oss-sec mailing list archives

CVE Request: libtiff: Heap-buffer overflow when processing a TIFF image with PixarLog Compression


From: Huzaifa Sidhpurwala <huzaifas () redhat com>
Date: Tue, 25 Sep 2012 14:36:32 +0530

On 09/23/2012 08:29 AM, Solar Designer wrote:

"libtiff 4.0.3 brings "various memory buffer access fixes". Does it fix
more than CVE-2012-3401?"

to which I have no answer.  The change log does in fact mention
"Various memory buffer access fixes." as the very first change listed
for libtiff.  Perhaps someone should review code changes.


I had a look at the libtiff-4.0.3 commit logs and found one issue which
seems to bring a possibility of heap-based buffer overflow when using a
tiff file with PixarLog compression format.

More details at:
https://bugzilla.redhat.com/show_bug.cgi?id=860198

Though memory overwrite outside the heap-buffer is only a few bytes, one
cannot really overwrite possible arbitrary code execution.

Can a CVE id please be assigned to the above flaw?

Found two other commits which seemed interesting, but I don't think
they could cause arbitrary code execution and I don't want to call
them security flaws.

1. OOB read crash in tif_packbits.c
2. Memory not properly initialised in tif_fax3.c. Again this one was
partly fixed in 4.0.2 and completely fixed in 4.0.3

If anyone else wants to investigate these in more details, please be my
guest :)

Thanks!

-- 
Huzaifa Sidhpurwala / Red Hat Security Response Team
