A researcher is warning this week of three vulnerabilities, all of which can lead to remote code execution, in the LibTIFF library. The library provides the routines that many applications rely on to read and write TIFF image files.
While there has not been an official LibTIFF release that fixes the issues, users can get patches for two of the three vulnerabilities from the library's CVS repository.
Tyler Bohan, a senior research engineer with Cisco Talos, discussed details around all three of the vulnerabilities in a blog post on Tuesday.
The vulnerability that has not been fixed yet (CVE-2016-8331) stems from how TIFF images are parsed and handled through the LibTIFF API. One of the tags involved, 'BadFaxLines,' records how many lines of a fax page were received with errors. While TIFF, or Tagged Image File Format, is mostly used in the graphic arts industry, it also underpins how electronic fax systems store and process images. An attacker could exploit the API vulnerability with a specially crafted TIFF file that triggers an out-of-bounds memory access. From there, they could execute arbitrary code on the affected system.
The second vulnerability (CVE-2016-5875) also exists in an API used by LibTIFF, the PixarLogDecode API, which handles PixarLog-compressed TIFF images. To decompress that data, the library uses zlib, a general-purpose compression library. According to Bohan, the decoder can hand zlib's 'inflate' function an output buffer that is too small for the decompressed data, so inflate writes past the end of the allocation and causes a heap-based buffer overflow. That overflow can be manipulated and leveraged into remote code execution, Bohan warns.
Mathias Svensson, of Google's Security Team, dug up the PixarLogDecode vulnerability in June. It was fixed, at least in LibTIFF's CVS repository, that same month with a commit that is also visible in the project's GitHub mirror.
The last vulnerability (CVE-2016-5652) exists in tiff2pdf, a command-line tool that ships with LibTIFF. The problem lies in the way the tool calculates image tile sizes when it handles JPEG compression. As with the other two vulnerabilities, an attacker who supplies a specially crafted TIFF file could cause either an out-of-bounds write or a heap-based buffer overflow and turn that into code execution.
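The two bugs above share a root cause that is worth seeing in code: a decoder that sizes or fills an output buffer from numbers it read out of the file rather than from the allocation it actually made. The following C program is an added illustration, not LibTIFF's or Talos's code, and it does not reproduce either bug. It uses a toy run-length decoder in place of zlib, constructed sample streams, and hypothetical function names (tile_bytes_unchecked, tile_bytes_checked, load_tile) to show the two checks a hardened image decoder needs: overflow-safe arithmetic when computing a tile buffer size from 32-bit TIFF dimension fields, and a sink that refuses to write past the real capacity of the heap block, which is the same discipline a zlib caller applies by setting avail_out from the allocation rather than from the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative code, not LibTIFF's. TIFF tag values are 32-bit, so the size
 * arithmetic is done in uint32_t to show how crafted dimensions can wrap it. */

/* Naive sizing: wraps silently on crafted width/height and returns a tiny
 * (even zero) byte count for a tile that will later receive far more data. */
uint32_t tile_bytes_unchecked(uint32_t width, uint32_t height,
                              uint32_t samples, uint32_t bits_per_sample)
{
    uint32_t row_bytes = (width * samples * bits_per_sample + 7) / 8;
    return row_bytes * height;
}

/* Checked sizing: returns 1 and sets *out, or 0 if any field is zero or any
 * intermediate product overflows 32 bits. */
int tile_bytes_checked(uint32_t width, uint32_t height,
                       uint32_t samples, uint32_t bits_per_sample,
                       uint32_t *out)
{
    uint32_t row_bits, row_bytes, total;
    if (!width || !height || !samples || !bits_per_sample) return 0;
    if (__builtin_mul_overflow(width, samples, &row_bits)) return 0;
    if (__builtin_mul_overflow(row_bits, bits_per_sample, &row_bits)) return 0;
    if (row_bits > UINT32_MAX - 7) return 0;
    row_bytes = (row_bits + 7) / 8;
    if (__builtin_mul_overflow(row_bytes, height, &total)) return 0;
    *out = total;
    return 1;
}

/* Output sink with the same discipline as zlib's avail_out: cap is the real
 * size of the heap block, never a number taken from the file. */
struct outbuf { uint8_t *data; size_t cap; size_t len; };

/* Refuses any write that would run past the allocation. */
int outbuf_write(struct outbuf *ob, uint8_t value, size_t count)
{
    if (count > ob->cap - ob->len) return -1;
    memset(ob->data + ob->len, value, count);
    ob->len += count;
    return 0;
}

/* Toy run-length decoder standing in for the real decompressor: input is
 * (run, byte) pairs, so a short stream can expand far beyond what the header
 * promised, which is exactly the case a bounded sink has to survive. */
int rle_decode(const uint8_t *in, size_t in_len, struct outbuf *ob)
{
    for (size_t i = 0; i + 1 < in_len; i += 2)
        if (outbuf_write(ob, in[i + 1], in[i]) != 0) return -1;
    return 0;
}

/* Full flow: size the tile from header fields, allocate, decode into it.
 * Returns 0 on success, -1 if the header is rejected, -2 if the stream would
 * overrun the tile buffer. */
int load_tile(uint32_t width, uint32_t height, uint32_t samples,
              uint32_t bits_per_sample, const uint8_t *stream, size_t stream_len)
{
    uint32_t size;
    if (!tile_bytes_checked(width, height, samples, bits_per_sample, &size))
        return -1;
    struct outbuf ob = { malloc(size), size, 0 };
    if (!ob.data) return -1;
    int rc = rle_decode(stream, stream_len, &ob);
    free(ob.data);
    return rc == 0 ? 0 : -2;
}

/* Constructed sample streams: the first expands to exactly 16 bytes, the
 * second to 20, one row more than a 4x4 8-bit grayscale tile can hold. */
static const uint8_t good_stream[] = { 4, 0xAA, 12, 0xBB };
static const uint8_t overrun_stream[] = { 4, 0xAA, 16, 0xBB };

int main(void)
{
    printf("unchecked 65536x65536x4x8 -> %u bytes (wrapped)\n",
           tile_bytes_unchecked(65536, 65536, 4, 8));
    printf("checked   65536x65536x4x8 -> %s\n",
           load_tile(65536, 65536, 4, 8, good_stream, sizeof good_stream) == -1
               ? "rejected" : "accepted");
    printf("4x4 tile, 16-byte stream -> %d\n",
           load_tile(4, 4, 1, 8, good_stream, sizeof good_stream));
    printf("4x4 tile, 20-byte stream -> %d\n",
           load_tile(4, 4, 1, 8, overrun_stream, sizeof overrun_stream));
    return 0;
}
```

The unchecked sizing wraps 65536x65536x4x8 to zero bytes, so a decoder trusting it would allocate nothing and then write the whole tile into the heap; the checked version rejects the header before any allocation. The overrun stream shows the other half of the problem: even with a correctly sized buffer, a compressed payload can expand past it, so the only safe bound on the write loop is the allocation itself.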
The vulnerabilities exist in the most recent release of the library, version 4.0.6, released Sept. 25, 2015.
It is unclear when LibTIFF will address the issues with a new release, because ownership of the library has been somewhat nebulous of late. LibTIFF used to be hosted on libtiff.org, but that site has not been updated since 2003. In early September, the owner of remotesensing.org, which had been the primary LibTIFF page, walked away from the domain. libtiff.maptools.org, a mirror site, along with the project's GitHub repository, appear to be the most up-to-date sources of LibTIFF code.