Vulnerability Note VU#539110
LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine
Overview
An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code.
Description
LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). An integer overflow in the TIFFFetchStripThing() routine within the tif_dirread.c file may allow an attacker to cause a heap-based buffer overflow. A lack of input validation on user-controlled data concerning the size of a TIFF image may allow a remote attacker to manipulate a call to malloc() so that it creates a buffer of insufficient size. When data is copied to this undersized buffer, a heap-based buffer overflow may occur. Note that in order to exploit this vulnerability, an attacker must craft a TIFF image with the STRIPOFFSETS flag set.
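The arithmetic behind this class of bug, shown as an added illustration and not as LibTIFF source code: a 32-bit element count taken from the file is multiplied by the element size, the product wraps, and malloc() is asked for far less memory than the later copy writes. The function names, the `avail` parameter and the sample count are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked form: the product wraps modulo 2^32, so a huge count from
 * the file can yield a tiny allocation size. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked form: returns 0 and stores the product, or -1 if it would overflow. */
int checked_alloc_size(uint32_t count, uint32_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = (size_t)count * elem_size;
    return 0;
}

/* Hypothetical reader for an array of 32-bit entries (e.g. strip offsets).
 * `count` is attacker-controlled; `avail` is how many bytes the file holds. */
uint32_t *read_entry_array(const uint8_t *data, size_t avail, uint32_t count)
{
    size_t bytes;
    if (count == 0 || checked_alloc_size(count, sizeof(uint32_t), &bytes) != 0)
        return NULL;              /* reject wrapped or empty sizes */
    if (bytes > avail)
        return NULL;              /* file claims more data than it contains */
    uint32_t *buf = malloc(bytes);
    if (buf != NULL)
        memcpy(buf, data, bytes); /* copy length equals allocation length */
    return buf;
}

int main(void)
{
    uint32_t count = 0x40000001u; /* constructed sample value */
    size_t bytes;
    printf("unchecked size: %u bytes for %u entries\n",
           (unsigned)unchecked_alloc_size(count, 4), (unsigned)count);
    printf("checked: %s\n",
           checked_alloc_size(count, 4, &bytes) ? "rejected" : "accepted");
    return 0;
}
```

The hardened reader validates the multiplication before allocating and also bounds the claimed size by the data actually present, so the allocation and the copy always use the same, verified length.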
Impact
If a remote attacker can persuade a user to access a specially crafted TIFF image, that attacker may be able to execute arbitrary code with the privileges of that user.
Solution
Upgrade
Workarounds
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 21 Jan 2005 | 05 May 2005 |
| Red Hat Inc. | Affected | 21 Jan 2005 | 23 Aug 2005 |
| Sun Microsystems Inc. | Affected | 21 Jan 2005 | 02 Feb 2005 |
| Conectiva | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Cray Inc. | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Debian | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| EMC Corporation | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Engarde | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| F5 Networks | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| FreeBSD | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Fujitsu | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Hewlett-Packard Company | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| Hitachi | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| IBM | Unknown | 21 Jan 2005 | 24 Jan 2005 |
| IBM-zSeries | Unknown | 21 Jan 2005 | 24 Jan 2005 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://securitytracker.com/alerts/2004/Dec/1012651.html
- http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities
- http://secunia.com/advisories/13607/
- http://secunia.com/advisories/15227/
Credit
This vulnerability was reported by iDefense Security.
iDefense credits infamous41md with discovering this vulnerability.
This document was written by Jeff Gennari.
Other Information
- CVE IDs: CAN-2004-1307
- Date Public: 21 Dec 2004
- Date First Published: 04 May 2005
- Date Last Updated: 23 Aug 2005
- Severity Metric: 5.04
- Document Revision: 73