Bug 603024
| Summary: | libtiff: OJPEGReadBufferFill() NULL pointer deref | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Tomas Hoger <thoger> |
| Component: | libtiff | Assignee: | Tom Lane <tgl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Cermak <mcermak> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.0 | CC: | azelinka, hhorak, mcermak |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | libtiff-3.9.4-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-11-10 21:04:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Tomas Hoger
2010-06-11 10:30:34 UTC
Created attachment 423231 [details]
Reproducer

Test file from https://bugs.launchpad.net/bugs/589145

Adding as private for now, while the Launchpad bug is private.

Created attachment 423232 [details]
Upstream patch

With the patch applied, this file still crashes rgb2ycbcr. Crash seems similar to bug #583081.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.

(In reply to comment #3)
> With the patch applied, this file still crashes rgb2ycbcr. Crash seems similar
> to bug #583081.

There's no crash after applying the patch from: http://bugzilla.maptools.org/show_bug.cgi?id=2207

Proposed patch looks sane to me. This appears to be just a null-pointer-dereference crash and not exploitable for ACE, but still possibly should be considered a security issue on DoS grounds.

(In reply to comment #2)
> Created an attachment (id=423232) [details]
> Upstream patch

This patch is included in new upstream version 3.9.3:

* libtiff/tif_ojpeg.c (OJPEGReadBufferFill): Report an error and avoid a crash if the input file is so broken that the strip offsets are not defined.

Opening bug, original Launchpad bug is now public, and the fix is included in tiff 3.9.3 (see comment #7).

Created attachment 425925 [details]
Extra check for td_stripbytecount

There's a similar problem with td_stripbytecount, which can be NULL a few lines below the td_stripoffset check added in the upstream patch. Attached fix extends the check to td_stripbytecount and returns an error in a similar way to the upstream patch in comment #2.

Re comment #9: I've included that patch in the Fedora packages just posted. RHEL-6 build is awaiting ACKs on a couple of other bugs.

(In reply to comment #11)
> Re comment #9: I've included that patch in the Fedora packages just posted.
> RHEL-6 build is awaiting ACKs on a couple of other bugs.

Can you file an upstream bug for that issue too? I don't have an account in their BZ. TY!

Oh, reported in http://bugzilla.maptools.org/show_bug.cgi?id=1996 already.
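As an added illustration (not libtiff's code and not the patches attached to this bug), the following C model shows the two defensive checks the thread describes: the upstream 3.9.3 check that the strip offsets table exists before it is indexed, and the extra check on the strip byte counts table from the attachment above. The struct, field and function names (strip_dir, locate_strip, the fill_status values) and the sample directories are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the directory fields td_stripoffset and
 * td_stripbytecount (names are this example's own, not libtiff's). A file
 * that omits either tag leaves that table NULL; indexing it is the crash. */
struct strip_dir {
    uint32_t  nstrips;          /* number of strips in the directory */
    uint64_t *stripoffset;      /* file offset of each strip, or NULL */
    uint64_t *stripbytecount;   /* byte length of each strip, or NULL */
};
enum fill_status { FILL_OK = 0, FILL_NO_OFFSETS, FILL_NO_BYTECOUNTS, FILL_BAD_STRIP };
/* Locate strip `strile` for the next buffer fill. On success, *pos and
 * *togo receive the strip's file position and byte count. Every failure
 * is reported as an error code instead of touching a NULL table. */
enum fill_status locate_strip(const struct strip_dir *td, uint32_t strile,
                              uint64_t *pos, uint64_t *togo)
{
    if (strile >= td->nstrips)           /* index past the directory */
        return FILL_BAD_STRIP;
    /* Check from upstream 3.9.3: no strip offsets -> error, not a crash. */
    if (td->stripoffset == NULL) {
        fprintf(stderr, "Strip offsets are missing\n");
        return FILL_NO_OFFSETS;
    }
    /* Extra check from this bug: the byte-count table can be missing
     * even when the offsets table is present. */
    if (td->stripbytecount == NULL) {
        fprintf(stderr, "Strip byte counts are missing\n");
        return FILL_NO_BYTECOUNTS;
    }
    *pos  = td->stripoffset[strile];
    *togo = td->stripbytecount[strile];
    return FILL_OK;
}

/* Stand-alone run over constructed directories: one complete, two broken. */
int main(void)
{
    uint64_t offs[2] = { 8, 4096 }, counts[2] = { 4088, 1024 };
    struct strip_dir good = { 2, offs, counts };
    struct strip_dir no_offsets = { 2, NULL, counts };
    struct strip_dir no_counts = { 2, offs, NULL };
    uint64_t pos = 0, togo = 0;
    printf("good: %d\n", locate_strip(&good, 1, &pos, &togo));
    printf("no offsets: %d\n", locate_strip(&no_offsets, 0, &pos, &togo));
    printf("no byte counts: %d\n", locate_strip(&no_counts, 0, &pos, &togo));
    return 0;
}
```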
=> VERIFIED

Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.