[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE requests: LibTIFF
From: Dan Rosenberg <dan.j.rosenberg () gmail ! com>
Date: 2010-06-24 13:16:20
Message-ID: AANLkTimibXfiFOLn6vjvEtx3ZBv_pznm-Ruw0v8rzTEH () mail ! gmail ! com
[Download RAW message or body]
Thanks for your help Tomas, it's hard to keep all these issues straight.
On Thu, Jun 24, 2010 at 3:03 AM, Tomas Hoger <thoger@redhat.com> wrote:
> On Wed, 23 Jun 2010 14:01:14 -0400 Dan Rosenberg wrote:
>
>> 1. Out-of-bounds read in TIFFExtractData() may result in application
>> crash (no reference, fixed upstream). Reported by Dan Rosenberg.
>
> Do you have any info on this? I don't see anything obviously related
> in changelog. TIFFExtractData itself and all its uses seem unchanged
> for years.
>
Revision 1.92.2.9 of libtiff/tif_dirread.c added code for ensuring
valid tag type information for each TIFF directory entry. Prior to
this fix, unknown tag types would result in an out-of-bounds array
index in TIFFExtractData() on any code path using this macro. Ubuntu
security backported this fix as debian/patches/fix-unknown-tags.patch
in their libtiff4 package.
>> 2. Out-of-bounds read in TIFFVGetField() may result in application
>> crash
>> (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).
>
> This is NULL deref. Another Sauli's test case shows that similar
> problem can occur with NULL td_stripbytecount few lines below
> td_stripoffset case addressed in upstream patch.
>
>> The fix for this issue was combined with the fix for CVE-2010-2065,
>> but it appears to be a separate issue. Reported by Sauli Pahlman.
>
> Right, not related to what CVE-2010-2065 was assigned to.
>
>> 3. Memory corruption in TIFFRGBAImageGet() due to buffer overflow
>> (https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605).
>> Reported by Sauli Pahlman.
>
> IIRC, Sauli's file only demonstrates OOB read. Upstream bug:
> http://bugzilla.maptools.org/show_bug.cgi?id=2216
>
Sorry, I misread your comment on the Launchpad post - by "buffer
over-read", I now understand that you meant that libtiff attempted to
read well past the boundaries of a buffer, resulting in an
out-of-bounds read and application crash. My mistake.
>> 4. http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage
>> fails when flipping vertically on 64-bit platforms")
>
> CVE-2010-2233 was assigned to this issue.
>
> --
> Tomas Hoger / Red Hat Security Response Team
>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic