oss-sec mailing list archives
CVE-2016-3632 - libtiff 4.0.6 illegal write
From: 张开翔 <zhangkaixiang () 360 cn>
Date: Fri, 8 Apr 2016 07:10:54 +0000
Details
=======
Product: libtiff
Affected Versions: <= 4.0.6
Vulnerability Type: Illegal write
Vendor URL: http://www.remotesensing.org/libtiff/
CVE ID: CVE-2016-3632
Credit: Kaixiang Zhang of the Cloud Security Team, Qihoo 360

Introduction

An illegal write occurs in the _TIFFVGetField function in tif_dirinfo.c when using the thumbnail command, which allows attackers to exploit this issue to cause a denial of service or possibly command execution.

libtiff/tif_dir.c:1073

1068         if (fip->field_type == TIFF_ASCII
1069             || fip->field_readcount == TIFF_VARIABLE
1070             || fip->field_readcount == TIFF_VARIABLE2
1071             || fip->field_readcount == TIFF_SPP
1072             || tv->count > 1) {
1073             *va_arg(ap, void **) = tv->value;
1074             ret_val = 1;

gdb --args thumbnail _TIFFVGetField.tif tmpout.tif
……
Program received signal SIGSEGV, Segmentation fault.
_TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1073
1073             *va_arg(ap, void **) = tv->value;
Missing separate debuginfos, use: dnf debuginfo-install glibc-2.22-10.fc23.x86_64 libjpeg-turbo-1.4.1-2.fc23.x86_64
(gdb) bt
#0  _TIFFVGetField (tif=<optimized out>, tag=<optimized out>, ap=<optimized out>) at tif_dir.c:1073
#1  0x00007ffff7a6b5e1 in TIFFGetField (tif=tif@entry=0x60a930, tag=tag@entry=326) at tif_dir.c:1158
#2  0x00000000004034a1 in cpTag (type=TIFF_LONG, count=<optimized out>, tag=<optimized out>, out=<optimized out>, in=<optimized out>) at thumbnail.c:167
#3  cpTags (out=<optimized out>, in=<optimized out>) at thumbnail.c:297
#4  cpIFD (out=<optimized out>, in=<optimized out>) at thumbnail.c:373
#5  main (argc=<optimized out>, argv=<optimized out>) at thumbnail.c:124
(gdb) x/xw ap-4
0xbffff2bc:     0x00000001

References:
[1] http://www.remotesensing.org/libtiff/

Thank you!
Best Regards,
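The crash in the report comes from a variadic out-parameter mismatch: the quoted branch in tif_dir.c stores a pointer through `void **` whenever the stored value is multi-valued, while the caller in thumbnail's cpTag (frame #2, type=TIFF_LONG) hands the getter the address of a 32-bit integer. The following is an added example written for this archive page, not code from the report or from libtiff: `Field`, `get_field()` and `fetch_field_safely()` are constructed stand-ins that reproduce the shape of the branch and show the caller-side check a defender wants, namely deciding which receiving object to pass before the call so that the store can never be wider than its target.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a libtiff-style tag value (not libtiff's own code):
 * count == 1 stores one 32-bit scalar inline; count > 1 stores a pointer
 * to an array of `count` values. */
typedef struct {
    uint32_t count;
    uint32_t scalar;        /* meaningful when count == 1 */
    const uint32_t *array;  /* meaningful when count > 1 */
} Field;

/* Mirrors the branch quoted from tif_dir.c: a multi-valued field is
 * delivered as a pointer through void **, a scalar through uint32_t *.
 * Like every variadic function it cannot verify which pointer type the
 * caller actually supplied. */
static void get_field(const Field *f, ...)
{
    va_list ap;
    va_start(ap, f);
    if (f->count > 1)
        *va_arg(ap, void **) = (void *)f->array; /* sizeof(void *) bytes */
    else
        *va_arg(ap, uint32_t *) = f->scalar;     /* 4 bytes */
    va_end(ap);
}

/* Bytes get_field() stores for a field with this count. */
static size_t bytes_written_for(uint32_t count)
{
    return count > 1 ? sizeof(void *) : sizeof(uint32_t);
}

/* 1 when a receiver of `receiver_size` bytes cannot hold that store: the
 * report's case is a uint32 receiver for a multi-valued TIFF_LONG tag. */
static int receiver_too_small(uint32_t count, size_t receiver_size)
{
    return bytes_written_for(count) > receiver_size;
}

typedef struct {
    int is_array;
    uint32_t scalar;
    const uint32_t *array;
    uint32_t n;
} Fetched;

/* Defensive caller: pick the receiving object from the field's count so
 * the out-parameter type always matches what get_field() writes. With real
 * libtiff the analogous decision is made from the tag's field definition
 * (its readcount / passcount) before calling TIFFGetField. */
static Fetched fetch_field_safely(const Field *f)
{
    Fetched r;
    memset(&r, 0, sizeof r);
    if (f->count > 1) {
        void *p = NULL;              /* sized for the pointer store */
        get_field(f, &p);
        r.is_array = 1;
        r.array = (const uint32_t *)p;
        r.n = f->count;
    } else {
        uint32_t v = 0;              /* sized for the scalar store */
        get_field(f, &v);
        r.scalar = v;
    }
    return r;
}

/* Constructed sample fields standing in for entries of a TIFF directory. */
static const uint32_t sample_rows[3] = { 7, 8, 9 };

static Field demo_scalar_field(void) { Field f = { 1, 42, NULL }; return f; }
static Field demo_array_field(void)  { Field f = { 3, 0, sample_rows }; return f; }

static uint32_t demo_scalar_value(void)
{
    Field f = demo_scalar_field();
    return fetch_field_safely(&f).scalar;
}

static uint32_t demo_array_length(void)
{
    Field f = demo_array_field();
    return fetch_field_safely(&f).n;
}

static uint32_t demo_array_first(void)
{
    Field f = demo_array_field();
    return fetch_field_safely(&f).array[0];
}

int main(void)
{
    printf("scalar field -> %u\n", demo_scalar_value());
    printf("array field  -> %u values, first %u\n",
           demo_array_length(), demo_array_first());
    printf("uint32 receiver for a multi-valued field too small: %d\n",
           receiver_too_small(3, sizeof(uint32_t)));
    return 0;
}
```

The point of `receiver_too_small()` is that the mismatch is invisible to the compiler and to the getter; only the caller knows the size of the object it passed, so the check has to live there, before the variadic call rather than inside it.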