Date: Sat, 18 Mar 2017 18:42:51 -0700
From: Alan Coopersmith <>
Subject: Re: CVE-2016-3631 - libtiff 4.0.6 illegel read

On 04/ 8/16 12:12 AM, 张开翔 wrote:
> Details
> =======
> Product: libtiff
> Affected Versions: <= 4.0.6
> Vulnerability Type: Illegal read
> Vendor URL:
> CVE ID: CVE-2016-3631
> Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360
> Introduction
> An illegal read occurs in the cpStrips and cpTiles functions in thumbnail.c in thumbnail, which allows attackers to exploit this issue to cause a denial of service.

While this CVE is not listed in the libtiff 4.0.7 release notes, that
version appears to resolve it via this release note item:
    'The libtiff tools rgb2ycbcr and thumbnail are only built in the build
     tree for testing.'

I still can't find a bug id specifically for this one in the libtiff bug
tracker, but for the similar CVE-2016-3634 this removal is listed as the
resolution in .

	-Alan Coopersmith-
	 Oracle Solaris Engineering -
