bugtraq - NGS00057 Technical Advisory: Apple Mac OS X ImageIO Integer Overflow

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <7E45577E4E72EC42BB3F8560D57E755134936A76@manexchprd01>
Date: Tue, 28 Jun 2011 14:18:35 +0000
From: "Research@...Secure" <research@...secure.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NGS00057 Technical Advisory: Apple Mac OS X ImageIO Integer Overflow

=======
Summary
=======
Name: Apple Mac OS X ImageIO TIFF Integer Overflow
Release Date: 28 June 2011
Reference: NGS00057
Discoverer: Dominic Chell <dominic.chell@...secure.com>
Vendor: Apple
Vendor Reference: 142522746
Systems Affected: Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This issue does not affect systems prior to Mac OS X v10.6
Risk: High
Status: Published

========
TimeLine
========
Discovered:  8 March 2011
Released:  8 March 2011
Approved:  8 March 2011
Reported:  8 March 2011
Fixed: 21 March 2011
Published: 28 June 2011

===========
Description
===========
A heap overflow is caused by a signedness vulnerability within copyImageBlockSetTiff().
The crash occurs within any application using the framework, including Preview, QuickLook, Safari & Mail.

=================
Technical Details
=================
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movdqa	%xmm1,CONSTANT(%rdi,%rcx):instruction_address=0x00007fffffe0088c:access_type=write:access_address=0x00000001159d0000:
Crash accessing invalid address.  Consider running it again with libgmalloc(3) to see if the log changes.
Test case was copyImageBlockSetTiff

Process:         qlmanage [4763]
Path:            /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app/Contents/MacOS/qlmanage
Identifier:      qlmanage
Version:         ??? (???)
Code Type:       X86-64 (Native)
Parent Process:  exc_handler [4762]

PlugIn Path:       /usr/bin/qlmanage
PlugIn Identifier: qlmanage
PlugIn Version:    ??? (???)

Date/Time:       2011-03-07 21:47:33.598 +0000
OS Version:      Mac OS X 10.6.6 (10J567)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000001159d0000
Crashed Thread:  6

===============
Fix Information
===============
http://support.apple.com/kb/HT4581

NGS Secure Research
http://www.ngssecure.com