oss-sec mailing list archives
CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks
From: "????" <16362505 () qq com>
Date: Wed, 1 Nov 2017 10:26:56 +0800
------------------ Original ------------------ From: "cve-request"<cve-request () mitre org>; Date: Mon, Oct 30, 2017 08:36 PM To: "zhangjw"<zhangjw () cert org cn>; Cc: "cve-request"<cve-request () mitre org>; Subject: Re: [scr412063] PCRE; LibTIFF -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 The two CVE IDs are below. Please note that CVE can cover a memory leak within a library (such as any file in the tiff-4.0.8/libtiff subdirectory), but cannot cover a memory leak in a command-line program. Therefore, please omit reports about a memory leak affecting tools/tiff2bw.c or a different tools/*.c file.
[Suggested description] In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. ------------------------------------------ [Vulnerability Type] Buffer Overflow ------------------------------------------ [Vendor of Product] Perl Compatible Regular Expressions ------------------------------------------ [Affected Product Code Base] PCRE - 8.41 ------------------------------------------ [Affected Component] file:pcre_exec.c function match() line 983 and line 2061 ------------------------------------------ [Attack Type] Local ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Attack Vectors] A crash file ------------------------------------------ [Discoverer] ZHANG JIAWANG from cncert
Use CVE-2017-16231.
[Suggested description] LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c ------------------------------------------ [Additional Information] /tiff2bw ../../../../libtiff_4.0.8_afl/2bw_output/crashes/poc.tif 222.tif LZWDecode: Not enough data at scanline 0 (short 6442443006 bytes). /usr/local/bin/llvm-symbolizer: /lib/x86_64-linux-gnu/libtinfo.so.5: no version information available (required by /usr/local/bin/llvm-symbolizer) ================================================================= ==25328==ERROR: LeakSanitizer: detected memory leaks Direct leak of 6442451106 byte(s) in 1 object(s) allocated from: #0 0x4bbfd3 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3 #1 0x4e88be in main /home/zzt/Fuzzing/Victims/ASAN/tiff-4.0.8/tools/tiff2bw.c:258:28 #2 0x7f293f0fdabf in __libc_start_main /build/glibc-qbmteM/glibc-2.21/csu/libc-start.c:289 Direct leak of 1137 byte(s) in 1 object(s) allocated from: #0 0x4bbfd3 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3 #1 0x54d6b6 in TIFFClientOpen /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_open.c:119 Indirect leak of 81904 byte(s) in 1 object(s) allocated from: #0 0x4bbfd3 in __interceptor_malloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3 #1 0x5ea2e9 in LZWSetupDecode /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_lzw.c:232 Indirect leak of 2273 byte(s) in 5 object(s) allocated from: #0 0x4bc3d7 in realloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3 #1 0x56f5db in _TIFFCheckRealloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73 #2 0x56f5db in _TIFFCheckMalloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:88 Indirect leak of 1240 byte(s) in 2 object(s) allocated from: #0 0x4bc3d7 in realloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3 #1 0x56f430 in _TIFFCheckRealloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73 ------------------------------------------ [Vendor of Product] TIFF Library and Utilities ------------------------------------------ [Affected Product Code Base] LibTIFF tiff2bw - 4.0.8 ------------------------------------------ [Affected Component] multi memory leak vulnerabilities in files as tiff2bw.c tif_open.c and so on ------------------------------------------ [Attack Type] Local ------------------------------------------ [Impact Denial of Service] true ------------------------------------------ [Attack Vectors] to open a poc file ------------------------------------------ [Discoverer] ZHANG JIAWANG from cncert
Use CVE-2017-16232. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJZ9xyjAAoJEHb/MwWLVhi2UroP/28YC8ygYKkoMyb161Vf4KWR 31U5G6fhAy4vogtjc17NQOcAxFElc1hopqgdSBjzsfFKJHhpAlegs5mn7oyMtUfS UoiC92LuiasCi9h2/AS+CBqbh2ZleTpWChvqxjgGM/WFvUJ3jpSexErUrf4x/H+T ZGhNZE1hCuTEkuUo4Yxu/qWdvtlcZ2N2TanrbntA7XaTiar/C8MGgfVf8YrNaj63 PX/XcGV1sQxUVh9M8hudByvejgzXCYdLcrb4XfeFqZUeki2Qjxa2hJYBRAgKUWKZ MwMDzQScI/rKMgsEmPeWrLqw88kiyFIl/V65YY8NYsZrZS8V92JlJQHWfPw/Rs5W JtKDwp5eK5X4FEb9OX/Ox1MEU/Hp/mFl3an/0c+kumKz34Jn2T/SErpdfTml/yTN clTRHbnid3nAlxfI9U7uUszuv8H0rYgV4v4Vsis37K7rS4Kxl2nucUv4T0/9rVtQ O16piFmIkwNuLfJvipJQXR7F2BOLNgZ3hiIDwfOUNnkEKEcRLyo1Dyyft42WufpR tL8JyTonMQqNee3lvgmlz/LHBjnCJafyF/2OSyGmIYubpmUbUWkhsshkYRSIyhaQ /1z7GP7Iez4QkbxhlF+4gxprxtrt+mHbINPRXM4vJQB/RRvvV81DAKjVfoZzeJLM l9qmqrROzVkGXO9eQLkP =PcOO -----END PGP SIGNATURE-----
Attachment:
pcre_poc.txt
Description:
Attachment:
libtiff_poc.tif
Description:
Current thread:
- CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks ???? (Nov 01)
- Re: CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks Bob Friesenhahn (Nov 01)
- Re: CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks Agostino Sarubbo (Nov 01)
- Re: CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks Solar Designer (Nov 01)