Date: Sat, 18 Mar 2017 18:42:51 -0700 From: Alan Coopersmith <alan.coopersmith@...cle.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2016-3631 - libtiff 4.0.6 illegel read On 04/ 8/16 12:12 AM, 张开翔 wrote: > Details > ======= > > Product: libtiff > Affected Versions: <= 4.0.6 > Vulnerability Type: Illegel read > Vendor URL: http://www.libtiff.org/ > CVE ID: CVE-2016-3631 > Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360 > > Introduction > > Illegal read occurs in the cpStrips and cpTiles function in thumbnail.c in thumbnail allows attackers to exploit this issue to cause denial-of-service. While this CVE is not listed in the libtiff 4.0.7 release notes, that version appears to resolve it via this release note item: 'The libtiff tools rgb2ycbcr and thumbnail are only built in the build tree for testing.' I still can't find a bug id specifically for this one in the libtiff bug tracker, but for the similar CVE-2016-3634 this removal is listed as the resolution in http://bugzilla.maptools.org/show_bug.cgi?id=2547 . -- -Alan Coopersmith- alan.coopersmith@...cle.com Oracle Solaris Engineering - http://blogs.oracle.com/alanc
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ