Date: Sun, 1 Jan 2017 12:51:35 -0500
From: <>
To: <>
CC: <>, <>
Subject: Re: libtiff: multiple heap-based buffer overflow



At the moment, we will assign IDs to the issues listed with a write
impact. We will later look at the issues listed with a read or
undefined impact, but this has some complexity. One example is that
9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a is a one-symbol code change
that fixes both a "READ of size 1" outcome and a "WRITE of size 1"
outcome. Another example is that a "READ of size 1" within the source
code of a command-line tool (not part of the library code that could
be used in an arbitrary application) may have no risk. Apparently all
of the issues were public on and/or
during 2016 and thus they have CVE-2016-##### IDs. It would be useful
to include the specific URL for each issue.

> tiffcrop
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 1 at
> tiff-4.0.7/work/tiff-4.0.7/libtiff/tif_unix.c:340:2

>> 2016-12-03
>> tools/tiffcrop.c: fix readContigStripsIntoBuffer() in -i (ignore) mode so
>> that the output buffer is correctly incremented to avoid write outside bounds.
>> Reported by Agostino Sarubbo.
>> Fixes

(see also Comment #1)

Use CVE-2016-10092.

> tiffcp
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 16 at
> tiff-4.0.7/tools/tiffcp.c:1171:11

>> 2016-12-03
>> tools/tiffcp.c: fix uint32 underflow/overflow that can cause heap-based
>> buffer overflow.
>> Reported by Agostino Sarubbo.
>> Fixes

Use CVE-2016-10093.

> tiffcrop
> Upstream said that the previous changes fix this too. It needs to be
> bisected.
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 2048 at
> tiff-4.0.7/libtiff/tif_next.c:64:9


The vendor response was "I cannot reproduce with CVS head. But I
reproduce with 4.0.7 so this has been fixed by recent commits. Could
you track CVS head for your next fuzzing sessions so as to avoid
wasting our time to both of us ?"

If there is additional information from bisection, please let us know.

> tiff2pdf
> AddressSanitizer: heap-buffer-overflow ... WRITE of size 2 at
> tiff-4.0.7/libtiff/tif_unix.c:340:2

>> 2016-12-20
>> tools/tiff2pdf.c: avoid potential heap-based overflow in
>> t2p_readwrite_pdf_image_tile().
>> Fixes

Use CVE-2016-10094 for this off-by-one error.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
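The tiffcp entry above (CVE-2016-10093) is described by its commit message only as a "uint32 underflow/overflow that can cause heap-based buffer overflow". The following is an added illustration of that bug class and of the check that closes it; it is not libtiff code, not the tools/tiffcp.c fix, and the function names, the row-copy loop and the strip dimensions are all constructed for the demo. The dimensions are chosen so that width * bpp * rows equals 2^32 + 65536, which wraps to 65536 when computed in 32 bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed demo dimensions (hypothetical, not from any real TIFF):
 * 65537 * 4 * 16384 == 2^32 + 65536, i.e. 65536 after uint32 wrap-around. */
#define DEMO_WIDTH 65537u
#define DEMO_BPP   4u
#define DEMO_ROWS  16384u

/* Vulnerable pattern: unchecked 32-bit product used as a malloc() size. */
uint32_t strip_bytes_unchecked(uint32_t width, uint32_t bpp, uint32_t rows)
{
    return width * bpp * rows;                 /* wraps mod 2^32 */
}

/* Hardened form: multiply in 64 bits and reject anything that does not
 * fit in uint32.  Returns 1 and stores the size on success, 0 on overflow. */
int strip_bytes_checked(uint32_t width, uint32_t bpp, uint32_t rows, uint32_t *out)
{
    uint64_t n = (uint64_t)width * bpp;
    if (n > UINT32_MAX)
        return 0;
    n *= rows;
    if (n > UINT32_MAX)
        return 0;
    *out = (uint32_t)n;
    return 1;
}

/* The "underflow" half of the same class: total - consumed wraps to a huge
 * value when consumed > total, so a later "fits in what is left" test passes. */
uint32_t bytes_left_unchecked(uint32_t total, uint32_t consumed)
{
    return total - consumed;
}

int bytes_left_checked(uint32_t total, uint32_t consumed, uint32_t *out)
{
    if (consumed > total)
        return 0;
    *out = total - consumed;
    return 1;
}

/* Row copier that checks each write against the real destination size
 * instead of trusting the caller's arithmetic.  Returns rows copied, or -1
 * on the first row that would not fit.  The test is a subtraction so that
 * off + row_bytes cannot itself wrap. */
long copy_rows(unsigned char *dst, size_t dst_len,
               const unsigned char *src, size_t row_bytes, uint32_t rows)
{
    size_t off = 0;
    for (uint32_t r = 0; r < rows; r++) {
        if (row_bytes > dst_len - off)
            return -1;
        memcpy(dst + off, src, row_bytes);
        off += row_bytes;
    }
    return (long)rows;
}

/* Vulnerable path: allocate with the wrapped size, then copy the rows the
 * header actually describes.  The bounded copier returns -1 because the
 * first 262148-byte row already exceeds the 65536-byte buffer; an unchecked
 * memcpy here is exactly the ASan "WRITE" the report shows.  -2 means the
 * demo itself could not allocate. */
long demo_unchecked(void)
{
    uint32_t alloc = strip_bytes_unchecked(DEMO_WIDTH, DEMO_BPP, DEMO_ROWS);
    size_t row_bytes = (size_t)DEMO_WIDTH * DEMO_BPP;
    unsigned char *dst = malloc(alloc);
    unsigned char *src = calloc(row_bytes, 1);   /* constructed source row */
    long rc = (dst && src) ? copy_rows(dst, alloc, src, row_bytes, DEMO_ROWS) : -2;
    free(dst);
    free(src);
    return rc;
}

/* Hardened path: the size computation refuses the hostile header before
 * any allocation.  Returns the accepted size, or -1 if rejected. */
long demo_checked(uint32_t width, uint32_t bpp, uint32_t rows)
{
    uint32_t alloc;
    if (!strip_bytes_checked(width, bpp, rows, &alloc))
        return -1;
    return (long)alloc;
}

int main(void)
{
    printf("wrapped size     : %u\n", strip_bytes_unchecked(DEMO_WIDTH, DEMO_BPP, DEMO_ROWS));
    printf("bounded copy rc  : %ld\n", demo_unchecked());
    printf("checked size rc  : %ld\n", demo_checked(DEMO_WIDTH, DEMO_BPP, DEMO_ROWS));
    printf("checked size ok  : %ld\n", demo_checked(1000u, 3u, 100u));
    return 0;
}
```

The point for triage is the one the CVE team makes above: the same wrapped value reaches both a read and a write site, so whether an issue is a "READ" or a "WRITE" in the ASan output depends on which consumer of the size runs first, not on the root cause. Fixing the arithmetic (the checked variants) closes both; bounding the copy alone only converts the write into an error return.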

