|
Message-ID: <Pine.GSO.4.64.1007011345291.18626@faron.mitre.org>
Date: Thu, 1 Jul 2010 13:58:11 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: Tomas Hoger <thoger@...hat.com>
Subject: Re: CVE requests: LibTIFF

Below are some more CVEs from the additional work of one of our analysts on this nasty wasty thread. (Josh, notice the RHEL one).

For CVE, we will typically cover client-side crashers, although many don't think those are important enough unless there's evidence of a possibility of code execution or some broader problem. For OSS vendors, I have kind of an unspoken, informal agreement that they might not assign CVEs to crashers, but we might do so after they get published.

With a library, though, you don't know what that crash is going to affect, because it depends on what software is using the library - it could be an image server, web spider, cron job, etc. for which a crash has worse consequences than just inconvenience. So, crashers in libraries are especially deserving of a CVE.

Personally, I also think that any client that can support multiple "sessions" at the same time should also treat crashers as a security issue. E.g. in a web browser, someone may be surfing multiple web pages, or in an IRC client, participating in multiple chats. An attacker from one "thread" could cause a DoS to all other threads. Technically, IMO, this violates a security model in which only the endpoints of a communication channel have the "privilege" to close that channel... even if it's really low priority for most people.

- Steve

======================================================
Name: CVE-2010-2595
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2595
Reference: CONFIRM:http://bugzilla.maptools.org/show_bug.cgi?id=2208
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081

The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers an array index error, related to "downsampled OJPEG input."

======================================================
Name: CVE-2010-2596
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2596
Reference: CONFIRM:http://bugzilla.maptools.org/show_bug.cgi?id=2209
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081

The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input."

======================================================
Name: CVE-2010-2597
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2597
Reference: CONFIRM:http://bugzilla.maptools.org/show_bug.cgi?id=2215
Reference: CONFIRM:https://bugs.launchpad.net/bugs/593067
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=603703

The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to "downsampled OJPEG input" and possibly related to a compiler optimization that triggers a divide-by-zero error.

======================================================
Name: CVE-2010-2598
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2598
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=583081

LibTIFF in Red Hat Enterprise Linux (RHEL) 3 on x86_64 platforms, as used in tiff2rgba, attempts to process image data even when the required compression functionality is not configured, which allows remote attackers to cause a denial of service via a crafted TIFF image, related to "downsampled OJPEG input."