Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-15 Thread Brian May
Raphael Hertzog writes:
>> What does the TIFFReadDirectoryFindFieldInfo function do? What
>> situations is TIFFReadDirectoryFindFieldInfo unsuccessful?
>
> I don't know.

It searches for the field in the tiff file. As I guessed. Which confused me (and still does), if the field is not there, how

Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-15 Thread Raphael Hertzog
On Thu, 15 Sep 2016, Brian May wrote:
> What does the TIFFReadDirectoryFindFieldInfo function do? What
> situations is TIFFReadDirectoryFindFieldInfo unsuccessful?

I don't know.

> You could perhaps mitigate by requiring an extra parameter that declares
> the number of options you are parsing, how

Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-15 Thread Raphael Hertzog
On Thu, 15 Sep 2016, Brian May wrote:
> Salvatore Bonaccorso writes:
>
> > Minor comment: if you are sure that those are duplicates you might try
> > to contact MITRE to make them aware.
>
> I was just going based on what others have said, e.g. in the linked
> reports. Would hope that one of the

Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-15 Thread Brian May
Raphael Hertzog writes:
> I agree on all this but somehow I have the feeling that we can still
> do better for example by blacklisting tags that are known to use a single
> extension and refusing to handle them as custom
>
> My problem is that I'm not sure that we have a comprehensive list of suc

Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-15 Thread Brian May
Salvatore Bonaccorso writes:
> Minor comment: if you are sure that those are duplicates you might try
> to contact MITRE to make them aware.

I was just going based on what others have said, e.g. in the linked reports. Would hope that one of them has already contacted MITRE...

--
Brian May

Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-14 Thread Salvatore Bonaccorso
Hi Brian,

On Wed, Sep 14, 2016 at 08:26:06AM +1000, Brian May wrote:
> CVE-2015-7554 / http://bugzilla.maptools.org/show_bug.cgi?id=2564
>
> Duplicate:
>
> CVE-2016-5318 / http://bugzilla.maptools.org/show_bug.cgi?id=2561

Minor comment: if you are sure that those are duplicates you might try to

Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-14 Thread Raphael Hertzog
Hi,

On Wed, 14 Sep 2016, Brian May wrote:
> CVE-2015-7554 / http://bugzilla.maptools.org/show_bug.cgi?id=2564
>
> Duplicate:
>
> CVE-2016-5318 / http://bugzilla.maptools.org/show_bug.cgi?id=2561
>
> What would be considered an acceptable fix here? It looks like a proper
> fix is not available w

tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

2016-09-13 Thread Brian May
CVE-2015-7554 / http://bugzilla.maptools.org/show_bug.cgi?id=2564

Duplicate:

CVE-2016-5318 / http://bugzilla.maptools.org/show_bug.cgi?id=2561

What would be considered an acceptable fix here? It looks like a proper fix is not available without changing the API due to limitations in the stdarg.h