Bug 1202466 – VUL-0: CVE-2022-2867: tiff: uint32_t underflow leads to out of bounds read and write in tiffcrop.c

Bug 1202466 - (CVE-2022-2867) VUL-0: CVE-2022-2867: tiff: uint32_t underflow leads to out of bounds read and write in tiffcrop.c

(CVE-2022-2867)
Summary:	VUL-0: CVE-2022-2867: tiff: uint32_t underflow leads to out of bounds read an...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/339971/
Whiteboard:	CVSSv3.1:SUSE:CVE-2022-2867:3.3:(AV:L...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-08-17 07:03 UTC by Hu
Modified:	2022-12-20 11:27 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
QA reproducer (323 bytes, image/tiff) 2022-08-17 07:04 UTC, Hu	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hu 2022-08-17 07:03:07 UTC

rh#2118847

In libtiff's tiffcrop utility, a uint32_t underflow results in an out-of-bounds read and write in extractContigSamples8bits and extractContigSamplesShifted32bits of tiffcrop.c.

References:
https://gitlab.com/libtiff/libtiff/-/issues/350
https://gitlab.com/libtiff/libtiff/-/issues/351
https://gitlab.com/libtiff/libtiff/-/merge_requests/294/diffs?commit_id=7d7bfa4416366ec64068ac389414241ed4730a54

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2118847
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2867

Comment 1 Hu 2022-08-17 07:04:41 UTC

Created attachment 860824 [details]
QA reproducer

tiffcrop -i -E b -Z 0:0,1:1 poc out

Should segfault on sle15, tiff 4.0.9

Comment 2 Hu 2022-08-17 07:05:01 UTC

Affected (segfaults with poc):
- SUSE:SLE-12:Update/tiff  4.0.9
- SUSE:SLE-15:Update/tiff  4.0.9

Not Affected (already contains fixing commits):
- openSUSE:Factory/tiff    4.4.0

Not Affected (does not contain tiffcrop.c):
- SUSE:SLE-11:Update/tiff  3.8.2

Comment 5 Michael Vetter 2022-10-17 13:03:33 UTC

SLE12: SR#282475
SLE15: SR#282476

Comment 7 Michael Vetter 2022-10-20 08:09:17 UTC

SRs accepted.

Comment 8 Swamp Workflow Management 2022-10-20 16:20:26 UTC

SUSE-SU-2022:3679-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1201723,1201971,1202026,1202466,1202467,1202468,1202968,1202971,1202973
CVE References: CVE-2022-0561,CVE-2022-2519,CVE-2022-2520,CVE-2022-2521,CVE-2022-2867,CVE-2022-2868,CVE-2022-2869,CVE-2022-34266,CVE-2022-34526
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    tiff-4.0.9-44.56.1
SUSE OpenStack Cloud 9 (src):    tiff-4.0.9-44.56.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    tiff-4.0.9-44.56.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    tiff-4.0.9-44.56.1
SUSE Linux Enterprise Server 12-SP5 (src):    tiff-4.0.9-44.56.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    tiff-4.0.9-44.56.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    tiff-4.0.9-44.56.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    tiff-4.0.9-44.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-10-21 16:23:16 UTC

SUSE-SU-2022:3690-1: An update that fixes 9 vulnerabilities is now available.

Category: security (important)
Bug References: 1201723,1201971,1202026,1202466,1202467,1202468,1202968,1202971,1202973
CVE References: CVE-2022-0561,CVE-2022-2519,CVE-2022-2520,CVE-2022-2521,CVE-2022-2867,CVE-2022-2868,CVE-2022-2869,CVE-2022-34266,CVE-2022-34526
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    tiff-4.0.9-150000.45.16.1
openSUSE Leap 15.4 (src):    tiff-4.0.9-150000.45.16.1
openSUSE Leap 15.3 (src):    tiff-4.0.9-150000.45.16.1
SUSE Manager Server 4.1 (src):    tiff-4.0.9-150000.45.16.1
SUSE Manager Retail Branch Server 4.1 (src):    tiff-4.0.9-150000.45.16.1
SUSE Manager Proxy 4.1 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server for SAP 15 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Server 15-LTSS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Micro 5.3 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise Micro 5.2 (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    tiff-4.0.9-150000.45.16.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    tiff-4.0.9-150000.45.16.1
SUSE Enterprise Storage 7 (src):    tiff-4.0.9-150000.45.16.1
SUSE Enterprise Storage 6 (src):    tiff-4.0.9-150000.45.16.1
SUSE CaaS Platform 4.0 (src):    tiff-4.0.9-150000.45.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Hu 2022-12-20 11:27:49 UTC

done