Vulnerability Note VU#539110
LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine
An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code.
LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). An integer overflow in the TIFFFetchStripThing() routine within the tif_dirread.c file may allow an attacker to cause a heap-based buffer overflow. A lack of input validation on user-controlled data concerning the size of a TIFF image may allow a remote attacker to manipulate a call to malloc() so that it creates a buffer of insufficient size. When data is copied to this undersized buffer, a heap-based buffer overflow may occur.
Note that in order to exploit this vulnerability, an attacker must craft a TIFF image with the STRIPOFFSETS flag set.
If a remote attacker can persuade a user to access a specially crafted TIFF image, that attacker may be able to execute arbitrary code with the privileges of that user.
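The size-calculation failure described above, shown as an added example beside a checked form. This is not LibTIFF's code: the type and function names are hypothetical, and it assumes the allocation size is computed in 32-bit arithmetic from a count read from the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a per-strip entry; not a LibTIFF type. */
typedef uint32_t strip_entry_t;

/* Unsafe pattern: the byte count is computed in 32 bits, so a large
 * file-supplied count wraps around and yields a tiny allocation size. */
static uint32_t unchecked_alloc_size(uint32_t nstrips)
{
    return nstrips * (uint32_t)sizeof(strip_entry_t);
}

/* Hardened pattern: reject counts whose byte size cannot be represented.
 * Returns 1 and stores the size on success, 0 on overflow or zero count. */
static int checked_alloc_size(uint32_t nstrips, uint32_t *out)
{
    if (nstrips == 0 || nstrips > UINT32_MAX / sizeof(strip_entry_t))
        return 0;
    *out = nstrips * (uint32_t)sizeof(strip_entry_t);
    return 1;
}

/* Allocate the strip array only when the size check passes. */
static strip_entry_t *alloc_strips(uint32_t nstrips)
{
    uint32_t bytes;
    if (!checked_alloc_size(nstrips, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t crafted = 0x40000001u; /* constructed sample count */
    printf("unchecked size for %u entries: %u bytes\n",
           (unsigned)crafted, (unsigned)unchecked_alloc_size(crafted));
    strip_entry_t *p = alloc_strips(crafted);
    printf("checked allocation: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```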
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 21 Jan 2005 | 05 May 2005 |
| Red Hat Inc. | Affected | 21 Jan 2005 | 23 Aug 2005 |
| Sun Microsystems Inc. | Affected | 21 Jan 2005 | 02 Feb 2005 |
| Conectiva | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Cray Inc. | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Debian | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| EMC Corporation | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Engarde | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| F5 Networks | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| FreeBSD | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Fujitsu | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Hewlett-Packard Company | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Hitachi | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| IBM | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| IBM-zSeries | Unknown | 21 Jan 2005 | 24 Jan 2005 |
This vulnerability was reported by iDefense Security.
iDefense credits infamous41md with discovering this vulnerability.
This document was written by Jeff Gennari.
- CVE IDs: CAN-2004-1307
- Date Public: 21 Dec 2004
- Date First Published: 04 May 2005
- Date Last Updated: 23 Aug 2005
- Severity Metric: 5.04
- Document Revision: 73