oss-sec mailing list archives
Re: CVE requests: LibTIFF
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Tue, 29 Jun 2010 12:36:27 -0400
On Tue, Jun 29, 2010 at 12:27 PM, Tomas Hoger <thoger () redhat com> wrote:
On Tue, 29 Jun 2010 08:05:25 -0400 Dan Rosenberg wrote:On request, I'm re-posting the issues which I think actually deserve CVE ids.I believe the disagreement here is caused by different opinions on what should be and what does not need to be called security.
I agree that it's a fine line between security and stability issues. In these cases, since simply viewing a TIFF image will crash any application linked against libtiff, and given a past record of DoS issues in image libraries (and libtiff in particular) receiving CVEs, I see no reason why these bugs should be treated any differently. In any case, I leave that decision to those who assign CVEs.
2. A NULL pointer derefrence in TIFFVGetField() may result in application crash (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145).This got CVE-2010-2443 from Mitre few days ago. But I guess you're going to (or should?) ask for one more for td_stripbytecount case I pointed out in one of the previous replies (split due to different fixed-in version). Sauli's fuzzer to blame for the discovery again ;).
In that case, we've got three CVE-pending issues, each of which have been described in more detail in previous posts: 1. OOB read in TIFFExtractData() leading to crash. 2. NULL pointer dereference due to invalid td_stripbytecount leading to crash (distinct from CVE-2010-2443). 3. OOB read in TIFFRGBAImageGet() leading to crash. -Dan
-- Tomas Hoger / Red Hat Security Response Team
Current thread:
- CVE requests: LibTIFF Dan Rosenberg (Jun 23)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 24)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 29)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 29)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 29)
- Re: CVE requests: LibTIFF Josh Bressers (Jun 30)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 30)
- Re: CVE requests: LibTIFF Dan Rosenberg (Jun 24)
- Re: CVE requests: LibTIFF Tomas Hoger (Jun 24)
- <Possible follow-ups>
- Re: CVE requests: LibTIFF Josh Bressers (Jun 30)