Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTilqU-tsABl89fj7Vm1fkW3S3rsxc0Adyx0zQtiu@mail.gmail.com>
Date: Wed, 23 Jun 2010 14:01:14 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE requests: LibTIFF

In the past week, LibTIFF has released new versions upstream (3.9.3,
and soon after, 3.9.4) that address a number of potentially
security-relevant issues, some of which have not been assigned CVE
identifiers.  The following issues will crash (or worse) any
application linked against LibTIFF in the trivial case of viewing a
maliciously crafted image:

1.  Out-of-bounds read in TIFFExtractData() may result in application
crash (no reference, fixed upstream).  Reported by Dan Rosenberg.

2.  Out-of-bounds read in TIFFVGetField() may result in application
crash (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).
 The fix for this issue was combined with the fix for CVE-2010-2065,
but it appears to be a separate issue.  Reported by Sauli Pahlman.

3.  Memory corruption in TIFFRGBAImageGet() due to buffer overflow
(https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605).
Reported by Sauli Pahlman.


There is another series of issues that each lead to an application
crash, reported at https://bugzilla.redhat.com/show_bug.cgi?id=583081
by Nicolae Ghimbovschi.  However, these issues may require more user
assistance, such as running specific conversion tools to process TIFF
files, and as such may not need CVE identifiers.  I thought I'd
include them for completeness:

4.  http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage
fails when flipping vertically on 64-bit platforms")

5.  http://bugzilla.maptools.org/show_bug.cgi?id=2208 ("Bogus
ReferenceBlackWhite values can crash libtiff")

6.  http://bugzilla.maptools.org/show_bug.cgi?id=2209 ("Assertion
failure in OJPEGPostDecode") - this one is an assertion failure and
not a segfault, so it might not need a CVE.


Finally, to avoid confusion, the following more serious issues were
also fixed and have already received CVE identifiers:

7.  Integer overflows leading to heap overflow in Fax3SetupState().
Reported by Kevin Finisterre (CVE-2010-1411).

8.  Integer overflow in TIFFFillStrip() leading to heap overflow in
TIFFReadRawStrip1().  Reported by Sauli Pahlman (CVE-2010-2065).

9.  Stack overflow when processing SubjectDistance EXIF tags allows
arbitrary code execution.  Reported by Dan Rosenberg (CVE-2010-2067).

Thanks,
Dan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.