Date: Thu, 24 Jun 2010 09:16:20 -0400 From: Dan Rosenberg <dan.j.rosenberg@...il.com> To: Tomas Hoger <thoger@...hat.com> Cc: oss-security@...ts.openwall.com Subject: Re: CVE requests: LibTIFF Thanks for your help Tomas, it's hard to keep all these issues straight. On Thu, Jun 24, 2010 at 3:03 AM, Tomas Hoger <thoger@...hat.com> wrote: > On Wed, 23 Jun 2010 14:01:14 -0400 Dan Rosenberg wrote: > >> 1. Out-of-bounds read in TIFFExtractData() may result in application >> crash (no reference, fixed upstream). Reported by Dan Rosenberg. > > Do you have any info on this? I don't see anything obviously related > in changelog. TIFFExtractData itself and all its uses seem unchanged > for years. > Revision 184.108.40.206 of libtiff/tif_dirread.c added code for ensuring valid tag type information for each TIFF directory entry. Prior to this fix, unknown tag types would result in an out-of-bounds array index in TIFFExtractData() on any code path using this macro. Ubuntu security backported this fix as debian/patches/fix-unknown-tags.patch in their libtiff4 package. >> 2. Out-of-bounds read in TIFFVGetField() may result in application >> crash >> (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145). > > This is NULL deref. Another Sauli's test case shows that similar > problem can occur with NULL td_stripbytecount few lines below > td_stripoffset case addressed in upstream patch. > >> The fix for this issue was combined with the fix for CVE-2010-2065, >> but it appears to be a separate issue. Reported by Sauli Pahlman. > > Right, not related to what CVE-2010-2065 was assigned to. > >> 3. Memory corruption in TIFFRGBAImageGet() due to buffer overflow >> (https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605). >> Reported by Sauli Pahlman. > > IIRC, Sauli's file only demonstrates OOB read. Upstream bug: > http://bugzilla.maptools.org/show_bug.cgi?id=2216 > Sorry, I misread your comment on the Launchpad post - by "buffer over-read", I now understand that you meant that libtiff attempted to read well past the boundaries of a buffer, resulting in an out-of-bounds read and application crash. My mistake. >> 4. http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage >> fails when flipping vertically on 64-bit platforms") > > CVE-2010-2233 was assigned to this issue. > > -- > Tomas Hoger / Red Hat Security Response Team >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.