LibTIFF
cpe:2.3:a:libtiff:libtiff:*:*:*:*:*:*:*
- >= 4.7.0
A memory leak vulnerability has been identified in LibTIFF version 4.7.0, specifically within the TIFFCMP utility. This issue arises in the functions '_TIFFmallocExt', '_TIFFCheckRealloc', 'TIFFHashSetNew', and 'InitCCITTFax3', located in 'tools/tiffcmp.c'. The vulnerability leads to a significant memory leak when TIFFCMP processes malformed TIFF files, particularly those with invalid directory structures or tag configurations. The leak accumulates as the program fails to release memory allocated during TIFF header parsing and CCITT Fax initialization, eventually causing the program to terminate with a SIGBUS signal, indicating an illegal instruction error. This vulnerability is present in the latest master branch of LibTIFF and can be exploited locally.
Exploitation of this vulnerability causes a memory leak that the AddressSanitizer tool detects, leading to program termination with a SIGBUS signal, indicating an illegal instruction error.
The vulnerability can be reproduced by using the TIFFCMP utility to compare a crafted TIFF file that exploits the memory leak, such as one with an invalid directory structure or problematic tag values. This can be done by running the 'tiffcmp' command with the malicious TIFF file as an argument, while the tool is built with AddressSanitizer enabled.
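When triaging output from an AddressSanitizer build of tiffcmp, it is useful to confirm that a reported leak actually passes through the allocation functions named in this advisory. The following Python is an added example, not code from LibTIFF or from this advisory; the report text, addresses, sizes and paths are constructed, and the helper names parse_leaks and advisory_leak_bytes are hypothetical.

```python
import re

# Allocation-path functions named in the advisory text.
ADVISORY_FUNCS = ("_TIFFmallocExt", "_TIFFCheckRealloc", "TIFFHashSetNew", "InitCCITTFax3")
LEAK_RE = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\) allocated from:")
FRAME_RE = re.compile(r"^\s+#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)")

def parse_leaks(report):
    """Return one (kind, bytes, objects, [frame functions]) tuple per leak record."""
    leaks, current = [], None
    for line in report.splitlines():
        m, f = LEAK_RE.match(line), FRAME_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)), int(m.group(3)), [])
            leaks.append(current)
        elif f and current is not None:
            current[3].append(f.group(1))
        elif not line.strip():
            current = None  # a blank line ends the stack of the current record
    return leaks

def advisory_leak_bytes(report):
    """Bytes leaked per advisory function found in a leak's allocation stack."""
    totals = {}
    for _kind, nbytes, _objs, frames in parse_leaks(report):
        for func in ADVISORY_FUNCS:
            if func in frames:
                totals[func] = totals.get(func, 0) + nbytes
    return totals

# Constructed LeakSanitizer report; every value below is made up for the example.
SAMPLE_REPORT = """\
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1312 byte(s) in 1 object(s) allocated from:
    #0 0x4a1b2c in malloc (/opt/example/tiffcmp+0x4a1b2c)
    #1 0x4f0010 in _TIFFmallocExt (/opt/example/tiffcmp+0x4f0010)
    #2 0x4f3300 in TIFFHashSetNew (/opt/example/tiffcmp+0x4f3300)

Indirect leak of 96 byte(s) in 2 object(s) allocated from:
    #0 0x4a1d40 in realloc (/opt/example/tiffcmp+0x4a1d40)
    #1 0x4f0120 in _TIFFCheckRealloc (/opt/example/tiffcmp+0x4f0120)

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4a1b2c in malloc (/opt/example/tiffcmp+0x4a1b2c)
    #1 0x4c0000 in main (/opt/example/tiffcmp+0x4c0000)
"""

if __name__ == "__main__":
    print(advisory_leak_bytes(SAMPLE_REPORT))
```

A leak record is counted once for each advisory function in its stack, so the per-function totals can overlap and should not be summed.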
Users are advised to update to the patched version of LibTIFF, which is available on the official LibTIFF GitLab repository.