======= Summary ======= Name: Apple Mac OS X ImageIO TIFF Integer Overflow Release Date: 28 June 2011 Reference: NGS00057 Discoverer: Dominic Chell Vendor: Apple Vendor Reference: 142522746 Systems Affected: Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This issue does not affect systems prior to Mac OS X v10.6 Risk: High Status: Published ======== TimeLine ======== Discovered: 8 March 2011 Released: 8 March 2011 Approved: 8 March 2011 Reported: 8 March 2011 Fixed: 21 March 2011 Published: 28 June 2011 =========== Description =========== A heap overflow is caused by a signedness vulnerability within copyImageBlockSetTiff(). The crash occurs within any application using the framework, including Preview, QuickLook, Safari & Mail. ================= Technical Details ================= exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=movdqa %xmm1,CONSTANT(%rdi,%rcx):instruction_address=0x00007fffffe0088c:access_type=write:access_address=0x00000001159d0000: Crash accessing invalid address. Consider running it again with libgmalloc(3) to see if the log changes. Test case was copyImageBlockSetTiff Process: qlmanage [4763] Path: /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app/Contents/MacOS/qlmanage Identifier: qlmanage Version: ??? (???) Code Type: X86-64 (Native) Parent Process: exc_handler [4762] PlugIn Path: /usr/bin/qlmanage PlugIn Identifier: qlmanage PlugIn Version: ??? (???) Date/Time: 2011-03-07 21:47:33.598 +0000 OS Version: Mac OS X 10.6.6 (10J567) Report Version: 6 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000001159d0000 Crashed Thread: 6 =============== Fix Information =============== http://support.apple.com/kb/HT4581 NGS Secure Research http://www.ngssecure.com