oss-sec mailing list archives

CVE requests: LibTIFF


From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 23 Jun 2010 14:01:14 -0400

In the past week, LibTIFF has released new versions upstream (3.9.3,
and soon after, 3.9.4) that address a number of potentially
security-relevant issues, some of which have not been assigned CVE
identifiers.  The following issues will crash (or worse) any
application linked against LibTIFF in the trivial case of viewing a
maliciously crafted image:

1.  Out-of-bounds read in TIFFExtractData() may result in application
crash (no reference, fixed upstream).  Reported by Dan Rosenberg.

2.  Out-of-bounds read in TIFFVGetField() may result in application
crash (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).
The fix for this issue was combined with the fix for CVE-2010-2065,
but it appears to be a separate issue.  Reported by Sauli Pahlman.

3.  Memory corruption in TIFFRGBAImageGet() due to buffer overflow
(https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605).
Reported by Sauli Pahlman.


There is another series of issues that each lead to an application
crash, reported at https://bugzilla.redhat.com/show_bug.cgi?id=583081
by Nicolae Ghimbovschi.  However, these issues may require more user
assistance, such as running specific conversion tools to process TIFF
files, and as such may not need CVE identifiers.  I thought I'd
include them for completeness:

4.  http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage
fails when flipping vertically on 64-bit platforms")

5.  http://bugzilla.maptools.org/show_bug.cgi?id=2208 ("Bogus
ReferenceBlackWhite values can crash libtiff")

6.  http://bugzilla.maptools.org/show_bug.cgi?id=2209 ("Assertion
failure in OJPEGPostDecode") - this one is an assertion failure and
not a segfault, so it might not need a CVE.


Finally, to avoid confusion, the following more serious issues were
also fixed and have already received CVE identifiers:

7.  Integer overflows leading to heap overflow in Fax3SetupState().
Reported by Kevin Finisterre (CVE-2010-1411).

8.  Integer overflow in TIFFFillStrip() leading to heap overflow in
TIFFReadRawStrip1().  Reported by Sauli Pahlman (CVE-2010-2065).

9.  Stack overflow when processing SubjectDistance EXIF tags allows
arbitrary code execution.  Reported by Dan Rosenberg (CVE-2010-2067).

Thanks,
Dan
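Items 7 and 8 above describe the same defect class: a buffer size computed from untrusted fields in the file wraps, a too-small buffer is allocated, and the full length is then written into it. The following is an added, constructed example (not LibTIFF code, and not from the poster); the struct, field names and functions are hypothetical stand-ins for a strip descriptor read from a TIFF directory. It contrasts an unchecked 32-bit size computation with an overflow-checked one that also rejects a claimed byte count larger than the strip geometry allows.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical strip descriptor (constructed for this example).  In a real
 * reader these values come straight from the file and are untrusted. */
struct strip_desc {
    uint32_t rows;       /* rows in this strip */
    uint32_t scanline;   /* bytes per scanline */
    uint32_t bytecount;  /* byte count the file claims for the strip */
};

/* Overflow-checked multiply: returns 1 and stores the product in *out,
 * or returns 0 when a*b does not fit in size_t. */
int checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Unchecked variant: the product wraps modulo 2^32, so a large geometry
 * can yield a tiny (even zero) allocation size. */
uint32_t strip_buffer_size_unchecked(const struct strip_desc *d) {
    return d->rows * d->scanline;
}

/* Checked variant: returns the validated buffer size, or 0 when the
 * arithmetic would overflow or the claimed byte count exceeds what the
 * geometry can hold (the condition that turns a short buffer into a
 * heap overflow on the subsequent copy). */
size_t strip_buffer_size(const struct strip_desc *d) {
    size_t need;
    if (!checked_mul(d->rows, d->scanline, &need)) return 0;
    if (need == 0) return 0;
    if (d->bytecount > need) return 0;
    return need;
}

/* Convenience wrapper so the size check can be exercised from plain values. */
size_t size_for(uint32_t rows, uint32_t scanline, uint32_t bytecount) {
    struct strip_desc d = { rows, scanline, bytecount };
    return strip_buffer_size(&d);
}

uint32_t size_for_unchecked(uint32_t rows, uint32_t scanline) {
    struct strip_desc d = { rows, scanline, 0 };
    return strip_buffer_size_unchecked(&d);
}

/* Allocates a strip buffer only after the size has been validated and copies
 * exactly the claimed byte count, which the check above bounds by the
 * allocation.  'raw' is the constructed stand-in for file data. */
unsigned char *read_strip(const struct strip_desc *d, const unsigned char *raw) {
    size_t need = strip_buffer_size(d);
    if (need == 0) return NULL;              /* inconsistent or overflowing */
    unsigned char *buf = calloc(1, need);
    if (buf == NULL) return NULL;
    memcpy(buf, raw, d->bytecount);          /* bytecount <= need is guaranteed */
    return buf;
}

int main(void) {
    /* 65536 * 65536 wraps to 0 in 32-bit arithmetic. */
    printf("unchecked size: %u\n", size_for_unchecked(65536u, 65536u));
    printf("checked size (oversized bytecount rejected): %zu\n",
           size_for(16u, 256u, 8192u));
    printf("checked size (consistent): %zu\n", size_for(16u, 256u, 4096u));
    return 0;
}
```

The important property is that every value feeding the allocation size is checked before the allocation, and the later copy length is bounded by the same check, so a wrapped product can never produce a buffer smaller than the data written into it.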

