oss-sec mailing list archives
Re: CVE requests: LibTIFF
From: Tomas Hoger <thoger () redhat com>
Date: Thu, 1 Jul 2010 10:38:17 +0200
On Wed, 30 Jun 2010 14:58:58 -0400 Dan Rosenberg wrote:

> 1. OOB read in TIFFExtractData() leading to crash (no reference, originally disclosed by me in this thread, fixed upstream with release 3.9.4 and security fix backported by Ubuntu).

Not really a reference for the issue, but at least for the patch:
http://bugzilla.maptools.org/show_bug.cgi?id=2210

> 2. NULL pointer dereference due to invalid td_stripbytecount leading to crash (distinct from CVE-2010-2443). The upstream changelog entry for 3.9.4 reads:
>
> * libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error and avoid a crash if the input file is so broken that the strip offsets are not defined.

This changelog entry refers to the td_stripoffset issue (aka CVE-2010-2443) and it first appears in the 3.9.3 changelog. The td_stripbytecount case is not yet fixed upstream as far as I can tell.

References for CVE-2010-2482:
https://bugs.launchpad.net/bugs/597246
https://bugzilla.redhat.com/show_bug.cgi?id=603024#c9
http://bugzilla.maptools.org/show_bug.cgi?id=1996#c12

> 3. OOB read in TIFFRGBAImageGet() leading to crash. Reference: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605

http://bugzilla.maptools.org/show_bug.cgi?id=2216

--
Tomas Hoger / Red Hat Security Response Team