Date: Wed, 15 Jun 2016 02:32:46 +0000 From: 张开翔 <zhangkaixiang@....cn> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2016-5316: libtiff 4.0.6 tif_pixarlog.c: PixarLogCleanup() Segmentation fault Details ======= Product: libtiff Affected Versions: <= 4.0.6 Vulnerability Type: illegel read Vendor URL: http://www.remotesensing.org/libtiff/ CVE ID: CVE-2016-5316 Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360 Introduction ======= Segmentation fault ocurrs in PixarLogCleanup() in tif_pixarlog.c when using rgb2ycbcr tool followed a crafted TIFF image. Attackers cound exploit this issue to cause denial-of-service. Here is the stack info: gdb –args ./rgb2ycbcr PixarLogCleanup.tif tmpout.tif --- --- Program received signal SIGSEGV, Segmentation fault. __GI___libc_free (mem=0x75757575) at malloc.c:2952 2952 if (chunk_is_mmapped (p)) /* release mmapped memory. */ Missing separate debuginfos, use: dnf debuginfo-install libjpeg-turbo-1.4.1-2.fc23.i686 zlib-1.2.8-9.fc23.i686 (gdb) bt #0 __GI___libc_free (mem=0x75757575) at malloc.c:2952 #1 0xb7df0a4c in zcfree () from /usr/lib/libz.so.1 #2 0xb7dedd3e in inflateEnd () from /usr/lib/libz.so.1 #3 0xb7f72044 in PixarLogCleanup (tif=0x804f148) at tif_pixarlog.c:1264 #4 0xb7ec29ae in TIFFReadDirectory (tif=0x804f148) at tif_dirread.c:3412 #5 0x0804942d in main (argc=3, argv=0xbffff3a4) at rgb2ycbcr.c:132 References:  http://www.remotesensing.org/libtiff/ Thank you! Best Regards,
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ