Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 1 Jan 2017 12:51:35 -0500
From: <cve-assign@...re.org>
To: <ago@...too.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: libtiff: multiple heap-based buffer overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow

At the moment, we will assign IDs to the issues listed with a write
impact. We will later look at the issues listed with a read or
undefined impact, but this has some complexity. One example is that
9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a is a one-symbol code change
that fixes both a "READ of size 1" outcome and a "WRITE of size 1"
outcome. Another example is that a "READ of size 1" within the source
code of a command-line tool (not part of the library code that could
be used in an arbitrary application) may have no risk. Apparently all
of the issues were public on github.com and/or bugzilla.maptools.org
during 2016 and thus they have CVE-2016-##### IDs. It would be useful
to include the specific bugzilla.maptools.org URL for each issue.

> tiffcrop
> https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 1 at
> tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

>> 2016-12-03
>> tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
>> that the output buffer is correctly incremented to avoid write outside bounds.
>> Reported by Agostino Sarubbo.
>> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620

(see also http://bugzilla.maptools.org/show_bug.cgi?id=2622 Comment #1)

Use CVE-2016-10092.


> tiffcp
> https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 16 at
> tiff-4.0.7/tools/tiffcp.c:1171:11

>> 2016-12-03
>> tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
>> buffer overflow.
>> Reported by Agostino Sarubbo.
>> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610

Use CVE-2016-10093.


> tiffcrop
> Upstream said that the previous changes, fixes this too. It needs to be
> bisected.
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 2048 at
> tiff-4.0.7/libtiff/tif_next.c:64:9

>> http://bugzilla.maptools.org/show_bug.cgi?id=2624

The vendor response was "I cannot reproduce with CVS head. But I
reproduce with 4.0.7 so this has been fixed by recent commits. Could
you track CVS head for your next fuzzing sessions so as to avoid
wasting our time to both of us ?"

If there is additional information from bisection, please let us know.


> tiff2pdf
> https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 2 at
> tiff-4.0.7/libtiff/tif_unix.c:340:2

>> 2016-12-20
>> tools/tiff2pdf.c: avoid potential heap-based overflow in
>> t2p_readwrite_pdf_image_tile().
>> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640

Use CVE-2016-10094 for this off-by-one error.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYaUCIAAoJEHb/MwWLVhi2FXwQAIrGz699cKKw4thb2xMKcfuV
P7ZOqAkOVZjx/q9DVODtLym6HLV2X5ZXbaTQRun23rImjbIZ3mVNBEvt3zTXIUUO
sVAV2kwmITOj8fxf4khCeNWuTd2dYe2I9a6wQxSD6lJcnWVt7GYSrwmnTcR2yxDy
D5HVn3K0VbMddktBM8W+8503WPamCicHFDXbjF+26oxH5yPAx9CvlUwmbsszzAQP
XnYxVNmdj5bMxotFJ1yX/VlFKzUaz/q4FAftWVIXQXlsv4Y0eY0ezTkitMIjJnsV
TA0jCUXKyhHTykwKklx4UNZf3BLqAIp49kbSeCyJoyR0UbqSrVVLj6OwZuJGgWnj
mPK33fViCG1O2couw9y+sh1F2eK3tQAXyCKMdqMaVGzgPzopagRTvK6N2LWQb5rW
6rjR8xjXOBnysm/6QJibP4WPRPzRQqGeh3Wfb7mBrxxHC+UiMOpHh2rF04zRtYnu
P+RQB7jOs5p4ALt3l47aBFozjnHOZk3ROLV1HqVqNP3EU0jOoBNAkt24MKdd6Ixi
itRg3AqviVXMAcxhJ0lQ7M8CMeFqSYCqa45VRhAtQ08WAQ9Dt4KUiUZFKu4DQHL9
k6u+DNJLmhLWF17ub+eC79dhu99R05TP8maEo2pMuXjwsbKjdWM+BZqGZac3Y/FS
4Kx6/mQjvfUlqCRmFWlO
=WRWR
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.