Date: Tue, 25 Sep 2012 14:36:32 +0530
From: Huzaifa Sidhpurwala <huzaifas@...hat.com>
To: oss-security@...ts.openwall.com, Kurt Seifried <kseifried@...hat.com>
Subject: CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression

On 09/23/2012 08:29 AM, Solar Designer wrote:

> "libtiff 4.0.3 brings "various memory buffer access fixes". Does it fix
> more than CVE-2012-3401?"
> 
> to which I have no answer.  The change log does in fact mention
> "Various memory buffer access fixes." as the very first change listed
> for libtiff.  Perhaps someone should review code changes.
> 

I had a look at the libtiff-4.0.3 commit logs and found one issue which
seems to bring a possibility of a heap-based buffer overflow when using a
TIFF file with the PixarLog compression format.

More details at:
https://bugzilla.redhat.com/show_bug.cgi?id=860198

Though the memory overwrite outside the heap buffer is only a few bytes, one
cannot really rule out possible arbitrary code execution.

Can a CVE id please be assigned to the above flaw?

I found two other commits which seemed interesting, but I don't think
they could cause arbitrary code execution and I don't want to call
them security flaws.

1. OOB read crash in tif_packbits.c
2. Memory not properly initialised in tif_fax3.c. Again, this one was
partly fixed in 4.0.2 and completely fixed in 4.0.3.

If anyone else wants to investigate these in more detail, please be my
guest :)

Thanks!

-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
