LibTIFF
cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*
- <= 4.7.0
A heap-use-after-free vulnerability has been identified in LibTIFF versions through 4.7.0. This critical issue occurs in the 'tiffmedian' tool, specifically within the 'get_histogram' function of 'tools/tiffmedian.c'. The vulnerability is triggered when the tool processes a malformed TIFF file, leading to memory being accessed after it has been freed, which can cause a program crash or potentially allow for arbitrary code execution. This vulnerability requires local access to exploit.
Triggering this vulnerability produces a heap-use-after-free condition, which can lead to memory corruption. In this case the issue was confirmed with AddressSanitizer, which reported a heap-use-after-free error while the 'tiffmedian' tool processed a crafted TIFF file.
The vulnerability can be reproduced by cloning the LibTIFF repository, checking out the 'tiffmedian-707' branch, and building the library with the AFL++ compiler with AddressSanitizer enabled. Running the 'tiffmedian' tool on the proof-of-concept TIFF file then produces an AddressSanitizer report identifying the use-after-free, confirming that the vulnerability has been triggered.
Users are advised to update to LibTIFF version 4.7.1 or later, where this vulnerability has been fixed.
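The following script is an added example for this advisory, not code from the LibTIFF project or from the original report. It covers two checks a defender would want: whether an installed LibTIFF build falls in the affected range (through 4.7.0, fixed in 4.7.1) based on the banner that LibTIFF's TIFFGetVersion() returns, and whether an AddressSanitizer report from a fuzzing or CI run matches the pattern described above (heap-use-after-free with 'get_histogram' in 'tools/tiffmedian.c' as the faulting frame). The sample ASan report embedded below is constructed for illustration; its addresses, process id, and source line number are invented.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Affected range from the advisory: all versions through 4.7.0; 4.7.1 carries the fix.
LAST_AFFECTED = (4, 7, 0)
FIRST_FIXED = (4, 7, 1)

# TIFFGetVersion() returns a banner beginning "LIBTIFF, Version x.y.z"; the
# tiffinfo/tiffmedian usage text prints the same string.
_BANNER_RE = re.compile(r"LIBTIFF, Version (\d+)\.(\d+)\.(\d+)")


def parse_libtiff_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a LibTIFF version banner, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version is within the range the advisory lists as vulnerable."""
    return version <= LAST_AFFECTED


class AsanFinding(NamedTuple):
    error_kind: str   # e.g. "heap-use-after-free"
    access: str       # e.g. "READ of size 4"
    top_frame: str    # function name of frame #0 of the faulting stack
    location: str     # file:line[:col] of that frame


_ERR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([a-z-]+) on address")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)")
_FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (\S+)")


def triage_asan_report(text: str) -> Optional[AsanFinding]:
    """Pull the error kind, access type and faulting frame #0 out of an ASan report.

    Only the first stack (the faulting access) is read; the "freed by" and
    "previously allocated by" stacks that follow are ignored.
    """
    kind = access = frame = loc = None
    for line in text.splitlines():
        if kind is None:
            m = _ERR_RE.search(line)
            if m:
                kind = m.group(1)
            continue
        if access is None:
            m = _ACCESS_RE.match(line.strip())
            if m:
                access = f"{m.group(1)} of size {m.group(2)}"
            continue
        m = _FRAME_RE.match(line)
        if m and m.group(1) == "0":
            frame, loc = m.group(2), m.group(3)
            break
    if kind is None or frame is None:
        return None
    return AsanFinding(kind, access or "", frame, loc or "")


def matches_advisory(finding: AsanFinding) -> bool:
    """True when the finding has the signature described in this advisory."""
    return (finding.error_kind == "heap-use-after-free"
            and finding.top_frame == "get_histogram"
            and "tiffmedian.c" in finding.location)


# Constructed sample ASan report (pid, addresses and line number are invented).
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000110 at pc 0x0000004f1a2b bp 0x7ffd1c0 sp 0x7ffd1b8
READ of size 4 at 0x602000000110 thread T0
    #0 0x4f1a2b in get_histogram tools/tiffmedian.c:123:17
    #1 0x4f0c3d in main tools/tiffmedian.c:300:5
0x602000000110 is located 0 bytes inside of 16-byte region [0x602000000110,0x602000000120)
freed by thread T0 here:
    #0 0x49e2f0 in free (/usr/lib/libasan.so+0x9e2f0)
"""

if __name__ == "__main__":
    v = parse_libtiff_version("LIBTIFF, Version 4.7.0\nCopyright (c) 1988-1996 Sam Leffler")
    print("installed:", v, "affected:", v is not None and is_affected(v))
    f = triage_asan_report(SAMPLE_REPORT)
    print(f, "matches advisory:", f is not None and matches_advisory(f))
```

In practice the version banner would come from running the installed `tiffinfo` with no arguments (it prints the usage text, which includes the TIFFGetVersion() string) and the report text from the stderr of an ASan-instrumented run; both functions take the text as a string so they can be wired into whichever inventory or fuzzing pipeline is in use.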