oss-sec mailing list archives
Re: CVE-2013-5575 LibTIFF through 3.9.5 integer overflow
From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Mon, 26 Aug 2013 10:35:32 +0530
On 08/24/2013 08:15 PM, cve-assign () mitre org wrote:
> http://archives.neohapsis.com/archives/fulldisclosure/2013-08/0247.html
> http://www.x90c.org/advisories/xadv_2013001_libtiff.txt
>
> This apparently only affects older versions but seems different from
> CVE-2012-1173 and other CVEs, so it is assigned CVE-2013-5575.

There seems to be no vulnerability in here; check out the exploit code:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include "tiffio.h"

    int tiff_integer_overflow_test(){
        TIFF* tif = TIFFOpen("/home/x90c/sample_spp.tif", "r");
        int samples = 0;

        /*
         * for instance, TIFFGetField library function will
         * called with malicious samplesperpixel field value
         * TIFFGetField got segfault!
         */
        TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples);
        printf("tiff_poc: tif samplesperpixel field=%d\n", samples);
    }

This is obviously missing a check for the return value of *tif after
TIFFOpen(). In the above case, since libtiff isn't able to open the
file, it returns a NULL. Our "exploit" code above tried to run
TIFFGetField() on it, and results in a "fixed value dereference", so
this is user-mistake and not a vulnerability.

I want to ask to REJECT this CVE.

--
Huzaifa Sidhpurwala / Red Hat Security Response Team