oss-sec mailing list archives
Re: CVE requests: LibTIFF
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 24 Jun 2010 09:03:59 +0200
On Wed, 23 Jun 2010 14:01:14 -0400 Dan Rosenberg wrote:
1. Out-of-bounds read in TIFFExtractData() may result in application crash (no reference, fixed upstream). Reported by Dan Rosenberg.
Do you have any info on this? I don't see anything obviously related in changelog. TIFFExtractData itself and all its uses seem unchanged for years.
2. Out-of-bounds read in TIFFVGetField() may result in application crash (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).
This is NULL deref. Another Sauli's test case shows that similar problem can occur with NULL td_stripbytecount few lines below td_stripoffset case addressed in upstream patch.
The fix for this issue was combined with the fix for CVE-2010-2065, but it appears to be a separate issue. Reported by Sauli Pahlman.
Right, not related to what CVE-2010-2065 was assigned to.
3. Memory corruption in TIFFRGBAImageGet() due to buffer overflow (https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605). Reported by Sauli Pahlman.
IIRC, Sauli's file only demonstrates OOB read. Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2216
4. http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage fails when flipping vertically on 64-bit platforms")
CVE-2010-2233 was assigned to this issue. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- CVE requests: LibTIFF Dan Rosenberg (Jun 23)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 24)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 29)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 29)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 29)
- Re: CVE requests: LibTIFF Josh Bressers (Jun 30)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 30)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 24)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
- <Possible follow-ups>
- Re: CVE requests: LibTIFF Josh Bressers (Jun 30)