Date: Sat, 25 Mar 2017 15:11:02 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: libtiff: multiple heap-based buffer overflow

On Sunday 01 January 2017 16:48:02 Agostino Sarubbo wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow

> # tiffcp -i $FILE /tmp/foo
> ==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
> READ of size 78490 at 0x62500000e861 thread T0
>     #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23
This is CVE-2016-10268


> # tiffcp -i $FILE /tmp/foo
> ==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
> READ of size 512 at 0x60200000eef4 thread T0
>     #1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
This is CVE-2016-10269

> # tiffcp -i $FILE /tmp/foo
> ==15106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000edd8 at pc 0x7f33918c5de3 bp 0x7ffc5abe6ba0 sp 0x7ffc5abe6b98
> READ of size 8 at 0x60200000edd8 thread T0
>     #0 0x7f33918c5de2 in TIFFFillStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:523:22
This is CVE-2016-10270

> # tiffcrop -i $FILE /tmp/foo
> ==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548
> READ of size 1 at 0x7fd3b2e277f8 thread T0
>     #0 0x7fd3b7a762cb in _TIFFFax3fillruns /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13
This is CVE-2016-10271

> # tiffcrop -i $FILE /tmp/foo
> ==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
> WRITE of size 2048 at 0x62d00000a3fc thread T0
>     #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9
This is CVE-2016-10272



-- 
Agostino Sarubbo
Gentoo Linux Developer
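As an added example (not part of this thread or of libtiff), a small Python triage helper that parses AddressSanitizer excerpts like the ones quoted above and buckets them by bug class and crash site, the deduplication step that has to happen before each crash is tracked as a distinct defect the way the thread assigns one CVE per crash site. The regexes, function names and the third sample report (a constructed re-run of the first one) are assumptions made for this example.

```python
import re

# Constructed sample input: two excerpts quoted in the thread (CVE-2016-10268 and
# CVE-2016-10272) with wrapped lines rejoined, plus a constructed re-run of the first.
SAMPLE_REPORTS = """\
==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
READ of size 78490 at 0x62500000e861 thread T0
    #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
WRITE of size 2048 at 0x62d00000a3fc thread T0
    #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9
==31337==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500001f861 at pc 0x0000004531de bp 0x7ffd11115c30 sp 0x7ffd111153e0
READ of size 78490 at 0x62500001f861 thread T0
    #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23
"""

ASAN_HEADER = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<bug>[\w-]+) on address 0x[0-9a-f]+")
ASAN_ACCESS = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread T\d+")
ASAN_FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<file>\S+?):(?P<line>\d+)(?::\d+)?$")


def parse_asan_reports(text):
    """Return one dict per report (pid, bug, access, size, func, file, line),
    keeping only the first frame after the access line, as the thread quotes it."""
    reports, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := ASAN_HEADER.match(line):
            cur = {"pid": int(m["pid"]), "bug": m["bug"]}
        elif (m := ASAN_ACCESS.match(line)) and cur is not None:
            cur.update(access=m["access"], size=int(m["size"]))
        elif (m := ASAN_FRAME.match(line)) and cur is not None and "access" in cur:
            cur.update(func=m["func"], file=m["file"].rsplit("/", 1)[-1], line=int(m["line"]))
            reports.append(cur)
            cur = None  # report complete; ignore further frames until the next header
    return reports


def crash_key(report):
    # Bucketing key: bug class plus source location. pid and heap addresses
    # differ between runs and must not split one defect into several buckets.
    return (report["bug"], report["func"], report["file"], report["line"])


def bucket_by_crash_site(reports):
    """Group parsed reports so that each bucket is one candidate defect to track."""
    buckets = {}
    for r in reports:
        buckets.setdefault(crash_key(r), []).append(r)
    return buckets
```

Running `bucket_by_crash_site(parse_asan_reports(SAMPLE_REPORTS))` yields two buckets from three reports, since the constructed re-run collapses onto the `_tiffWriteProc` site.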
