Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 23 Jun 2010 14:01:14 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE requests: LibTIFF

In the past week, LibTIFF has released new versions upstream (3.9.3,
and soon after, 3.9.4) that address a number of potentially
security-relevant issues, some of which have not been assigned CVE
identifiers.  The following issues will crash (or worse) any
application linked against LibTIFF in the trivial case of viewing a
maliciously crafted image:

1.  Out-of-bounds read in TIFFExtractData() may result in application
crash (no reference, fixed upstream).  Reported by Dan Rosenberg.

2.  Out-of-bounds read in TIFFVGetField() may result in application
crash (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).
 The fix for this issue was combined with the fix for CVE-2010-2065,
but it appears to be a separate issue.  Reported by Sauli Pahlman.

3.  Memory corruption in TIFFRGBAImageGet() due to buffer overflow
(https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605).
Reported by Sauli Pahlman.


There is another series of issues that each lead to an application
crash, reported at https://bugzilla.redhat.com/show_bug.cgi?id=583081
by Nicolae Ghimbovschi.  However, these issues may require more user
assistance, such as running specific conversion tools to process TIFF
files, and as such may not need CVE identifiers.  I thought I'd
include them for completeness:

4.  http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage
fails when flipping vertically on 64-bit platforms")

5.  http://bugzilla.maptools.org/show_bug.cgi?id=2208 ("Bogus
ReferenceBlackWhite values can crash libtiff")

6.  http://bugzilla.maptools.org/show_bug.cgi?id=2209 ("Assertion
failure in OJPEGPostDecode") - this one is an assertion failure and
not a segfault, so it might not need a CVE.


Finally, to avoid confusion, the following more serious issues were
also fixed and have already received CVE identifiers:

7.  Integer overflows leading to heap overflow in Fax3SetupState().
Reported by Kevin Finisterre (CVE-2010-1411).

8.  Integer overflow in TIFFFillStrip() leading to heap overflow in
TIFFReadRawStrip1().  Reported by Sauli Pahlman (CVE-2010-2065).

9.  Stack overflow when processing SubjectDistance EXIF tags allows
arbitrary code execution.  Reported by Dan Rosenberg (CVE-2010-2067).

Thanks,
Dan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.