TIFF files may contain tags with a custom data type. When a TIFF file is opened, the custom tag may receive special handling, depending on its value. In some cases, an out-of-bounds value was used, which may lead to remote code execution.

In LibreOffice 5.3.3, TIFF images may be opened with malformed tags, which may lead to remote code execution.
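The check below is an added example, not LibreOffice code: it validates each tag's data type and declared length against the file size before the value is used, which is the kind of check whose absence leads to the out-of-bounds use described above. It assumes the standard TIFF 6.0 IFD layout; the names check_tiff_tags and build_sample are hypothetical, the sample file is constructed, and it does not model the ImageC87/C89/C90 structures named in the CVE entries.

```python
import struct

# Byte size of each field type defined by TIFF 6.0 (type code -> size).
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def check_tiff_tags(data: bytes) -> list[str]:
    """Return findings for first-IFD entries whose type or length cannot be trusted."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF header"]
    e = "<" if data[:2] == b"II" else ">"
    magic, ifd = struct.unpack_from(e + "HI", data, 2)
    if magic != 42 or ifd + 2 > len(data):
        return ["bad magic or IFD offset outside file"]
    (n,) = struct.unpack_from(e + "H", data, ifd)
    findings = []
    for i in range(n):
        pos = ifd + 2 + 12 * i
        if pos + 12 > len(data):
            findings.append(f"entry {i}: truncated IFD")
            break
        tag, typ, count, value = struct.unpack_from(e + "HHII", data, pos)
        size = TYPE_SIZE.get(typ)
        if size is None:
            # Custom or undefined data type: refuse to interpret the value.
            findings.append(f"tag {tag}: unknown type {typ}")
            continue
        nbytes = count * size
        # Values of up to 4 bytes are stored inline; larger ones live at offset `value`.
        if nbytes > 4 and value + nbytes > len(data):
            findings.append(
                f"tag {tag}: {nbytes} bytes at offset {value} exceeds file size {len(data)}")
    return findings

def build_sample() -> bytes:
    """Constructed little-endian TIFF with one valid and two malformed entries."""
    entries = [
        struct.pack("<HHII", 256, 3, 1, 100),         # ImageWidth, SHORT, inline: valid
        struct.pack("<HHII", 65000, 99, 1, 0),        # private tag with undefined type 99
        struct.pack("<HHII", 273, 4, 0x40000000, 8),  # StripOffsets with oversized count
    ]
    header = b"II" + struct.pack("<HI", 42, 8)
    return header + struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)

if __name__ == "__main__":
    for finding in check_tiff_tags(build_sample()):
        print(finding)
```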

CVE-2018-20801 LibreOffice before 5.3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF file, as demonstrated by a file containing an ImageC87 structure with an invalid length field.

CVE-2018-20802 LibreOffice before 5.3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF file, as demonstrated by a file containing an ImageC89 structure with an invalid length field.

CVE-2018-20803 LibreOffice before 5.3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF file, as demonstrated by a file containing an ImageC90 structure with an invalid length field.

CVE-2018-20804 LibreOffice before 5.3.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted T

LibreOffice and Apache OpenOffice

LibreOffice is a free, open-source office productivity suite.
Apache OpenOffice is an office productivity suite based on the OpenOffice software. The two suites share common code and features with minor differences in their user interfaces and feature sets.
After the 2016 Ubuntu 16.04 LTS release, the LibreOffice and Apache OpenOffice suites were updated to version 4.4 with many fixes from upstream projects like KDE Plasma Working Group or Qt which contained security vulnerabilities.

Fixed in LibreOffice 5.3.4

In LibreOffice 5.3.4, invalid TIFF tags were not handled correctly and caused an out-of-bounds error.

Timeline

Published on: 01/10/2022 14:12:00 UTC
Last modified on: 04/25/2022 16:45:00 UTC
