CVE-2017-16231: PCRE 8.41 match() stack overflow; CVE-2017-16232: LibTIFF 4.0.8 memory leaks

["????" <16362505 () qq com>]

------------------ Original ------------------
From:  "cve-request"<cve-request () mitre org>;
Date:  Mon, Oct 30, 2017 08:36 PM
To:  "zhangjw"<zhangjw () cert org cn>; 
Cc:  "cve-request"<cve-request () mitre org>; 
Subject:  Re: [scr412063] PCRE; LibTIFF

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The two CVE IDs are below. Please note that CVE can cover a memory
leak within a library (such as any file in the tiff-4.0.8/libtiff
subdirectory), but cannot cover a memory leak in a command-line
program. Therefore, please omit reports about a memory leak affecting
tools/tiff2bw.c or a different tools/*.c file.


> [Suggested description]
> In PCRE 8.41,
> after compiling, a pcretest load test PoC produces a crash overflow
> in the function match() in pcre_exec.c because of a self-recursive call.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Buffer Overflow
>
> ------------------------------------------
>
> [Vendor of Product]
> Perl Compatible Regular Expressions
>
> ------------------------------------------
>
> [Affected Product Code Base]
> PCRE - 8.41
>
> ------------------------------------------
>
> [Affected Component]
> file:pcre_exec.c
> function match() line 983 and line 2061
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> A crash file
>
> ------------------------------------------
>
> [Discoverer]
> ZHANG JIAWANG from cncert

Use CVE-2017-16231.


> [Suggested description]
> LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
> attackers to cause a denial of service (memory consumption), as demonstrated
> by tif_open.c, tif_lzw.c, and tif_aux.c
>
> ------------------------------------------
>
> [Additional Information]
> /tiff2bw ../../../../libtiff_4.0.8_afl/2bw_output/crashes/poc.tif 222.tif
> LZWDecode: Not enough data at scanline 0 (short 6442443006 bytes).
> /usr/local/bin/llvm-symbolizer: /lib/x86_64-linux-gnu/libtinfo.so.5: no version information available (required by 
> /usr/local/bin/llvm-symbolizer)
>
> =================================================================
> ==25328==ERROR: LeakSanitizer: detected memory leaks
>
> Direct leak of 6442451106 byte(s) in 1 object(s) allocated from:
>     #0 0x4bbfd3 in __interceptor_malloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
>     #1 0x4e88be in main /home/zzt/Fuzzing/Victims/ASAN/tiff-4.0.8/tools/tiff2bw.c:258:28
>     #2 0x7f293f0fdabf in __libc_start_main /build/glibc-qbmteM/glibc-2.21/csu/libc-start.c:289
>
> Direct leak of 1137 byte(s) in 1 object(s) allocated from:
>     #0 0x4bbfd3 in __interceptor_malloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
>     #1 0x54d6b6 in TIFFClientOpen /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_open.c:119
>
> Indirect leak of 81904 byte(s) in 1 object(s) allocated from:
>     #0 0x4bbfd3 in __interceptor_malloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
>     #1 0x5ea2e9 in LZWSetupDecode /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_lzw.c:232
>
> Indirect leak of 2273 byte(s) in 5 object(s) allocated from:
>     #0 0x4bc3d7 in realloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
>     #1 0x56f5db in _TIFFCheckRealloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73
>     #2 0x56f5db in _TIFFCheckMalloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:88
>
> Indirect leak of 1240 byte(s) in 2 object(s) allocated from:
>     #0 0x4bc3d7 in realloc /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
>     #1 0x56f430 in _TIFFCheckRealloc /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73
>
> ------------------------------------------
>
> [Vendor of Product]
> TIFF Library and Utilities
>
> ------------------------------------------
>
> [Affected Product Code Base]
> LibTIFF tiff2bw - 4.0.8
>
> ------------------------------------------
>
> [Affected Component]
> multi memory leak vulnerabilities in files as tiff2bw.c tif_open.c and so on
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> to open a poc file
>
> ------------------------------------------
>
> [Discoverer]
> ZHANG JIAWANG from cncert

Use CVE-2017-16232.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJZ9xyjAAoJEHb/MwWLVhi2UroP/28YC8ygYKkoMyb161Vf4KWR
31U5G6fhAy4vogtjc17NQOcAxFElc1hopqgdSBjzsfFKJHhpAlegs5mn7oyMtUfS
UoiC92LuiasCi9h2/AS+CBqbh2ZleTpWChvqxjgGM/WFvUJ3jpSexErUrf4x/H+T
ZGhNZE1hCuTEkuUo4Yxu/qWdvtlcZ2N2TanrbntA7XaTiar/C8MGgfVf8YrNaj63
PX/XcGV1sQxUVh9M8hudByvejgzXCYdLcrb4XfeFqZUeki2Qjxa2hJYBRAgKUWKZ
MwMDzQScI/rKMgsEmPeWrLqw88kiyFIl/V65YY8NYsZrZS8V92JlJQHWfPw/Rs5W
JtKDwp5eK5X4FEb9OX/Ox1MEU/Hp/mFl3an/0c+kumKz34Jn2T/SErpdfTml/yTN
clTRHbnid3nAlxfI9U7uUszuv8H0rYgV4v4Vsis37K7rS4Kxl2nucUv4T0/9rVtQ
O16piFmIkwNuLfJvipJQXR7F2BOLNgZ3hiIDwfOUNnkEKEcRLyo1Dyyft42WufpR
tL8JyTonMQqNee3lvgmlz/LHBjnCJafyF/2OSyGmIYubpmUbUWkhsshkYRSIyhaQ
/1z7GP7Iez4QkbxhlF+4gxprxtrt+mHbINPRXM4vJQB/RRvvV81DAKjVfoZzeJLM
l9qmqrROzVkGXO9eQLkP
=PcOO
-----END PGP SIGNATURE-----

Attachment: pcre_poc.txt
Description:

Attachment: libtiff_poc.tif
Description: