[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] CVE-2013-5575 LibTIFF through 3.9.5 integer overflow
From: Huzaifa Sidhpurwala <huzaifas () redhat ! com>
Date: 2013-08-26 5:17:32
Message-ID: 521AE21C.9030600 () redhat ! com
[Download RAW message or body]
On 08/24/2013 08:15 PM, cve-assign@mitre.org wrote:
> http://archives.neohapsis.com/archives/fulldisclosure/2013-08/0247.html
> http://www.x90c.org/advisories/xadv_2013001_libtiff.txt
>
> This apparently only affects older versions but seems different from
> CVE-2012-1173 and other CVEs, so it is assigned CVE-2013-5575.
>
>
There seems to be no vulnerability in here, checkout the exploit code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "tiffio.h"
int tiff_integer_overflow_test(){
TIFF* tif = TIFFOpen("/home/x90c/sample_spp.tif", "r");
int samples = 0;
/*
* for instance, TIFFGetField library function will
* called with malicious samplesperpixel field value
* TIFFGetField got segfault!
*/
TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples);
printf("tiff_poc: tif samplesperpixel field=%d\n", samples);
}
This is obviously missing a check for the return value of *tif after
TIFFOpen(). In the above case, since libtiff isnt able to open the file,
it returns a NULL, Our "exploit" code above tried to run TIFFGetField()
on it, and results in a "fixed value deference",so this is user-mistake
and not a vulnerability.
I want to ask to REJECT this CVE.
--
Huzaifa Sidhpurwala / Red Hat Security Response Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic