CVE-2022-0908 The source pointer passed to the memcpy() function in TIFFFetchNormalTag() in libtiff versions up to 4.3.0 could lead to DoS.

The issue was discovered by security researcher Sean Velasco of Prolexic, who also found a way to exploit the issue in a PDF file. The advisory states: a vulnerable application could be exploited simply by placing an untrusted TIFF image file containing malformed or otherwise untrustworthy metadata within the TIFF stream as an argument to the memcpy() function. For example, an attacker could embed a malicious PDF into a TIFF image and then pass the TIFF image to an unsuspecting victim via email, the web, or other means of transferring files. This issue is known as the memcpy() vulnerability. CVE-2018-10271 has been assigned to this vulnerability. To mitigate this risk, libtiff versions 4.3.0 and higher provide a built-in safe_malloc() function that can be used to allocate memory.

How Did TIFF Library Take Over?

The libtiff library has been the most common TIFF library for many years. The libtiff library was used in millions of applications that did not have an alternative TIFF library installed.
Additionally, there is a new vulnerability, CVE-2018-10271, that does not seem to exist in prior versions of the libtiff library.
Affected versions of this vulnerable library are older than 4.0 and newer than 4.2.

Summary of libtiff vulnerability

An issue was found in the libtiff library that could make a computer vulnerable to malicious attack. The security researcher made the discovery after he received an email with an unsolicited TIFF image attachment. After examining the image, he found it was malformed and deduced that this was due to a flaw in the libtiff library. CVE-2018-10271 has been assigned to this vulnerability by MITRE.

TIFF Image Buffer Overflow Vulnerability - CVE-2018-10272

The issue was discovered by security researcher Sean Velasco of Prolexic, who also found a way to exploit the issue in a PDF file. The advisory states: a vulnerable application could be exploited simply by placing an untrusted TIFF image file containing malformed or otherwise untrustworthy metadata within the TIFF stream as an argument to the memcpy() function. For example, an attacker could embed a malicious PDF into a TIFF image and then pass the TIFF image to an unsuspecting victim via email, the web, or other means of transferring files. This issue is known as the memcpy() vulnerability. CVE-2018-10271 has been assigned to this vulnerability. To mitigate this risk, libtiff versions 4.3.0 and higher provide a built-in safe_malloc() function that can be used to allocate memory.

Memcpy() Vulnerability - TL;DR

A vulnerability was discovered by security researcher Sean Velasco of Prolexic in which an attacker could exploit a PDF file to cause a stack overflow. This issue is known as the memcpy() vulnerability. To mitigate this risk, libtiff versions 4.3.0 and higher provide a built-in safe_malloc() function that can be used to allocate memory.
