Date: Sat, 18 Mar 2017 18:42:51 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-3631 - libtiff 4.0.6 illegel read

On 04/ 8/16 12:12 AM, 张开翔 wrote:
> Details
> =======
>
> Product: libtiff
> Affected Versions: <= 4.0.6
> Vulnerability Type: Illegal read
> Vendor URL: http://www.libtiff.org/
> CVE ID: CVE-2016-3631
> Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
>
> Introduction
>
> An illegal read occurs in the cpStrips and cpTiles functions in thumbnail.c in thumbnail, which allows attackers to exploit this issue to cause denial-of-service.

While this CVE is not listed in the libtiff 4.0.7 release notes, that
version appears to resolve it via this release note item:
    'The libtiff tools rgb2ycbcr and thumbnail are only built in the build
     tree for testing.'

I still can't find a bug id specifically for this one in the libtiff bug
tracker, but for the similar CVE-2016-3634 this removal is listed as the
resolution in http://bugzilla.maptools.org/show_bug.cgi?id=2547 .

-- 
	-Alan Coopersmith-              alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - http://blogs.oracle.com/alanc
