Pierluigi Paganini October 28, 2016

Libtiff library is affected by three vulnerabilities but unfortunately one of them, tracked as CVE-2016-8331, is still unpatched.

Libtiff is a library for reading and writing Tagged Image File Format (abbreviated TIFF) files and according to the experts from CISCO Talos it is affected by three vulnerabilities. The bugs could be exploited by hackers to hack a system by using booby-trapped images. The bad news is that only two of three vulnerabilities have been fixed.

The vulnerabilities affect the latest version 4.0.6, released in September.

1. CVE-2016-5652 (TALOS-2016-0187) – LibTIFF tiff2pdf JPEG Compression Tables Heap Buffer Overflow
2. CVE-2016-8331 (TALOS-2016-0190) – LibTIFF FAX IFD Entry Parsing Type Confusion
3. CVE-2016-5875 (TALOS-2016-0205) – LibTIFF PixarLogDecode Heap Buffer Overflow

The Talos post says the company found the bugs in LibTiff – 4.0.6, released in September.

The LibTIFF FAX IFD Entry Parsing Type Confusion affects the LibTIFF code called BadFaxLines specific for fax systems, it could be exploited by using a specifically crafted image that triggers an out of bounds memory error, leading to remote code execution. This vulnerability is still unpatched.

“CVE-2016-8331 occurs during the parsing and handling of TIFF images using the LibTIFF API that is present in the standard build. RFC 2306 defines a series fields used within the TIFF format for use specifically in fax systems which are fully supported by the LibTIFF library.” states the analysis published by CISCO Talos. “The vulnerability exists in the handling of one of these fields, `BadFaxLines`, that can result in a write to out of bounds memory. Attackers can create a specially crafted TIFF file to exploit this vulnerability and execute arbitrary code on affected systems.”

The CVE-2016-5652 is a heap buffer overflow that resides in the Tiff2PDF tool. Attackers can exploit it by using a crafted file that can lead the library crashing.

CVE-2016-5875 is a heap buffer overflow that resides in the way compressed TIFF images in LibTIFF’s PixarLogDecode API are handled.

“To decompress the PixarLog compressed data inside of a TIFF image, LibTIFF uses the Zlib compression library. First, a buffer with the parameters needed to be passed to Zlib are set up with a function call to `PixarLogSetupDecode`. Later this buffer is used when calling the Zlib library function `inflate` which is responsible for the actual decompression. Passing an undersized buffer into the Zlib `inflate` function causes a heap overflow that could be potentially leveraged into remote code execution.” 

The vulnerability was reported by Mathias Svensson, of Google’s Security Team, meanwhile the researcher Evan Rouault of SpatialSys published a fix on GitHub.

that is used to manage JPEG compression for TIFF images. The flaw was reported by the Google’s Security Team, Mathias Svensson. The researcher Evan Rouault of SpatialSys published a fix for the flaw and published the code on GitHub.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – LibTIFF, hacking)