oss-sec mailing list archives

Re: CVE requests: LibTIFF


From: Tomas Hoger <thoger () redhat com>
Date: Thu, 24 Jun 2010 15:38:27 +0200

On Thu, 24 Jun 2010 09:16:20 -0400 Dan Rosenberg wrote:

1.  Out-of-bounds read in TIFFExtractData() may result in
application crash (no reference, fixed upstream).  Reported by Dan
Rosenberg.

Do you have any info on this?  I don't see anything obviously
related in changelog.  TIFFExtractData itself and all its uses seem
unchanged for years.

Revision 1.92.2.9 of libtiff/tif_dirread.c added code for ensuring
valid tag type information for each TIFF directory entry.  Prior to
this fix, unknown tag types would result in an out-of-bounds array
index in TIFFExtractData() on any code path using this macro.  Ubuntu
security backported this fix as debian/patches/fix-unknown-tags.patch
in their libtiff4 package.

So the reference is:
  http://bugzilla.maptools.org/show_bug.cgi?id=2210

-- 
Tomas Hoger / Red Hat Security Response Team
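
The kind of check discussed in this message (rejecting an unknown tag type before it is used as an index into a per-type table), as an added example that is not part of the original message and is not libtiff's code. The struct, function names and sample entries are constructed for illustration, and the valid type range 1..12 is assumed from the TIFF 6.0 field types.

```c
#include <stdint.h>
#include <stdio.h>

/* TIFF 6.0 field types are 1..12 (BYTE..DOUBLE); index 0 is unused. */
enum { TYPE_MAX = 12 };
static const uint8_t type_width[TYPE_MAX + 1] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Hypothetical decoded form of one 12-byte directory entry. */
struct dir_entry { uint16_t tag, type; uint32_t count, value; };

static uint16_t rd16(const uint8_t *p, int big) {
    return big ? (uint16_t)(p[0] << 8 | p[1]) : (uint16_t)(p[1] << 8 | p[0]);
}

static uint32_t rd32(const uint8_t *p, int big) {
    return big ? ((uint32_t)rd16(p, 1) << 16) | rd16(p + 2, 1)
               : ((uint32_t)rd16(p + 2, 0) << 16) | rd16(p, 0);
}

/* Bytes per value for a type, or 0 if unknown. The range check comes first,
 * so a file-supplied type value never reaches the array index unchecked. */
unsigned entry_width(uint16_t type) {
    return (type >= 1 && type <= TYPE_MAX) ? type_width[type] : 0;
}

/* Decode an entry; return -1 (caller should skip it) when the type is unknown. */
int parse_entry(const uint8_t raw[12], int big, struct dir_entry *out) {
    out->tag = rd16(raw, big);
    out->type = rd16(raw + 2, big);
    out->count = rd32(raw + 4, big);
    out->value = rd32(raw + 8, big);
    return entry_width(out->type) ? 0 : -1;
}

/* Constructed little-endian samples: ImageWidth (0x0100) as SHORT, then the
 * same entry with a type value outside the table. */
static const uint8_t sample_ok[12]  = {0x00, 0x01, 0x03, 0x00, 1, 0, 0, 0, 0x40, 0, 0, 0};
static const uint8_t sample_bad[12] = {0x00, 0x01, 0xFF, 0xFF, 1, 0, 0, 0, 0x40, 0, 0, 0};

int main(void) {
    struct dir_entry e;
    int rc = parse_entry(sample_ok, 0, &e);
    printf("ok:  rc=%d width=%u\n", rc, entry_width(e.type));
    rc = parse_entry(sample_bad, 0, &e);
    printf("bad: rc=%d width=%u\n", rc, entry_width(e.type));
    return 0;
}
```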

