- Type: hidden command
- Affected versions: none (synthetic backdoor)
When this version of libtiff reads a file, if the offset of the first IFD (Image File Directory)
is 42, all the unused space between the header and the IFD is passed to a system() call.
We can use a valid .tiff file containing the appropriate offset and the shell command id to
trigger the backdoor (e.g., with the backdoored version):
$ ./backdoored/tiff_read_rgba_fuzzer < backdoor-trigger.tiff
uid=0(root) gid=0(root) groups=0(root)