CVE Request -- libtiff [was: Re: [oss-security] libtiff buffer underflow in LZWDecodeCompat]

[Jan Lieskovsky <jlieskov () redhat com>]

Hello Steve,

  could you please allocate a new CVE id for this buffer underwrite
flaw? 

Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On Tue, 2009-06-23 at 17:14 -0600, Vincent Danen wrote:
> * [2009-06-21 17:14:24 -0700] Kees Cook wrote:
>
> > A crafted TIFF can crash libtiff in LZWDecodeCompat via underflow (different
> > from CVE-2008-2327).
> >
> > Based on discussions[1] and a quick analysis[2], I don't think this is
> > exploitable, but it does lead to crashes in any application using libtiff.
> > I've reported it upstream[3], with the attached patch.
> >
> > Has anyone else looked this over?
> >
> > -Kees
> >
> > [1] http://www.lan.st/showthread.php?t=1856&page=3
> > [2] https://bugs.launchpad.net/bugs/380149
> > [3] http://bugzilla.maptools.org/show_bug.cgi?id=2065
>
> You saw that a new comment was posted to [3] that points to an earlier
> bug and a different patch, right?  Looks like it was just updated today,
> to point to this bug report from january:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1985
>
> Also, that report seems to agree with your quick analysis:
>
> "However, the previous patch does appear to prevent a payload of more than one distinct byte,
> making this effectively useless as a code injection vector. Nonetheless, it
> still is effective at crashing applications that use LibTIFF."
>
> In fact, I think the reporter of that bug was one of the writers in the
> lan.st forum notes you're showing, particularly based on this comment
> where he indicates it isn't exploitable and that he filed a bug:
>
> http://www.lan.st/showpost.php?p=13094&postcount=58