
List:       oss-security
Subject:    Re: [oss-security] tiff2pdf: Heap-based buffer overflow due to improper initialization of T2P context
From:       Solar Designer <solar () openwall ! com>
Date:       2012-09-23 2:59:47
Message-ID: 20120923025947.GA6812 () openwall ! com

On Thu, Jul 19, 2012 at 08:15:59AM +0530, Huzaifa Sidhpurwala wrote:
> I found the following flaw in the tiff2pdf tool, shipped with libtiff:
> 
> A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF
> image to PDF document conversion tool shipped with libtiff (a library of
> functions for manipulating TIFF, Tagged Image File Format, image files),
> performed the write of TIFF image content into a particular PDF document
> file when a T2P context struct pointer that had not been properly
> initialized was provided by tiff2pdf (the application requesting the
> conversion) as one of the parameters for the routine performing the
> write. A remote attacker could provide a specially crafted TIFF image
> file that, when processed by tiff2pdf, would lead to a tiff2pdf crash
> or, potentially, arbitrary code execution with the privileges of the
> user running the tiff2pdf binary.
> 
> This issue has been assigned CVE-2012-3401.
> 
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=837577
> 
> The relevant patch for the issue has been applied to the upstream
> libtiff-4.0.2 branch

This is finally patched in 4.0.3:

http://www.remotesensing.org/libtiff/v4.0.3.html

Frank Denis additionally noted:

http://twitter.com/jedisct1/status/249699555115945984

"libtiff 4.0.3 brings "various memory buffer access fixes". Does it fix
more than CVE-2012-3401?"

to which I have no answer.  The change log does in fact mention
"Various memory buffer access fixes." as the very first change listed
for libtiff.  Perhaps someone should review the code changes.

Alexander
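The advisory quoted above describes the bug only in general terms: a context struct that was never properly initialized was handed to the routine that writes the image data, and the routine trusted the fields it found there. The following is an added illustration of that pattern in generic form, not libtiff's or tiff2pdf's code; `out_ctx`, `ctx_init`, `write_checked` and the magic constant are invented for this example. It puts the trusting writer next to one that refuses a context that never went through its initializer and bounds every copy against the remaining capacity.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical output context, a stand-in for the kind of "T2P context"
 * the advisory refers to. It is NOT libtiff's struct; the field names
 * are invented for this example. */
typedef struct {
    uint32_t magic;  /* written only by ctx_init(); lets a writer detect a context that was never initialized */
    uint8_t *buf;    /* heap buffer receiving the output */
    size_t   cap;    /* bytes allocated for buf */
    size_t   used;   /* bytes already written into buf */
} out_ctx;

#define OUT_CTX_MAGIC 0x54325043u  /* arbitrary constant chosen for the example */

/* Initialize every field before the context is handed to any writer. */
int ctx_init(out_ctx *c, size_t cap)
{
    if (c == NULL || cap == 0)
        return -1;
    memset(c, 0, sizeof *c);
    c->buf = calloc(cap, 1);
    if (c->buf == NULL)
        return -1;
    c->cap = cap;
    c->magic = OUT_CTX_MAGIC;
    return 0;
}

void ctx_free(out_ctx *c)
{
    if (c == NULL)
        return;
    free(c->buf);
    memset(c, 0, sizeof *c);  /* clears magic, so a later write is refused instead of hitting freed memory */
}

/* The shape of the bug: the writer trusts buf, cap and used as it finds
 * them. If the caller passed a context it never initialized, those fields
 * hold whatever bytes were left in memory and memcpy can write past the
 * heap buffer. Kept for illustration only; nothing below calls it. */
size_t write_unchecked(out_ctx *c, const void *src, size_t n)
{
    memcpy(c->buf + c->used, src, n);
    c->used += n;
    return n;
}

/* Hardened writer: refuses a context that ctx_init() never saw and bounds
 * the copy against the remaining capacity. Returns 0 on success, -1 on refusal. */
int write_checked(out_ctx *c, const void *src, size_t n)
{
    if (c == NULL || src == NULL || c->magic != OUT_CTX_MAGIC || c->buf == NULL)
        return -1;
    if (c->used > c->cap || n > c->cap - c->used)  /* subtraction cannot wrap */
        return -1;
    memcpy(c->buf + c->used, src, n);
    c->used += n;
    return 0;
}

/* Scenario: a 16-byte context receives a 10-byte chunk, then an 8-byte one.
 * Returns the number of bytes the hardened writer accepted: 10, because the
 * second chunk would run past the buffer and is refused. */
size_t demo_bounded_write(void)
{
    static const char chunk_a[10] = "0123456789";  /* constructed sample data */
    static const char chunk_b[8]  = "abcdefgh";    /* constructed sample data */
    out_ctx c;
    size_t accepted = 0;

    if (ctx_init(&c, 16) != 0)
        return 0;
    if (write_checked(&c, chunk_a, sizeof chunk_a) == 0)
        accepted += sizeof chunk_a;
    if (write_checked(&c, chunk_b, sizeof chunk_b) == 0)
        accepted += sizeof chunk_b;
    ctx_free(&c);
    return accepted;
}

/* Scenario: a context that was declared but never passed through ctx_init().
 * It is zero-filled here so the result is deterministic; real leftover
 * memory would be worse. Returns -1: the writer refuses it without touching buf. */
int demo_uninitialized_refused(void)
{
    out_ctx never_initialized = {0};
    const uint8_t byte = 0x2A;
    return write_checked(&never_initialized, &byte, 1);
}
```

The magic field is the cheap part of the check; the bound against `cap - used` is what actually prevents the heap write from running off the end once the context is valid. In a real code base the same effect is usually obtained by making the initializer the only way to obtain a context (returning an allocated, fully set-up pointer) so that the writer is never reachable with a half-built one.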