Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 01 Jan 2017 21:11:42 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: libtiff: multiple heap-based buffer overflow

On Sunday 01 January 2017 12:51:35 cve-assign@...re.org wrote:
> > https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer
> > -overflow
> At the moment, we will assign IDs to the issues listed with a write
> impact. We will later look at the issues listed with a read or
> undefined impact, but this has some complexity. 

> Another example is that a "READ of size 1" within the source
> code of a command-line tool (not part of the library code that could
> be used in an arbitrary application) may have no risk.

Yes, we know that sometimes command line tools with issues like READ of size 1 
cannot create damage.
However, for completeness and for people/packagers that want to have them 
fixed in they repository, I shared the details as well.

> > AddressSanitizer: heap-buffer-overflow ... WRITE of size 2048 at
> > tiff-4.0.7/libtiff/tif_next.c:64:9
> > 
> >> http://bugzilla.maptools.org/show_bug.cgi?id=2624
> 
> The vendor response was "I cannot reproduce with CVS head. But I
> reproduce with 4.0.7 so this has been fixed by recent commits. Could
> you track CVS head for your next fuzzing sessions so as to avoid
> wasting our time to both of us ?"

For some reasons I like to fuzz on a stable releases. Since libtiff ships some 
binaries, I take time to test each binary. So, there was a situation where a 
bug filed against an issue reproducible via tiffcp was fixed from a commit 
which addressed an issue filed against tiffcrop.
But as you have pointed out, there were cases where a commit addressed a READ 
issue and later on it was discovered that it fixed a WRITE issue too.


> If there is additional information from bisection, please let us know.

The commit that addresses the specific issue seems to be 
9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a.
However the process seems to fails to exit and went into a loop, but that's a 
different issue and needs to be reported upstream.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.