List:       oss-security
Subject:    Re: [oss-security] CVE requests: LibTIFF
From:       Tomas Hoger <thoger () redhat ! com>
Date:       2010-07-01 8:38:17
Message-ID: 20100701103817.10948d59 () redhat ! com

On Wed, 30 Jun 2010 14:58:58 -0400 Dan Rosenberg wrote:

> 1.  OOB read in TIFFExtractData() leading to crash (no reference,
> originally disclosed by me in this thread, fixed upstream with release
> 3.9.4 and security fix backported by Ubuntu).

Not really a reference for the issue, but at least for the patch:
http://bugzilla.maptools.org/show_bug.cgi?id=2210

> 2.  NULL pointer dereference due to invalid td_stripbytecount leading
> to crash (distinct from CVE-2010-2443).  The upstream changelog entry
> for 3.9.4 reads:
> 
> 	* libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error
>       and avoid a crash if the input file is so broken that the strip
> 	offsets are not defined.

This changelog entry refers to the td_stripoffset issue (aka
CVE-2010-2443) and it first appears in the 3.9.3 changelog.  The
td_stripbytecount case is not yet fixed upstream as far as I can tell.

References for CVE-2010-2482:
https://bugs.launchpad.net/bugs/597246
https://bugzilla.redhat.com/show_bug.cgi?id=603024#c9
http://bugzilla.maptools.org/show_bug.cgi?id=1996#c12  

> 3.  OOB read in TIFFRGBAImageGet() leading to crash.  Reference:
> https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605

http://bugzilla.maptools.org/show_bug.cgi?id=2216

-- 
Tomas Hoger / Red Hat Security Response Team