LibTIFF - 'tif_jbig.c' Denial of Service

2017-07-06 02:05:02

Source: http://bugzilla.maptools.org/show_bug.cgi?id=2706

Triggered by “./tiff2ps $POC” or “./tiff2pdf $POC”

The asan debug information is below:

$./tiff2ps $POC


=================================================================
==26627==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1792 byte(s) in 7 object(s) allocated from:
#0 0x7f7c4f1a19aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
#1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
#2 0x3ea (<unknown module>)

Indirect leak of 170491316224 byte(s) in 223 object(s) allocated from:
#0 0x7f7c4f1a19aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
#1 0x7f7c4dca72fd (/usr/lib/x86_64-linux-gnu/libjbig.so.0+0x12fd)
#2 0x3ea (<unknown module>)

SUMMARY: AddressSanitizer: 170491318016 byte(s) leaked in 230 allocation(s).


Affected version:
<= the latest version (4.0.8)


Credits:

This vulnerability was detected by team OWL337, with our custom fuzzer collAFL.
Please contact [email protected] and [email protected] if you need more
info about the team, the tool or the vulnerability.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42300.zip
