Date: Mon, 29 Jun 2009 16:34:07 +0200
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
Subject: CVE Request -- libtiff [was: Re: libtiff buffer
 underflow in LZWDecodeCompat]

Hello Steve,

  could you please allocate a new CVE id for this buffer underwrite

Thanks && regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

On Tue, 2009-06-23 at 17:14 -0600, Vincent Danen wrote:
> * [2009-06-21 17:14:24 -0700] Kees Cook wrote:
> >A crafted TIFF can crash libtiff in LZWDecodeCompat via underflow (different
> >from CVE-2008-2327).
> >
> >Based on discussions[1] and a quick analysis[2], I don't think this is
> >exploitable, but it does lead to crashes in any application using libtiff.
> >I've reported it upstream[3], with the attached patch.
> >
> >Has anyone else looked this over?
> >
> >-Kees
> >
> >[1]
> >[2]
> >[3]
> You saw that a new comment was posted to [3] that points to an earlier
> bug and a different patch, right?  Looks like it was just updated today,
> to point to this bug report from January:
> Also, that report seems to agree with your quick analysis:
> "However, the previous patch does appear to prevent a payload of more than one distinct byte,
> making this effectively useless as a code injection vector. Nonetheless, it
> still is effective at crashing applications that use LibTIFF."
> In fact, I think the reporter of that bug was one of the writers in the
> forum notes you're showing, particularly based on this comment
> where he indicates it isn't exploitable and that he filed a bug:
