
2013.09.20 16:24 "Re: [Tiff] Vulnerabilities in libtiff 4.0.3", by Bob Friesenhahn
Justification:
Use of sprintf to write into a 2048 character buffer. The input is the filename, which might be over 2048 if crafted by a malicious user. However I could not determine this as the code is not easy to navigate.
This appears to be resolved already in CVS since the code now uses snprintf() instead of sprintf():
snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
Please be aware that snprintf is not assured to null-terminate the destination string. Is this being handled by subsequent statements or is the problem only changed?
Bob
--
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
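
Added example, not part of the original message and not libtiff code: one way to make the bounded call discussed above report truncation and stay terminated. C99 `snprintf` terminates the output whenever the size is nonzero, while pre-C99 and vendor variants such as MSVC's `_snprintf` may not, so the sketch terminates explicitly. The helper name `format_title` and the sample file names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from libtiff): format the message into buf,
 * guarantee NUL termination, and report whether the output was cut short.
 * Returns 0 if it fit, 1 if truncated, -1 on bad arguments or format error. */
static int format_title(char *buf, size_t size, const char *filename)
{
    int n;

    if (buf == NULL || size == 0 || filename == NULL)
        return -1;

    n = snprintf(buf, size, "YCbCr conversion of %s", filename);

    /* C99 already terminates when size > 0; this also covers older or
     * vendor variants that leave a full buffer unterminated. */
    buf[size - 1] = '\0';

    if (n < 0) {
        buf[0] = '\0';        /* output error: leave an empty string */
        return -1;
    }
    if ((size_t)n >= size)
        return 1;             /* n is the length that was needed */
    return 0;
}

int main(void)
{
    char buf[2048];           /* buffer size taken from the report */
    char longname[4096];      /* constructed oversized file name */

    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    printf("short name: %d\n", format_title(buf, sizeof(buf), "in.tif"));
    printf("long name:  %d, stored length %lu\n",
           format_title(buf, sizeof(buf), longname),
           (unsigned long)strlen(buf));
    return 0;
}
```

A caller that gets 1 back can reject the file name or allocate a larger buffer instead of continuing with a silently shortened string.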