Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Jun 2016 02:32:46 +0000
From: 张开翔 <zhangkaixiang@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2016-5316: libtiff 4.0.6  tif_pixarlog.c:  PixarLogCleanup()
 Segmentation fault


Details
=======

Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: illegel read
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-5316
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction
=======

Segmentation fault ocurrs in PixarLogCleanup() in tif_pixarlog.c when using rgb2ycbcr tool followed a crafted TIFF image. Attackers cound exploit this issue to cause denial-of-service.


Here is the stack info:
gdb –args ./rgb2ycbcr PixarLogCleanup.tif tmpout.tif
--- ---
Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x75757575) at malloc.c:2952
2952           if (chunk_is_mmapped (p))                       /* release mmapped memory. */
Missing separate debuginfos, use: dnf debuginfo-install libjpeg-turbo-1.4.1-2.fc23.i686 zlib-1.2.8-9.fc23.i686
(gdb) bt
#0  __GI___libc_free (mem=0x75757575) at malloc.c:2952
#1  0xb7df0a4c in zcfree () from /usr/lib/libz.so.1
#2  0xb7dedd3e in inflateEnd () from /usr/lib/libz.so.1
#3  0xb7f72044 in PixarLogCleanup (tif=0x804f148) at tif_pixarlog.c:1264
#4  0xb7ec29ae in TIFFReadDirectory (tif=0x804f148) at tif_dirread.c:3412
#5  0x0804942d in main (argc=3, argv=0xbffff3a4) at rgb2ycbcr.c:132


References:
[1] http://www.remotesensing.org/libtiff/

Thank you!
Best Regards,

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ