Re: CVE requests: LibTIFF

[Dan Rosenberg <dan.j.rosenberg () gmail com>]

On Tue, Jun 29, 2010 at 12:27 PM, Tomas Hoger <thoger () redhat com> wrote:
> On Tue, 29 Jun 2010 08:05:25 -0400 Dan Rosenberg wrote:
>
> > On request, I'm re-posting the issues which I think actually deserve
> > CVE ids.
>
> I believe the disagreement here is caused by different opinions on what
> should be and what does not need to be called security.

I agree that it's a fine line between security and stability issues.
In these cases, since simply viewing a TIFF image will crash any
application linked against libtiff, and given a past record of DoS
issues in image libraries (and libtiff in particular) receiving CVEs,
I see no reason why these bugs should be treated any differently.  In
any case, I leave that decision to those who assign CVEs.

> > 2.  A NULL pointer derefrence in TIFFVGetField() may result in
> > application crash
> > (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).
>
> This got CVE-2010-2443 from Mitre few days ago.  But I guess you're
> going to (or should?) ask for one more for td_stripbytecount case I
> pointed out in one of the previous replies (split due to different
> fixed-in version).  Sauli's fuzzer to blame for the discovery again ;).

In that case, we've got three CVE-pending issues, each of which have
been described in more detail in previous posts:

1.  OOB read in TIFFExtractData() leading to crash.

2.  NULL pointer dereference due to invalid td_stripbytecount leading
to crash (distinct from CVE-2010-2443).

3.  OOB read in TIFFRGBAImageGet() leading to crash.

-Dan

> --
> Tomas Hoger / Red Hat Security Response Team