CVE-2017-16232: ** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to...
7.5
Root Cause Analysis
CVE-2017-16232 alleges memory leaks in LibTIFF 4.0.8, specifically in tif_open.c, tif_lzw.c, and tif_aux.c. No commit patches (commit_infos) were provided for this analysis. However, the linked oss-security mailing list discussions, particularly the post at http://www.openwall.com/lists/oss-security/2017/11/01/3, include an AddressSanitizer (ASAN) trace. This trace details memory allocations within specific LibTIFF library functions that were reported as leaked when a proof-of-concept file was processed using the tiff2bw tool.
The CVE is scoped to the LibTIFF library itself, not the tiff2bw tool. The ASAN trace directly implicates TIFFClientOpen (in tif_open.c), LZWSetupDecode (in tif_lzw.c), and the memory utility functions _TIFFCheckRealloc and _TIFFCheckMalloc (in tif_aux.c) as the sources of these un-freed allocations. These functions would appear in a runtime profile during the memory allocation phase when the reported vulnerability is triggered.
The vulnerability's "DISPUTED" status, along with comments from a LibTIFF maintainer suggesting the issue might stem from the tiff2bw tool's memory management (or lack thereof, which is common for command-line utilities), makes definitive attribution complex without patches. However, the ASAN logs offer the most direct evidence available, pointing to these library functions as the allocators of the leaked memory. The confidence for these functions is marked as "medium" due to the disputed nature and the absence of commit patches, but the ASAN trace provides a strong indication of which library functions are involved in the reported memory consumption.
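The attribution problem described above comes down to a leak report naming the function that allocated a block, not the code that was responsible for releasing it. The following is an added example, not LibTIFF or tiff2bw code: lib_open, lib_setup_decode, lib_close, the tool_convert_* functions and the live_blocks counter are hypothetical stand-ins, and the counter takes the place of the leak checker.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-ins, not LibTIFF code. live_blocks counts unreleased blocks. */
static int live_blocks = 0;
static void *lib_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void lib_free(void *p) { if (p) { free(p); live_blocks--; } }
typedef struct { unsigned char *decode_state; } Handle;

/* Library side: all allocation sites live here, so a leak report names these. */
Handle *lib_open(void) {
    Handle *h = lib_malloc(sizeof *h);
    if (h) h->decode_state = NULL;
    return h;
}
int lib_setup_decode(Handle *h) {
    return (h->decode_state = lib_malloc(4096)) != NULL;
}
void lib_close(Handle *h) {          /* the only release path the library offers */
    if (h) { lib_free(h->decode_state); lib_free(h); }
}

/* Tool side: the error path returns without lib_close(). */
int tool_convert_leaky(int input_is_bad) {
    Handle *h = lib_open();
    if (!h || !lib_setup_decode(h)) { lib_close(h); return -1; }
    if (input_is_bad) return -1;     /* handle and decode state stay allocated */
    lib_close(h);
    return 0;
}
/* Same tool, closing the handle on every path. */
int tool_convert_fixed(int input_is_bad) {
    Handle *h = lib_open();
    int rc = (h && lib_setup_decode(h) && !input_is_bad) ? 0 : -1;
    lib_close(h);
    return rc;
}

/* Blocks still allocated after one run of the given tool function. */
int leaked_after(int (*tool)(int), int input_is_bad) {
    int before = live_blocks;
    tool(input_is_bad);
    return live_blocks - before;
}

int main(void) {
    printf("leaky tool: %d blocks\n", leaked_after(tool_convert_leaky, 1));
    printf("fixed tool: %d blocks\n", leaked_after(tool_convert_fixed, 1));
    return 0;
}
```

Both leaked blocks are allocated inside the library functions, yet the only change between the leaking and non-leaking runs is in the caller, which is why allocator frames alone cannot settle whether the library or the tool is at fault.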