
#767 CVE-2024-7006: NULL pointer dereference in bundled libtiff (tif_dirread.c)

v1.0_(example)
open
5
10 hours ago
1 day ago
osdj
No

GraphicsMagick bundles libtiff 4.0.3 (from 2012) at tiff/libtiff/. This bundled copy contains a NULL pointer dereference vulnerability (CVE-2024-7006).

Vulnerable functions: TIFFReadDirectoryCheckOrder() and TIFFFetchNormalTag() in tiff/libtiff/tif_dirread.c.

GraphicsMagick's coders/tiff.c calls TIFFReadDirectory() which invokes the vulnerable code path, making this reachable through normal TIFF image processing:

gm convert crafted.tif /tmp/out.png

CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-7006
Type: NULL Pointer Dereference (CWE-476)
Affected File: tiff/libtiff/tif_dirread.c
Bundled Version: libtiff 4.0.3 (from 2012)
Impact: Denial of Service (crash) via crafted TIFF image

Upstream libtiff fix:
https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa24f8

Recommended fix: Update the bundled libtiff from 4.0.3 to a recent version (4.7+). The current bundled copy is 12+ years old and likely contains additional unfixed vulnerabilities.

Verification: Confirmed via Docker build that the vulnerable functions TIFFFetchNormalTag and TIFFReadDirectoryCheckOrder are present in the bundled tiff/libtiff/tif_dirread.c and are called by GraphicsMagick's coders/tiff.c through TIFFReadDirectory().

Discussion

  • osdj

    osdj - 1 day ago

    Owner is bfriesen (Bob Friesenhahn)

  • Bob Friesenhahn

    Bob Friesenhahn - 23 hours ago
    • labels: security, libtiff, crash, CVE --> security, libtiff, crash, CVE
    • assigned_to: Bob Friesenhahn
  • Bob Friesenhahn

    Bob Friesenhahn - 23 hours ago

    GraphicsMagick default/head provides source code for libtiff 4.7.1. The GraphicsMagick 1.3 branch (and release) is providing source code for libtiff 4.5.1 from 2023. How/where are you finding libtiff code from 2012?

    Regardless, even libtiff 4.7.1 (and the latest libtiff release) will be insufficient to correct all known security issues given the many security reports and fixes.

    • osdj

      osdj - 10 hours ago

      Thank you for your quick response, Bob.

      You are correct about the version discrepancy — my analysis was based on the GitHub mirror (github.com/GraphicsMagick/GraphicsMagick), which shows libtiff 4.0.3. I should have verified against the official Mercurial source.

      I've now checked the timeline:

      • CVE-2024-7006 was published 2024-08-12
      • libtiff 4.7.0 (released 2024-09-11) includes the fix
      • libtiff 4.5.1 (released 2023-06-10) does NOT include the fix

      So the default/head branch (libtiff 4.7.1) should be fixed for this specific CVE. However, the 1.3 release branch (libtiff 4.5.1) would still be affected, as it predates the fix by over a year.

      I appreciate your note that even 4.7.1 may not cover all known security issues. Thank you for maintaining GraphicsMagick.

      Best regards


      Last edit: osdj 10 hours ago
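A triage helper for the version question raised in this thread, added here as an example and not part of the ticket or of GraphicsMagick itself: it reads TIFFLIB_VERSION_STR from the bundled tiff/libtiff/tiffvers.h (the version header libtiff ships; the tiff/libtiff/ location is the one the ticket names) and compares it with 4.7.0, the first release the discussion identifies as carrying the fix. The sample headers it scans are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report whether a GraphicsMagick source tree bundles a libtiff
# that predates the CVE-2024-7006 fix. Assumes the bundled copy keeps libtiff's
# own tiffvers.h under tiff/libtiff/ (path named in the ticket).

FIXED_IN="4.7.0"   # first libtiff release carrying the fix, per the thread

# libtiff_version_from_header <tiffvers.h>: print the x.y.z from TIFFLIB_VERSION_STR
libtiff_version_from_header() {
    sed -n 's/.*TIFFLIB_VERSION_STR[^"]*"LIBTIFF, Version \([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: succeed when dotted version A is lower than B (missing parts count as 0)
version_lt() {
    a1=$(printf '%s' "$1" | cut -d. -f1); a2=$(printf '%s' "$1" | cut -d. -f2); a3=$(printf '%s' "$1" | cut -d. -f3)
    b1=$(printf '%s' "$2" | cut -d. -f1); b2=$(printf '%s' "$2" | cut -d. -f2); b3=$(printf '%s' "$2" | cut -d. -f3)
    a=$(( ${a1:-0} * 1000000 + ${a2:-0} * 1000 + ${a3:-0} ))
    b=$(( ${b1:-0} * 1000000 + ${b2:-0} * 1000 + ${b3:-0} ))
    [ "$a" -lt "$b" ]
}

# bundled_libtiff_status <source-tree-root>: print "affected <ver>", "fixed <ver>" or "unknown"
bundled_libtiff_status() {
    hdr="$1/tiff/libtiff/tiffvers.h"
    [ -f "$hdr" ] || { echo unknown; return 0; }
    v=$(libtiff_version_from_header "$hdr")
    [ -n "$v" ] || { echo unknown; return 0; }
    if version_lt "$v" "$FIXED_IN"; then echo "affected $v"; else echo "fixed $v"; fi
}

# Constructed sample trees (not real checkouts), one per version the thread mentions.
# The header text mirrors libtiff's real TIFFLIB_VERSION_STR layout.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
for ver in 4.0.3 4.5.1 4.7.1; do
    mkdir -p "$SAMPLE_DIR/$ver/tiff/libtiff"
    printf '#define TIFFLIB_VERSION_STR "LIBTIFF, Version %s\\nCopyright (c) 1988-1996 Sam Leffler"\n' \
        "$ver" > "$SAMPLE_DIR/$ver/tiff/libtiff/tiffvers.h"
done

for ver in 4.0.3 4.5.1 4.7.1; do
    printf 'tree bundling libtiff %s: %s\n' "$ver" "$(bundled_libtiff_status "$SAMPLE_DIR/$ver")"
done
```

Point it at a real checkout with `bundled_libtiff_status /path/to/GraphicsMagick`; the GitHub mirror and the Mercurial branches discussed above should then report differently.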
