CUPS and libcupsfilters Out-of-Bounds Read/Write Vulnerability in TIFF Processing

A vulnerability allowing out-of-bounds read and write operations has been identified in CUPS-Filters versions through 1.28.17 and in libcupsfilters versions 2.0.0 prior to 2.1.1. The issue arises in the 'imagetoraster' filter when processing TIFF files. The vulnerability is triggered by a mismatch between the allocated pixel buffer size and the size expected by the processing function, leading to unauthorized memory access. This flaw can be exploited by sending a print job with a specially crafted TIFF file and specific print options to manipulate the output format.

Impact

Exploitation of this vulnerability causes heap-buffer-overflows, which can lead to memory corruption.

Reproduction

The vulnerability can be reproduced by invoking the 'imagetoraster' filter with a crafted TIFF file that exploits the out-of-bounds memory access. This can be done by using the 'print-color-mode=monochrome' option to force a bytes-per-pixel value of 1, while the image is processed as if it had 3 bytes per pixel. The TIFF file must be prepared to include the necessary tags to trigger the vulnerability, such as setting the photometric interpretation to 'Separated' for CMYK images.

Remediation

Users can update to CUPS-Filters versions later than 1.28.17 or to libcupsfilters versions 2.1.1 or later.