Bug 1201723 - (CVE-2022-34266) VUL-0: CVE-2022-34266: tiff: invalid range may be passed as an argument to the memset() function
(CVE-2022-34266)
VUL-0: CVE-2022-34266: tiff: invalid range may be passed as an argument to th...
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/337783/
CVSSv3.1:SUSE:CVE-2022-34266:7.5:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-07-20 14:44 UTC by Gianluca Gabrielli
Modified: 2022-08-24 09:18 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
mvetter: needinfo? (rfrohl)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2022-07-20 14:44:25 UTC
The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows
attackers to cause a denial of service (application crash), a different
vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an
invalid range may be passed as an argument to the memset() function within
TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to
segfault after use of an uninitialized resource.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34266
https://alas.aws.amazon.com/AL2/ALAS-2022-1814.html
https://alas.aws.amazon.com/
Comment 1 Gianluca Gabrielli 2022-07-20 14:47:55 UTC
Please ignore the above description mentioning the CVE-2022-0562 which was solved via bsc#1195965. 

This issue is meant to track CVE-2022-34266 with the following description:

A flaw was found in libtiff-4.0.3-35.amzn2.0.1 as packaged on Amazon Linux 2. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault. Actors can use this issue to potentially cause a Denial of Service condition. (CVE-2022-34266)
Comment 2 Gianluca Gabrielli 2022-07-20 14:58:58 UTC
I think the fixing commit is eecb0712 [0].

[0] https://gitlab.com/libtiff/libtiff/-/commit/eecb0712f4c3a5b449f70c57988260a667ddbdef
Comment 3 Gianluca Gabrielli 2022-07-20 15:06:44 UTC
Affected packages:
 - SUSE:SLE-12:Update/tiff
 - SUSE:SLE-15:Update/tiff

Not affected:
 - SUSE:SLE-11:Update/tiff

Already fixed:
 - openSUSE:Factory/tiff
Comment 4 Michael Vetter 2022-08-01 07:49:14 UTC
> Affected packages:
> - SUSE:SLE-12:Update/tiff
> - SUSE:SLE-15:Update/tiff

Did you test this? Because:

(In reply to Gianluca Gabrielli from comment #2)
> I think the fixing commit is eecb0712 [0].
> 
> [0]
> https://gitlab.com/libtiff/libtiff/-/commit/
> eecb0712f4c3a5b449f70c57988260a667ddbdef

This commit is already backported in tiff-CVE-2022-0561.patch, which is present in both SLE12 and SLE15. At least they were added on 6th May. Did the version you tested include this?
Comment 5 Michael Vetter 2022-08-01 09:23:29 UTC
> A flaw was found in libtiff-4.0.3-35.amzn2.0.1 as packaged on Amazon Linux 2. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c.  This will cause TIFFFetchStripThing() to segfault.

This sounds to me exactly like the fix for bsc#1195964 / CVE-2022-0561. In commit https://gitlab.com/libtiff/libtiff/-/commit/eecb0712f4c3a5b449f70c57988260a667ddbdef they write:

> TIFFFetchStripThing(): avoid calling memcpy() with a null source pointer and size of zero (fixes #362)

And in issue 362 they write https://gitlab.com/libtiff/libtiff/-/issues/362#note_849306001 :

> This issue has assigned CVE-2022-0561 and CVE-2022-0562.

When looking for a reproducer I only found the one mentioned at https://gitlab.com/libtiff/libtiff/-/issues/362 and couldn't find any for CVE-2022-34266 specifically.

Are we sure CVE-2022-34266 is not a duplicate for CVE-2022-0561 or an Amazon specific thing?
Comment 6 Robert Frohl 2022-08-03 11:00:22 UTC
filled CVE-2022-34266 as duplicate of CVE-2022-0561 with mitre
Comment 7 Michael Vetter 2022-08-03 15:27:52 UTC
Fix is at https://build.suse.de/project/show/home:mvetter:tiff-CVE-2022-34526
Containing the fix for CVE-2022-34526 and the changelog entry/renaming of patch for the already fixed CVE-2022-34266/CVE-2022-0561

SLE11 SR#276971
SLE12 SR#276972
SLE15 SR#276973
Comment 9 Robert Frohl 2022-08-04 07:31:38 UTC
(In reply to Michael Vetter from comment #7)
> Fix is at https://build.suse.de/project/show/home:mvetter:tiff-CVE-2022-34526
> Containing the fix for CVE-2022-34526 and the changelog entry/renaming of
> patch for the already fixed CVE-2022-34266/CVE-2022-0561
> 
> SLE11 SR#276971
> SLE12 SR#276972
> SLE15 SR#276973

please do not rename until we get feedback from MITRE, what ever they decide to duplicate should not be used anymore. Maybe we are lucky and the re-name is not needed.