Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 01 Jan 2017 21:11:42 +0100
From: Agostino Sarubbo <ago@...too.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: Re: libtiff: multiple heap-based buffer overflow

On Sunday 01 January 2017 12:51:35 cve-assign@...re.org wrote:
> > https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer
> > -overflow
> At the moment, we will assign IDs to the issues listed with a write
> impact. We will later look at the issues listed with a read or
> undefined impact, but this has some complexity. 

> Another example is that a "READ of size 1" within the source
> code of a command-line tool (not part of the library code that could
> be used in an arbitrary application) may have no risk.

Yes, we know that sometimes command line tools with issues like READ of size 1 
cannot create damage.
However, for completeness and for people/packagers that want to have them 
fixed in they repository, I shared the details as well.

> > AddressSanitizer: heap-buffer-overflow ... WRITE of size 2048 at
> > tiff-4.0.7/libtiff/tif_next.c:64:9
> > 
> >> http://bugzilla.maptools.org/show_bug.cgi?id=2624
> 
> The vendor response was "I cannot reproduce with CVS head. But I
> reproduce with 4.0.7 so this has been fixed by recent commits. Could
> you track CVS head for your next fuzzing sessions so as to avoid
> wasting our time to both of us ?"

For some reasons I like to fuzz on a stable releases. Since libtiff ships some 
binaries, I take time to test each binary. So, there was a situation where a 
bug filed against an issue reproducible via tiffcp was fixed from a commit 
which addressed an issue filed against tiffcrop.
But as you have pointed out, there were cases where a commit addressed a READ 
issue and later on it was discovered that it fixed a WRITE issue too.


> If there is additional information from bisection, please let us know.

The commit that addresses the specific issue seems to be 
9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a.
However the process seems to fails to exit and went into a loop, but that's a 
different issue and needs to be reported upstream.

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.