|
Message-ID: <a5c8bd5fcbf94dfe83238915b480add2@imshyb02.MITRE.ORG> Date: Sun, 1 Jan 2017 12:51:35 -0500 From: <cve-assign@...re.org> To: <ago@...too.org> CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com> Subject: Re: libtiff: multiple heap-based buffer overflow -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow At the moment, we will assign IDs to the issues listed with a write impact. We will later look at the issues listed with a read or undefined impact, but this has some complexity. One example is that 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a is a one-symbol code change that fixes both a "READ of size 1" outcome and a "WRITE of size 1" outcome. Another example is that a "READ of size 1" within the source code of a command-line tool (not part of the library code that could be used in an arbitrary application) may have no risk. Apparently all of the issues were public on github.com and/or bugzilla.maptools.org during 2016 and thus they have CVE-2016-##### IDs. It would be useful to include the specific bugzilla.maptools.org URL for each issue. > tiffcrop > https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a > AddressSanitizer: heap-buffer-overflow ... WRITE of size 1 at > tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2 >> 2016-12-03 >> tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so >> that the output buffer is correctly incremented to avoid write outside bounds. >> Reported by Agostino Sarubbo. >> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2620 (see also http://bugzilla.maptools.org/show_bug.cgi?id=2622 Comment #1) Use CVE-2016-10092. > tiffcp > https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec > AddressSanitizer: heap-buffer-overflow ... WRITE of size 16 at > tiff-4.0.7/tools/tiffcp.c:1171:11 >> 2016-12-03 >> tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based >> buffer overflow. >> Reported by Agostino Sarubbo. >> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2610 Use CVE-2016-10093. > tiffcrop > Upstream said that the previous changes, fixes this too. It needs to be > bisected. > AddressSanitizer: heap-buffer-overflow ... WRITE of size 2048 at > tiff-4.0.7/libtiff/tif_next.c:64:9 >> http://bugzilla.maptools.org/show_bug.cgi?id=2624 The vendor response was "I cannot reproduce with CVS head. But I reproduce with 4.0.7 so this has been fixed by recent commits. Could you track CVS head for your next fuzzing sessions so as to avoid wasting our time to both of us ?" If there is additional information from bisection, please let us know. > tiff2pdf > https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c > AddressSanitizer: heap-buffer-overflow ... WRITE of size 2 at > tiff-4.0.7/libtiff/tif_unix.c:340:2 >> 2016-12-20 >> tools/tiff2pdf.c: avoid potential heap-based overflow in >> t2p_readwrite_pdf_image_tile(). >> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2640 Use CVE-2016-10094 for this off-by-one error. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJYaUCIAAoJEHb/MwWLVhi2FXwQAIrGz699cKKw4thb2xMKcfuV P7ZOqAkOVZjx/q9DVODtLym6HLV2X5ZXbaTQRun23rImjbIZ3mVNBEvt3zTXIUUO sVAV2kwmITOj8fxf4khCeNWuTd2dYe2I9a6wQxSD6lJcnWVt7GYSrwmnTcR2yxDy D5HVn3K0VbMddktBM8W+8503WPamCicHFDXbjF+26oxH5yPAx9CvlUwmbsszzAQP XnYxVNmdj5bMxotFJ1yX/VlFKzUaz/q4FAftWVIXQXlsv4Y0eY0ezTkitMIjJnsV TA0jCUXKyhHTykwKklx4UNZf3BLqAIp49kbSeCyJoyR0UbqSrVVLj6OwZuJGgWnj mPK33fViCG1O2couw9y+sh1F2eK3tQAXyCKMdqMaVGzgPzopagRTvK6N2LWQb5rW 6rjR8xjXOBnysm/6QJibP4WPRPzRQqGeh3Wfb7mBrxxHC+UiMOpHh2rF04zRtYnu P+RQB7jOs5p4ALt3l47aBFozjnHOZk3ROLV1HqVqNP3EU0jOoBNAkt24MKdd6Ixi itRg3AqviVXMAcxhJ0lQ7M8CMeFqSYCqa45VRhAtQ08WAQ9Dt4KUiUZFKu4DQHL9 k6u+DNJLmhLWF17ub+eC79dhu99R05TP8maEo2pMuXjwsbKjdWM+BZqGZac3Y/FS 4Kx6/mQjvfUlqCRmFWlO =WRWR -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.