Date: Sat, 25 Mar 2017 15:11:02 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: libtiff: multiple heap-based buffer overflow

On Sunday 01 January 2017 16:48:02 Agostino Sarubbo wrote:
> Permalink:
> https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow

> # tiffcp -i $FILE /tmp/foo
> ==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
> READ of size 78490 at 0x62500000e861 thread T0
>     #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23
This is CVE-2016-10268


> # tiffcp -i $FILE /tmp/foo
> ==10398==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000eef4 at pc 0x0000004bc235 bp 0x7fff3ebfa700 sp 0x7fff3ebf9eb0
> READ of size 512 at 0x60200000eef4 thread T0
>      #1 0x7fcaf590cf0d in _TIFFmemcpy /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2
This is CVE-2016-10269

> # tiffcp -i $FILE /tmp/foo
> ==15106==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x60200000edd8 at pc 0x7f33918c5de3 bp 0x7ffc5abe6ba0 sp 0x7ffc5abe6b98
> READ of size 8 at 0x60200000edd8 thread T0
>     #0 0x7f33918c5de2 in TIFFFillStrip /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_read.c:523:22
This is CVE-2016-10270

> # tiffcrop -i $FILE /tmp/foo
> ==9181==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x7fd3b2e277f8 at pc 0x7fd3b7a762cc bp 0x7ffffd6e2550 sp 0x7ffffd6e2548
> READ of size 1 at 0x7fd3b2e277f8 thread T0
>     #0 0x7fd3b7a762cb in _TIFFFax3fillruns /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_fax3.c:413:13
This is CVE-2016-10271

> # tiffcrop -i $FILE /tmp/foo
> ==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
> WRITE of size 2048 at 0x62d00000a3fc thread T0
>       #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9
This is CVE-2016-10272
-- 
Agostino Sarubbo
Gentoo Linux Developer
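Mapping a batch of AddressSanitizer reports like the ones quoted above to CVE identifiers is easier when the reports are reduced to a few fields first: the error class, whether the bad access was a READ or a WRITE, its size, and the first frame inside the library under test. The parser below is an added example, not code from the post or from libtiff; it assumes the standard ASan report layout (`==PID==ERROR:` header, `READ/WRITE of size N` line, `#n 0x... in func path:line:col` frames), and the function and class names are my own. The sample log reproduces two of the reports quoted above, with the wrapped source path joined back onto one line.

```python
"""Parse AddressSanitizer reports and summarise them for triage (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One report starts at each "==PID==ERROR: AddressSanitizer: <kind> on address <addr>" header.
HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)"
)
# The access line tells us direction and size of the faulting access.
ACCESS_RE = re.compile(
    r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+) thread (?P<thread>T\d+)",
    re.MULTILINE,
)
# Symbolised frames: "#n 0xADDR in func /path/file.c:LINE[:COL]".
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<path>[^\s:]+):(?P<line>\d+)(?::(?P<col>\d+))?",
    re.MULTILINE,
)


@dataclass
class Frame:
    index: int
    func: str
    path: str
    line: int


@dataclass
class AsanReport:
    pid: int
    kind: str
    access: str
    size: int
    address: str
    frames: List[Frame] = field(default_factory=list)

    def top_frame(self, within: str = "") -> Optional[Frame]:
        """First frame whose path contains `within` (e.g. 'libtiff/'), so that
        interceptor frames such as __asan_memcpy are skipped when present."""
        for f in self.frames:
            if within in f.path:
                return f
        return None

    def summary(self) -> str:
        f = self.top_frame("libtiff/") or (self.frames[0] if self.frames else None)
        where = f"{f.func} ({f.path.rsplit('/', 1)[-1]}:{f.line})" if f else "unknown"
        return f"{self.kind} {self.access} of {self.size} bytes in {where}"


def parse_reports(text: str) -> List[AsanReport]:
    """Split a log into individual reports, one per ==PID==ERROR header."""
    reports: List[AsanReport] = []
    starts = [m.start() for m in HEADER_RE.finditer(text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = text[start:end]
        hdr = HEADER_RE.search(chunk)
        acc = ACCESS_RE.search(chunk)
        if not hdr or not acc:
            continue  # truncated report: skip it rather than guess
        frames = [Frame(int(m["n"]), m["func"], m["path"], int(m["line"]))
                  for m in FRAME_RE.finditer(chunk)]
        reports.append(AsanReport(int(hdr["pid"]), hdr["kind"], acc["access"],
                                  int(acc["size"]), acc["addr"], frames))
    return reports


def worst_first(reports: List[AsanReport]) -> List[AsanReport]:
    """Order for triage: out-of-bounds heap writes can corrupt neighbouring
    allocations, reads usually mean a crash or an information leak, so writes
    come first, then larger accesses."""
    return sorted(reports, key=lambda r: (r.access != "WRITE", -r.size))


# Two reports from the post (CVE-2016-10268 and CVE-2016-10272), values as
# quoted there, with the wrapped path joined onto one line.
SAMPLE_LOG = """\
==16440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e861 at pc 0x0000004531de bp 0x7ffd2aba5c30 sp 0x7ffd2aba53e0
READ of size 78490 at 0x62500000e861 thread T0
    #1 0x7f280456d37b in _tiffWriteProc /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:115:23
==29649==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00000a3fc at pc 0x0000004bc48c bp 0x7ffd6f23c680 sp 0x7ffd6f23be30
WRITE of size 2048 at 0x62d00000a3fc thread T0
      #1 0x7fcac5ac0033 in NeXTDecode /tmp/portage/media-libs/tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_next.c:64:9
"""

if __name__ == "__main__":
    for r in worst_first(parse_reports(SAMPLE_LOG)):
        print(f"pid {r.pid}: {r.summary()}")
```

Running the script prints the NeXTDecode write before the _tiffWriteProc read. Feeding it the concatenated output of a fuzzing run gives one summary line per crash, which is the form in which duplicates are easiest to spot and CVE identifiers easiest to attach.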
