More crashes in libtiff
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tiff (Ubuntu) | Confirmed | Low | Unassigned |
Bug Description
Binary package hint: libtiff4
I saw your recent USN-954-1 on the full-disclosure mailing list, and I recalled that I have more libtiff crashes. I put them here:
http://
One is a NULL-pointer dereference (DoS); the other two look more likely to be exploitable, but I didn't dig deeper.
I sent these testcases around ~2 weeks ago to Frank Warmerdam and Andrey Kiselev, but no response so far.
Tested with your newest
libtiff-tools 3.9.2-2ubuntu0.3
libtiff4 3.9.2-2ubuntu0.3
on Ubuntu lucid amd64.
Please test with 'tiffinfo -d' (I was told that it's the only recommended way to test the libtiff API for bugs).
What is more, please, please disable support for old-jpeg in libtiff; it's full of well-known and easy-to-find security bugs.
Example:
$ tiffinfo -d "SIGSEGV.
Segmentation fault (core dumped)
$ gdb /usr/bin/tiffinfo
(gdb) r -d "SIGSEGV.
Starting program: /usr/bin/tiffinfo -d "SIGSEGV.
Program received signal SIGSEGV, Segmentation fault.
memcpy () at ../sysdeps/
267 ../sysdeps/
in ../sysdeps/
(gdb) bt
#0 memcpy () at ../sysdeps/
#1 0x00007ffff7baf7de in ?? () from /usr/lib/
#2 0x00007ffff7baf9b4 in TIFFFillStrip () from /usr/lib/
#3 0x00007ffff7baff64 in TIFFReadEncoded
#4 0x0000000000401cdf in ?? ()
#5 0x0000000000401d98 in ?? ()
#6 0x0000000000401e74 in ?? ()
#7 0x000000000040218e in ?? ()
#8 0x00007ffff7157c4d in __libc_start_main (main=<value optimized out>, argc=<value optimized out>, ubp_av=<value optimized out>, init=<value optimized out>, fini=<value optimized out>, rtld_fini=<value optimized out>,
stack_
#9 0x0000000000401219 in ?? ()
#10 0x00007fffffffe2a8 in ?? ()
#11 0x000000000000001c in ?? ()
#12 0x0000000000000003 in ?? ()
#13 0x00007fffffffe580 in ?? ()
#14 0x00007fffffffe592 in ?? ()
#15 0x00007fffffffe595 in ?? ()
#16 0x0000000000000000 in ?? ()
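The report reproduces each crash by hand with `tiffinfo -d` under gdb and reads the backtrace. The script below is an added example (not part of the Launchpad report or of libtiff) that automates that triage step from the maintainer's side: it runs each test case in a directory under `gdb -batch`, extracts the signal and the first named libtiff frame from the output, and groups files by that key so duplicates of the same bug are easy to spot. It assumes `tiffinfo` and `gdb` are on PATH; the embedded backtrace is a constructed sample loosely modelled on the one above, not captured output.

```shell
#!/bin/sh
# Crash triage helper for libtiff test cases (added example, not from the report).
# Assumes: tiffinfo and gdb on PATH; test cases in the directory given as $1.

# Constructed sample gdb output, modelled on the report's session, used for
# offline checks of the parsing functions below. Library path is illustrative.
SAMPLE_BT='Starting program: /usr/bin/tiffinfo -d sample.tif
Program received signal SIGSEGV, Segmentation fault.
#0  memcpy () at ../sysdeps/memcpy.S:267
#1  0x00007ffff7baf7de in ?? () from /usr/lib/libtiff.so.4
#2  0x00007ffff7baf9b4 in TIFFFillStrip () from /usr/lib/libtiff.so.4
#3  0x00007ffff7baff64 in TIFFReadEncodedStrip () from /usr/lib/libtiff.so.4
#4  0x0000000000401cdf in ?? ()'

# Signal name reported by gdb (SIGSEGV, SIGABRT, ...), or "none" if the
# program exited without a fatal signal.
crash_signal() {
    sig=$(printf '%s\n' "$1" | sed -n 's/^Program received signal \([A-Z0-9]*\),.*/\1/p' | head -n 1)
    if [ -n "$sig" ]; then
        printf '%s\n' "$sig"
    else
        printf 'none\n'
    fi
}

# First backtrace frame whose function name starts with TIFF. Frames in libc
# (memcpy) and unresolved "??" frames are skipped so the summary points at the
# libtiff routine that made the bad call. Prints "unknown" if none is found.
first_libtiff_frame() {
    printf '%s\n' "$1" | awk '
        /^#[0-9]+ / && / in TIFF[A-Za-z0-9_]* \(/ {
            for (i = 1; i <= NF; i++) if ($i == "in") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# Triage key combining signal and frame, e.g. "SIGSEGV:TIFFFillStrip".
crash_key() {
    printf '%s:%s\n' "$(crash_signal "$1")" "$(first_libtiff_frame "$1")"
}

# Run one test case under gdb in batch mode (the manual 'tiffinfo -d' check
# from the report) and print its crash key.
triage_file() {
    out=$(gdb -batch -ex run -ex bt --args tiffinfo -d "$1" 2>&1)
    crash_key "$out"
}

# Triage every regular file in a directory; output is "key<TAB>path", sorted
# so test cases that hit the same signal/frame pair end up adjacent.
triage_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(triage_file "$f")" "$f"
    done | sort
}

# Usage: sh triage.sh /path/to/testcases
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    triage_dir "$1"
fi
```

The key deliberately uses the first libtiff frame rather than frame #0: a crash in `memcpy` says nothing about which libtiff caller passed it a bad length, while `TIFFFillStrip` does. Two test cases with the same key are likely duplicates and can be checked against one fix.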
summary: More crashed in libtiff → More crashes in libtiff
Changed in tiff (Ubuntu):
assignee: nobody → Kees Cook (kees)
Here's a list of what I've reported:
http://bugzilla.maptools.org/buglist.cgi?bug_file_loc=&bug_file_loc_type=allwordssubstr&bug_id=&bugidtype=include&chfieldfrom=&chfieldto=Now&chfieldvalue=&email1=robert%40swiecki.net&email2=&emailassigned_to2=1&emailcc2=1&emailreporter1=1&emailreporter2=1&emailtype1=substring&emailtype2=substring&field-1-0-0=reporter&field0-0-0=noop&keywords=&keywords_type=allwords&long_desc=&long_desc_type=allwordssubstr&query_format=advanced&remaction=&short_desc=&short_desc_type=allwordssubstr&status_whiteboard=&status_whiteboard_type=allwordssubstr&type-1-0-0=substring&type0-0-0=noop&value-1-0-0=robert%40swiecki.net&value0-0-0=&votes=&order=bugs.bug_id%20desc&query_based_on=