Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Jun 2016 02:31:43 +0000
From: 张开翔 <zhangkaixiang@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-5315: libtiff 4.0.6 tif_dir.c: setByteArray() Read access
 violation

Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegel read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5315
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======

Read access violation occurred in function setByteArray in tif_dir.c, which allows attackers to result in DoS via a crafted TIFF image.


Here is the stack info:
gdb --args $tool/rgb2ycbcr id31.tif tmpout.tif
--- ---
(gdb) bt
#0  _int_malloc (av=av@...ry=0xb7d91780 <main_arena>, bytes=bytes@...ry=29) at malloc.c:3728
#1  0xb7c3f44f in __GI___libc_malloc (bytes=29) at malloc.c:2914
#2  0xb7faa875 in _TIFFmalloc (s=29) at tif_unix.c:316
#3  0xb7e88d2d in setByteArray (elem_size=1, nmemb=<optimized out>, vp=0xbfffeab0, vpp=<optimized out>) at tif_dir.c:51
#4  _TIFFVSetField (tif=0x804e008, tag=270, ap=<optimized out>) at tif_dir.c:539
#5  0xb7e89fab in TIFFVSetField (tif=0x804e008, tag=270, ap=0xbfffea48 "\260\352\377\277\370\363\004\b") at tif_dir.c:820
#6  0xb7e8a094 in TIFFSetField (tif=0x804e008, tag=270) at tif_dir.c:764
#7  0x0804aa04 in tiffcvt (in=in@...ry=0x804f148, out=out@...ry=0x804e008) at rgb2ycbcr.c:339
(gdb) i r $ebx
ebx            0x86868686        -2038004090



References:
[1] http://www.remotesensing.org/libtiff/

Thank you!
Best Regards,

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ