oss-sec mailing list archives
Re: Re: libtiff: multiple heap-based buffer overflow
From: Agostino Sarubbo <ago () gentoo org>
Date: Sun, 01 Jan 2017 21:11:42 +0100
On Sunday 01 January 2017 12:51:35 cve-assign () mitre org wrote:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer -overflowAt the moment, we will assign IDs to the issues listed with a write impact. We will later look at the issues listed with a read or undefined impact, but this has some complexity.
Another example is that a "READ of size 1" within the source code of a command-line tool (not part of the library code that could be used in an arbitrary application) may have no risk.
Yes, we know that sometimes command line tools with issues like READ of size 1 cannot create damage. However, for completeness and for people/packagers that want to have them fixed in they repository, I shared the details as well.
AddressSanitizer: heap-buffer-overflow ... WRITE of size 2048 at tiff-4.0.7/libtiff/tif_next.c:64:9http://bugzilla.maptools.org/show_bug.cgi?id=2624The vendor response was "I cannot reproduce with CVS head. But I reproduce with 4.0.7 so this has been fixed by recent commits. Could you track CVS head for your next fuzzing sessions so as to avoid wasting our time to both of us ?"
For some reasons I like to fuzz on a stable releases. Since libtiff ships some binaries, I take time to test each binary. So, there was a situation where a bug filed against an issue reproducible via tiffcp was fixed from a commit which addressed an issue filed against tiffcrop. But as you have pointed out, there were cases where a commit addressed a READ issue and later on it was discovered that it fixed a WRITE issue too.
If there is additional information from bisection, please let us know.
The commit that addresses the specific issue seems to be 9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a. However the process seems to fails to exit and went into a loop, but that's a different issue and needs to be reported upstream. -- Agostino Sarubbo Gentoo Linux Developer
Current thread:
- libtiff: multiple heap-based buffer overflow Agostino Sarubbo (Jan 01)
- Re: libtiff: multiple heap-based buffer overflow cve-assign (Jan 01)
- Re: Re: libtiff: multiple heap-based buffer overflow Agostino Sarubbo (Jan 01)
- Re: libtiff: multiple heap-based buffer overflow Agostino Sarubbo (Mar 25)
- Re: libtiff: multiple heap-based buffer overflow cve-assign (Jan 01)