oss-sec mailing list archives

Re: CVE requests: LibTIFF

From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Thu, 24 Jun 2010 09:16:20 -0400

Thanks for your help Tomas, it's hard to keep all these issues straight.

On Thu, Jun 24, 2010 at 3:03 AM, Tomas Hoger <thoger () redhat com> wrote:

On Wed, 23 Jun 2010 14:01:14 -0400 Dan Rosenberg wrote:

1.  Out-of-bounds read in TIFFExtractData() may result in application
crash (no reference, fixed upstream).  Reported by Dan Rosenberg.


Do you have any info on this?  I don't see anything obviously related
in changelog.  TIFFExtractData itself and all its uses seem unchanged
for years.


Revision 1.92.2.9 of libtiff/tif_dirread.c added code for ensuring
valid tag type information for each TIFF directory entry.  Prior to
this fix, unknown tag types would result in an out-of-bounds array
index in TIFFExtractData() on any code path using this macro.  Ubuntu
security backported this fix as debian/patches/fix-unknown-tags.patch
in their libtiff4 package.

2.  Out-of-bounds read in TIFFVGetField() may result in application
crash
(https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).


This is NULL deref.  Another Sauli's test case shows that similar
problem can occur with NULL td_stripbytecount few lines below
td_stripoffset case addressed in upstream patch.

The fix for this issue was combined with the fix for CVE-2010-2065,
but it appears to be a separate issue.  Reported by Sauli Pahlman.


Right, not related to what CVE-2010-2065 was assigned to.

3.  Memory corruption in TIFFRGBAImageGet() due to buffer overflow
(https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605).
Reported by Sauli Pahlman.


IIRC, Sauli's file only demonstrates OOB read.  Upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2216


Sorry, I misread your comment on the Launchpad post - by "buffer
over-read", I now understand that you meant that libtiff attempted to
read well past the boundaries of a buffer, resulting in an
out-of-bounds read and application crash.  My mistake.

4.  http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage
fails when flipping vertically on 64-bit platforms")


CVE-2010-2233 was assigned to this issue.

--
Tomas Hoger / Red Hat Security Response Team

Current thread:

CVE requests: LibTIFF Dan Rosenberg (Jun 23)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
  - Re: CVE requests: LibTIFF Dan Rosenberg (Jun 24)
    - Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
    - Re: CVE requests: LibTIFF Dan Rosenberg (Jun 29)
    - Re: CVE requests: LibTIFF Tomas Hoger (Jun 29)
    - Re: CVE requests: LibTIFF Dan Rosenberg (Jun 29)
    - Re: CVE requests: LibTIFF Josh Bressers (Jun 30)
    - Re: CVE requests: LibTIFF Dan Rosenberg (Jun 30)
- <Possible follow-ups>
- Re: CVE requests: LibTIFF Josh Bressers (Jun 30)