
tiff / CVE-2018-15209



I have been trying to reproduce this bug (buffer overflow), but instead
I get increasing memory usage until my computer crashes, with versions
from Jessie, Stretch, and Sid. So maybe another security issue?

I note that CVE-2017-11613 and CVE-2018-5784 can use unbounded
memory. However, these are marked as fixed everywhere but Stretch.

As far as I can tell, the relevant code is:

        uint64* newcounts;

        ...

        newcounts = (uint64*) _TIFFCheckMalloc(tif, nstrips, sizeof (uint64),
                                "for chopped \"StripByteCounts\" array");

        ...

        for (strip = 0; strip < nstrips; strip++) {
                ...
                newcounts[strip] = stripbytes;
                ...
        }

However, I cannot see how this could cause a buffer overflow
condition. We appear to allocate nstrips uint64, and then use nstrips
uint64.
-- 
Brian May <bam@debian.org>
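Added example (my own illustration, not libtiff's code) modelling the allocate-then-fill pattern quoted in the message: `checked_malloc` is a hypothetical stand-in for `_TIFFCheckMalloc`, and `bytes_requested` is an assumed helper. It shows that the write loop never steps past the nstrips elements allocated, and that a very large nstrips becomes a very large (or refused) allocation rather than an out-of-bounds write.

```c
/* Added illustration, not libtiff's code: models the quoted
 * allocate-then-fill pattern for the chopped StripByteCounts array. */
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for _TIFFCheckMalloc: allocate nmemb elements
 * of elem_size bytes, refusing when the product would wrap size_t. */
static void *checked_malloc(size_t nmemb, size_t elem_size)
{
    if (nmemb != 0 && elem_size > SIZE_MAX / nmemb)
        return NULL;                 /* nmemb * elem_size would overflow */
    return malloc(nmemb * elem_size);
}

/* Bytes a request for nstrips uint64 values amounts to; 0 if it wraps.
 * Assumed helper, used to show where memory growth comes from. */
uint64_t bytes_requested(size_t nstrips)
{
    if (nstrips > SIZE_MAX / sizeof(uint64_t))
        return 0;
    return (uint64_t)nstrips * sizeof(uint64_t);
}

/* Mirrors the quoted loop: allocate nstrips counts, then write exactly
 * nstrips of them. Returns the array, or NULL if allocation failed.
 * The caller frees the result. */
uint64_t *build_strip_counts(size_t nstrips, uint64_t stripbytes)
{
    uint64_t *newcounts = checked_malloc(nstrips, sizeof(uint64_t));
    if (newcounts == NULL)
        return NULL;
    for (size_t strip = 0; strip < nstrips; strip++)
        newcounts[strip] = stripbytes; /* strip < nstrips: always in bounds */
    return newcounts;
}
```

With nstrips large but below the overflow check, the request itself is nstrips * 8 bytes, which is the memory-growth mode rather than a heap overflow.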

