oss-sec mailing list archives
Re: CVE requests: LibTIFF
From: Josh Bressers <bressers () redhat com>
Date: Wed, 30 Jun 2010 15:49:10 -0400 (EDT)
----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:

> There are three issues that I think are CVE-worthy and have not been assigned:

Thanks for the help Dan. Here goes:

> 1. OOB read in TIFFExtractData() leading to crash (no reference, originally disclosed by me in this thread, fixed upstream with release 3.9.4 and security fix backported by Ubuntu).

CVE-2010-2481

> 2. NULL pointer dereference due to invalid td_stripbytecount leading to crash (distinct from CVE-2010-2443). The upstream changelog entry for 3.9.4 reads:
>
> * libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error and avoid a crash if the input file is so broken that the strip offsets are not defined.

CVE-2010-2482

> 3. OOB read in TIFFRGBAImageGet() leading to crash. Reference: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605

CVE-2010-2483

Thanks.

--
JB