oss-sec mailing list archives

Re: CVE requests: LibTIFF


From: Tomas Hoger <thoger () redhat com>
Date: Thu, 1 Jul 2010 10:38:17 +0200

On Wed, 30 Jun 2010 14:58:58 -0400 Dan Rosenberg wrote:

> 1.  OOB read in TIFFExtractData() leading to crash (no reference,
> originally disclosed by me in this thread, fixed upstream with release
> 3.9.4 and security fix backported by Ubuntu).

Not really a reference for the issue, but at least for the patch:
http://bugzilla.maptools.org/show_bug.cgi?id=2210

> 2.  NULL pointer dereference due to invalid td_stripbytecount leading
> to crash (distinct from CVE-2010-2443).  The upstream changelog entry
> for 3.9.4 reads:
>
>       * libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error
>       and avoid a crash if the input file is so broken that the strip
>       offsets are not defined.

This changelog entry refers to the td_stripoffset issue (aka CVE-2010-2443)
and it first appears in the 3.9.3 changelog.  The td_stripbytecount case is
not yet fixed upstream as far as I can tell.

References for CVE-2010-2482:
https://bugs.launchpad.net/bugs/597246
https://bugzilla.redhat.com/show_bug.cgi?id=603024#c9
http://bugzilla.maptools.org/show_bug.cgi?id=1996#c12  

> 3.  OOB read in TIFFRGBAImageGet() leading to crash.  Reference:
> https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605

http://bugzilla.maptools.org/show_bug.cgi?id=2216

-- 
Tomas Hoger / Red Hat Security Response Team
