Vulnerability Note VU#539110

LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine

Original Release date: 04 May 2005 | Last revised: 23 Aug 2005

Overview

An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code.

Description

LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). An integer overflow in the TIFFFetchStripThing() routine within the tif_dirread.c file may allow an attacker to cause a heap-based buffer overflow. A lack of input validation on user-controlled data concerning the size of a TIFF image may allow a remote attacker to manipulate a call to malloc() so that it creates a buffer of insufficient size. When data is copied to this under-sized buffer, a heap-based buffer overflow may occur.

Note that in order to exploit this vulnerability, an attacker must craft a TIFF image with the STRIPOFFSETS flag set.

This vulnerability is believed to be related to the integer overflows described in VU#687568.
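
The following C sketch is an added illustration, not code from LibTIFF or from the authors of this note. It shows how a 32-bit multiplication of a file-supplied element count can wrap to a small malloc() size, beside a checked version that rejects such a count. The function names, the 4-byte element size and the file-size bound are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked pattern: the 32-bit product wraps modulo 2^32, so a huge
 * count can yield a tiny byte size that malloc() will happily satisfy. */
static uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked pattern: reject any count whose byte size does not fit.
 * Returns 0 and stores the size in *out on success, -1 on overflow. */
static int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Hypothetical helper: allocate an array of nstrips 32-bit entries.
 * Assumption for this example: the entries are read from the file, so
 * their total size can never legitimately exceed file_size. */
static uint32_t *alloc_strip_array(uint32_t nstrips, uint32_t file_size)
{
    uint32_t bytes;

    if (nstrips == 0 ||
        checked_alloc_size(nstrips, (uint32_t)sizeof(uint32_t), &bytes) != 0)
        return NULL;            /* count would overflow the size */
    if (bytes > file_size)
        return NULL;            /* count is larger than the file can hold */
    return malloc(bytes);
}

int main(void)
{
    uint32_t count = 0x40000001u;   /* constructed sample value */
    uint32_t *p = alloc_strip_array(count, 1024);

    printf("unchecked size for %u entries: %u bytes\n",
           (unsigned)count, (unsigned)unchecked_alloc_size(count, 4));
    printf("checked allocation: %s\n", p ? "granted" : "rejected");
    free(p);
    return 0;
}
```

A later copy loop that trusts the original count, rather than the wrapped size, is what turns the undersized buffer into a heap overflow; rejecting the count before allocation removes that condition.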

Impact

If a remote attacker can persuade a user to access a specially crafted TIFF image, that attacker may be able to execute arbitrary code with the privileges of that user.

Solution

Upgrade


This issue has been corrected in LibTIFF version 3.7.0.

Workarounds


Do Not Accept TIFF Files from Unknown or Untrusted Sources

Exploitation occurs by accessing a specially crafted TIFF file (typically .tiff or .tif extension). Accessing TIFF files only from trusted or known sources reduces the chances of exploitation.

Systems Affected

Vendor                    Status    Date Notified  Date Updated
Apple Computer Inc.       Affected  21 Jan 2005    05 May 2005
Red Hat Inc.              Affected  21 Jan 2005    23 Aug 2005
Sun Microsystems Inc.     Affected  21 Jan 2005    02 Feb 2005
Conectiva                 Unknown   21 Jan 2005    24 Jan 2005
Cray Inc.                 Unknown   21 Jan 2005    24 Jan 2005
Debian                    Unknown   21 Jan 2005    24 Jan 2005
EMC Corporation           Unknown   21 Jan 2005    24 Jan 2005
Engarde                   Unknown   21 Jan 2005    24 Jan 2005
F5 Networks               Unknown   21 Jan 2005    24 Jan 2005
FreeBSD                   Unknown   21 Jan 2005    24 Jan 2005
Fujitsu                   Unknown   21 Jan 2005    24 Jan 2005
Hewlett-Packard Company   Unknown   21 Jan 2005    24 Jan 2005
Hitachi                   Unknown   21 Jan 2005    24 Jan 2005
IBM                       Unknown   21 Jan 2005    24 Jan 2005
IBM-zSeries               Unknown   21 Jan 2005    24 Jan 2005

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was reported by iDefense Security.

iDefense credits infamous41md with discovering this vulnerability.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CAN-2004-1307
  • Date Public: 21 Dec 2004
  • Date First Published: 04 May 2005
  • Date Last Updated: 23 Aug 2005
  • Severity Metric: 5.04
  • Document Revision: 73

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.