Vulnerability Note VU#539110

LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine

Overview

An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code.

I. Description

LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). An integer overflow in the TIFFFetchStripThing() routine within the tif_dirread.c file may allow an attacker to cause a heap-based buffer overflow. A lack of input validation on user-controlled data concerning the size of a TIFF image may allow a remote attacker to manipulate a call to malloc() to create a buffer with insufficient size. When data is copied to this under-sized buffer, a heap-based buffer overflow may occur.

Note that in order to exploit this vulnerability, an attacker must craft a TIFF image with the STRIPOFFSETS flag set.

This vulnerability is believed to be related to the integer overflows described in VU#687568.
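An added illustration of the bug class described above (not LibTIFF's code and not part of the original note): a 32-bit size computation that wraps for a large entry count, beside a checked version that rejects it. The function names and the sample count are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Unchecked pattern: the byte count is computed in 32-bit arithmetic, so the
 * product wraps modulo 2^32 when the file-supplied count is large. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked pattern: returns 0 and stores the byte count on success, or -1 if
 * either operand is zero or the product would not fit in 32 bits. */
int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (count == 0 || elem_size == 0)
        return -1;
    if (count > UINT32_MAX / elem_size)
        return -1;              /* multiplication would overflow */
    *out = count * elem_size;
    return 0;
}

/* Hardened allocation of an array of 32-bit entries whose count comes from
 * untrusted input (hypothetical helper). Returns NULL when the size is invalid. */
uint32_t *alloc_entries(uint32_t count)
{
    uint32_t bytes;
    if (checked_alloc_size(count, (uint32_t)sizeof(uint32_t), &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    uint32_t count = 0x40000001u;   /* constructed sample value */

    /* 0x40000001 * 4 = 0x100000004, which truncates to 4 bytes. */
    printf("unchecked: %u bytes requested for %u entries\n",
           (unsigned)unchecked_alloc_size(count, 4), (unsigned)count);

    uint32_t *p = alloc_entries(count);
    printf("checked: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

Any later copy sized by the original count would write far past the 4-byte buffer returned in the unchecked case, which is why the check has to happen before the allocation.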

II. Impact

If a remote attacker can persuade a user to access a specially crafted TIFF image, that attacker may be able to execute arbitrary code with the privileges of that user.

III. Solution

Upgrade


This issue has been corrected in LibTIFF version 3.7.0.

Workarounds

Do Not Accept TIFF Files from Unknown or Untrusted Sources

Exploitation occurs by accessing a specially crafted TIFF file (typically .tiff or .tif extension). By only accessing TIFF files from trusted or known sources, the chances of exploitation are reduced.

Systems Affected

| Vendor | Status | Date Updated |
|---|---|---|
| Apple Computer Inc. | Vulnerable | 5-May-2005 |
| Conectiva | Unknown | 24-Jan-2005 |
| Cray Inc. | Unknown | 24-Jan-2005 |
| Debian | Unknown | 24-Jan-2005 |
| EMC Corporation | Unknown | 24-Jan-2005 |
| Engarde | Unknown | 24-Jan-2005 |
| F5 Networks | Unknown | 24-Jan-2005 |
| FreeBSD | Unknown | 24-Jan-2005 |
| Fujitsu | Unknown | 24-Jan-2005 |
| Hewlett-Packard Company | Unknown | 24-Jan-2005 |
| Hitachi | Unknown | 24-Jan-2005 |
| IBM | Unknown | 24-Jan-2005 |
| IBM-zSeries | Unknown | 24-Jan-2005 |
| IBM eServer | Unknown | 2-Feb-2005 |
| Immunix | Unknown | 24-Jan-2005 |
| Ingrian Networks | Unknown | 24-Jan-2005 |
| Juniper Networks | Unknown | 24-Jan-2005 |
| MandrakeSoft | Unknown | 24-Jan-2005 |
| Microsoft Corporation | Unknown | 24-Jan-2005 |
| MontaVista Software | Unknown | 24-Jan-2005 |
| NEC Corporation | Unknown | 24-Jan-2005 |
| NetBSD | Unknown | 24-Jan-2005 |
| Nokia | Unknown | 24-Jan-2005 |
| Novell | Unknown | 24-Jan-2005 |
| OpenBSD | Unknown | 24-Jan-2005 |
| Openwall GNU/*/Linux | Unknown | 24-Jan-2005 |
| Red Hat Inc. | Vulnerable | 23-Aug-2005 |
| SCO Linux | Unknown | 24-Jan-2005 |
| SCO Unix | Unknown | 24-Jan-2005 |
| Sequent | Unknown | 24-Jan-2005 |
| SGI | Unknown | 24-Jan-2005 |
| Sony Corporation | Unknown | 24-Jan-2005 |
| Sun Microsystems Inc. | Vulnerable | 2-Feb-2005 |
| SuSE Inc. | Unknown | 24-Jan-2005 |
| TurboLinux | Unknown | 24-Jan-2005 |
| Unisys | Unknown | 24-Jan-2005 |
| Wind River Systems Inc. | Unknown | 24-Jan-2005 |

References


http://securitytracker.com/alerts/2004/Dec/1012651.html
http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities
http://secunia.com/advisories/13607/
http://secunia.com/advisories/15227/

Credit

This vulnerability was reported by iDefense Security.


iDefense credits infamous41md with discovering this vulnerability.

This document was written by Jeff Gennari.

Other Information

| Field | Value |
|---|---|
| Date Public | 12/21/2004 |
| Date First Published | 05/04/2005 10:43:19 AM |
| Date Last Updated | 08/23/2005 |
| CERT Advisory | |
| CVE Name | CAN-2004-1307 |
| US-CERT Technical Alerts | |
| Metric | 5.04 |
| Document Revision | 73 |

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2005 Carnegie Mellon University