List: oss-security
Subject: Re: [oss-security] CVE requests: LibTIFF
From: Tomas Hoger <thoger () redhat ! com>
Date: 2010-07-01 8:38:17
Message-ID: 20100701103817.10948d59 () redhat ! com
On Wed, 30 Jun 2010 14:58:58 -0400 Dan Rosenberg wrote:

> 1. OOB read in TIFFExtractData() leading to crash (no reference,
> originally disclosed by me in this thread, fixed upstream with release
> 3.9.4 and security fix backported by Ubuntu).

Not really a reference for the issue, but at least for the patch:
http://bugzilla.maptools.org/show_bug.cgi?id=2210

> 2. NULL pointer dereference due to invalid td_stripbytecount leading
> to crash (distinct from CVE-2010-2443). The upstream changelog entry
> for 3.9.4 reads:
>
> * libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error
> and avoid a crash if the input file is so broken that the strip
> offsets are not defined.

This changelog entry refers to td_stripoffset issue (aka CVE-2010-2443)
and it first appears in 3.9.3 changelog. td_stripbytecount case is not
yet fixed upstream as far as I can tell.

References for CVE-2010-2482:
https://bugs.launchpad.net/bugs/597246
https://bugzilla.redhat.com/show_bug.cgi?id=603024#c9
http://bugzilla.maptools.org/show_bug.cgi?id=1996#c12

> 3. OOB read in TIFFRGBAImageGet() leading to crash. Reference:
> https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605

http://bugzilla.maptools.org/show_bug.cgi?id=2216

--
Tomas Hoger / Red Hat Security Response Team