1217356 – (CVE-2023-6228) VUL-1: CVE-2023-6228: tiff: out of bounds read in cpStripToTile() in tiffcp utlitity

Bug 1217356 (CVE-2023-6228) - VUL-1: CVE-2023-6228: tiff: out of bounds read in cpStripToTile() in tiffcp utlitity

Summary: VUL-1: CVE-2023-6228: tiff: out of bounds read in cpStripToTile() in tiffcp u...

Status:	RESOLVED FIXED

Alias:	CVE-2023-6228

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assignee:	Michael Vetter
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/385714/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-6228:3.3:(AV:L...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-11-21 08:33 UTC by SMASH SMASH
Modified:	2023-11-23 15:00 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2023-11-21 08:33:12 UTC

An issue was found in the tiffcp utility distributed by the libtiff package. Processing a crafted TIFF file may cause a heap-based buffer overflow, resulting in an application crash.

References:
https://gitlab.com/libtiff/libtiff/-/issues/606
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6228

Comment 1 Carlos López 2023-11-21 08:36:39 UTC

Fix:
https://gitlab.com/libtiff/libtiff/-/commit/668d2c1a52fa48658bbf69615924b42b5a059f9e

Comment 2 Michael Vetter 2023-11-21 08:38:56 UTC

tiffcp got removed in tiff 4.6.0.

For earlier versions:
In the mentioned bug they say "without JPEG library, I can reproduce the issue. But with JPEG support enabled there is no segmentation fault.".

We have `BuildRequires:  libjpeg-devel`.

Comment 3 Carlos López 2023-11-21 09:04:43 UTC

(In reply to Michael Vetter from comment #2)
> tiffcp got removed in tiff 4.6.0.
> 
> For earlier versions:
> In the mentioned bug they say "without JPEG library, I can reproduce the
> issue. But with JPEG support enabled there is no segmentation fault.".
> 
> We have `BuildRequires:  libjpeg-devel`.

Thanks for checking. The proof of concept also did not reproduce for any codestreams, with the exception of SUSE:SLE-11:Update, which I did not manage to test because I could not get the package to build. Since we have jpeg support I'll track it as not affected as well.

Comment 4 Carlos López 2023-11-21 09:05:05 UTC

Nothing to do, closing.