab636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #8 0x8062d57 in _start (/home/zdi/dataset/libtiff-Release-v4-0-9/tools/tiff2pdf+0x8062d57)

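The trace ends in fwrite, called from the write callback, reading a heap block that had already been freed. The C program below is an added illustration of that defect shape and of the usual fix; it is not tiff2pdf's code and makes no claim about which buffer dangles in the real tool. struct dir, writer_borrow/writer_copy, sink_writeproc and fnv1a are hypothetical stand-ins: a directory owns a table, the converter either borrows or copies that table, the directory is torn down, and a write callback then emits the table.

```c
/* Added illustration, not libtiff code. Models the defect shape in this
 * report: a pointer into per-directory data is cached, the directory is torn
 * down, and the write callback reads freed memory. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TF_LEN 256
#define SEED   0x1000u

/* Stand-in for a TIFF directory that owns its tag payloads. */
struct dir { uint16_t *transfer; size_t len; };
struct dir *dir_open(unsigned seed) {
    struct dir *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->len = TF_LEN;
    d->transfer = malloc(d->len * sizeof *d->transfer);
    if (!d->transfer) { free(d); return NULL; }
    for (size_t i = 0; i < d->len; i++) d->transfer[i] = (uint16_t)(seed + i);
    return d;
}
/* Frees the payload: any cached d->transfer pointer now dangles. */
void dir_free(struct dir *d) { if (d) { free(d->transfer); free(d); } }

/* Converter state carried from the read phase into the write phase. */
struct writer { const uint16_t *table; size_t len; int owns; };

/* BUGGY: borrow the directory's buffer; valid only while d is alive. */
void writer_borrow(struct writer *w, const struct dir *d) {
    w->table = d->transfer; w->len = d->len; w->owns = 0;
}
/* FIXED: deep-copy at capture time so teardown of d cannot affect it. */
int writer_copy(struct writer *w, const struct dir *d) {
    uint16_t *c = malloc(d->len * sizeof *c);
    if (!c) return -1;
    memcpy(c, d->transfer, d->len * sizeof *c);
    w->table = c; w->len = d->len; w->owns = 1;
    return 0;
}
void writer_release(struct writer *w) {
    if (w->owns) free((void *)w->table);
    w->table = NULL; w->len = 0; w->owns = 0;
}

/* In-memory sink behind a write callback, standing in for a TIFFWriteProc
 * that fwrite()s to the output file. */
struct sink { unsigned char buf[4096]; size_t used; };
size_t sink_writeproc(void *handle, const void *data, size_t n) {
    struct sink *s = handle;
    if (n > sizeof s->buf - s->used) n = sizeof s->buf - s->used;
    memcpy(s->buf + s->used, data, n);
    s->used += n;
    return n;
}
/* The read of w->table is the use-after-free when w came from
 * writer_borrow and the directory has already been freed. */
size_t writer_emit(const struct writer *w, size_t (*wp)(void *, const void *, size_t), void *h) {
    return wp(h, w->table, w->len * sizeof *w->table);
}

uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
/* Checksum of the table bytes read straight out of a live directory. */
uint32_t reference_checksum(void) {
    struct dir *d = dir_open(SEED);
    if (!d) return 0;
    uint32_t h = fnv1a((const unsigned char *)d->transfer, d->len * sizeof *d->transfer);
    dir_free(d);
    return h;
}
/* Fixed flow: copy, tear the directory down (as stepping to the next
 * directory would), then emit. Output is byte-identical to the source. */
uint32_t run_fixed(void) {
    struct sink s = {{0}, 0}; struct writer w;
    struct dir *d = dir_open(SEED);
    if (!d || writer_copy(&w, d) != 0) { dir_free(d); return 0; }
    dir_free(d);
    writer_emit(&w, sink_writeproc, &s);
    writer_release(&w);
    return fnv1a(s.buf, s.used);
}
/* The reported shape: deliberately reads freed memory. Call it only from a
 * build with -fsanitize=address to watch ASan report it; never ship it. */
uint32_t run_borrow_after_free(void) {
    struct sink s = {{0}, 0}; struct writer w;
    struct dir *d = dir_open(SEED);
    if (!d) return 0;
    writer_borrow(&w, d);
    dir_free(d);                          /* payload freed here...  */
    writer_emit(&w, sink_writeproc, &s); /* ...and read here: UAF  */
    return fnv1a(s.buf, s.used);
}

int main(void) {
    printf("reference %08x fixed %08x\n", reference_checksum(), run_fixed());
    return 0;
}
```

Build it with cc -fsanitize=address -g and call run_borrow_after_free() from main to get a heap-use-after-free report of the same shape as the one above, with the write callback as the top frame; run_fixed() passes because writer_copy gave the writer its own buffer before dir_free ran, which is the ownership rule to check whenever a pointer obtained from one directory outlives a switch to another.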
------- Comment #1 From 2018-05-11 11:25:18 -------
Let me know if a CVE needs to be assigned to this. I'm unaware if libtiff
already has a process for assignment -- I do not want to duplicate anything.

Thank you.
------- Comment #2 From 2018-05-11 18:04:31 -------
(In reply to comment #1)
> Let me know if a CVE needs to be assigned to this. I'm unaware if libtiff
> already has a process for assignment -- I do not want to duplicate anything.
> 
> Thank you.

Yes, I want this bug to be assigned a CVE as "Hwiwon Lee@ADD"
------- Comment #3 From 2019-02-13 06:35:55 -------
With master ae0bed1fe530a82faf2e9ea1775109dbf301a971 I don't have a crash but the following:

[...]
tiff2pdf.c:4970:8: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior tiff2pdf.c:4970:8 in 
tiff2pdf.c:4971:8: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior tiff2pdf.c:4971:8 in 
[...]
tiff2pdf.c:5101:7: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior tiff2pdf.c:5101:7 in 
tiff2pdf.c:5102:7: runtime error: division by zero
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior tiff2pdf.c:5102:7 in 

https://gitlab.com/libtiff/libtiff/blob/master/tools/tiff2pdf.c#L4967
https://gitlab.com/libtiff/libtiff/blob/master/tools/tiff2pdf.c#L5098
------- Comment #4 From 2019-10-01 14:21:13 -------
Bugzilla is no longer used for tracking libtiff issues. Remaining open tickets,
such as this one, have been migrated to the libtiff GitLab instance at
https://gitlab.com/libtiff/libtiff/issues .

The migrated tickets have their summary prefixed with [BZ#XXXX] where XXXX is
the initial Bugzilla issue number.