Date: Mon, 22 Dec 2014 23:15:24 +0200
From: Paris Zoumpouloglou <pariszoump@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2014-9330: Libtiff integer overflow in bmp2tiff

It's true, the utilities are pretty buggy. I've stumbled upon many duplicate bugs in the tracker, probably because of all the afl action :)

What is also worth noting (I didn't notice at first) is that the latest available stable source code of libtiff (found here: http://download.osgeo.org/libtiff/) hasn't been updated since 2012. Since then many bugs have been reported which have been fixed in the CVS repo and distribution packages, but no one has changed the archives.

On 12/22/2014 09:48 PM, Michal Zalewski wrote:
>> Fuzzing bmp2tiff, using the afl-fuzzer, revealed an integer overflow issue
>> related to the dimensions of the input BMP image.
> It's probably worth noting that although the bundled utilities are
> pretty buggy, there are also several bugs affecting the libtiff
> library itself that can be hit with afl if you clean up the
> utility-level bugs first; these affect ImageMagick and any tools that
> rely on libtiff to display untrusted images.
>
> I reported some privately to the maintainers few weeks ago (before
> your report, in fact), but haven't had a lot of success so far.
> There's at least one other person who did the same.
>
> /mz
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
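The bug class the thread refers to (an integer overflow driven by the width, height and depth fields of an untrusted BMP header) is worth seeing next to its mitigation. The following is an added illustration, not code from libtiff, bmp2tiff or anyone in this thread, and it does not reproduce the CVE-2014-9330 defect: the function names `bmp_pixel_bytes_naive` and `bmp_pixel_bytes` are hypothetical. It contrasts the wrapping arithmetic that makes such bugs possible with a size computation that detects overflow before any allocation happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical "before" pattern: width * height * bytes-per-pixel computed in
 * 32-bit unsigned arithmetic. With attacker-chosen header fields the product
 * can wrap modulo 2^32, so a tiny buffer is allocated for a huge image. */
uint32_t bmp_pixel_bytes_naive(uint32_t width, uint32_t height, uint16_t bpp)
{
    return width * height * (uint32_t)(bpp / 8);
}

/* Hypothetical hardened version: compute the padded row stride and the total
 * pixel-array size with explicit overflow checks. BMP rows are padded to a
 * 4-byte boundary. Returns 0 on success (size in *out), -1 on any suspicious
 * or overflowing input, so the caller never allocates from a wrapped value. */
int bmp_pixel_bytes(uint32_t width, uint32_t height, uint16_t bpp, size_t *out)
{
    if (out == NULL || width == 0 || height == 0)
        return -1;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return -1;                                   /* reject unknown depths */

    /* width * bpp fits in 64 bits (both operands are < 2^32), so this cannot wrap */
    uint64_t row_bits  = (uint64_t)width * bpp;
    uint64_t row_bytes = ((row_bits + 31) / 32) * 4; /* padded stride, < 2^35 */

    /* row_bytes * height could exceed 64 bits; check before multiplying */
    if (row_bytes > UINT64_MAX / height)
        return -1;
    uint64_t total = row_bytes * height;

    /* the result must also fit the platform's size_t before it reaches malloc */
    if (total > (uint64_t)SIZE_MAX)
        return -1;

    *out = (size_t)total;
    return 0;
}

int main(void)
{
    /* constructed header values: a 65536 x 65536 8-bit image */
    uint32_t w = 0x10000u, h = 0x10000u;
    uint16_t bpp = 8;
    size_t checked = 0;

    printf("naive size:   %u bytes\n", bmp_pixel_bytes_naive(w, h, bpp));
    if (bmp_pixel_bytes(w, h, bpp, &checked) == 0)
        printf("checked size: %zu bytes\n", checked);
    else
        printf("checked size: rejected (overflow)\n");
    return 0;
}
```

On a 64-bit build the naive computation reports 0 bytes for the 65536 x 65536 image (2^32 wraps to zero) while the checked version returns the true 4 GiB figure or, where that does not fit `size_t`, refuses the header outright. A parser that allocates from the naive value and then writes `width * height` pixels into it is the shape of bug that fuzzers such as afl find quickly; the checked helper turns the same input into a clean rejection.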