Vulnerability Note VU#687568

LibTIFF contains multiple integer overflows

Original Release date: 01 Dec 2004 | Last revised: 25 Jan 2005

Overview

Multiple integer overflows in the LibTIFF library may allow an attacker to execute arbitrary code.

Description

LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF) format. A number of potential integer overflow errors exist in the LibTIFF library. A lack of input validation on user-controlled data may allow a remote attacker to manipulate calls to the malloc() routine.

One instance of these vulnerabilities is in the TIFFFetchStripThing()routine within the tif_dirread.c file. A lack of validation on data specifying the size of an TIFF image may allow a remote attacker to manipulte malloc()to create a buffer with insufficient size. When data is copied to this under-sized buffer, a heap-based buffer overflow may occur. In order to exploit this specific attack vector, an attacker must craft a TIFF image with the STRIPOFFSETS flag set.

Please note that other routines may be vulnerable. In addition, any application that uses the LibTIFF library may be affected by this issue. Users are encouraged to contact their vendors to determine if they are vulnerable.

Impact

Depending on the application being used and the attack vector being exploited, potential consequences range from a denial-of-service condition to the execution of arbitrary code with the privileges of the LibTIFF process.

Solution

Apply Patch


Patch or upgrade as specified by your vendor. Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected01 Nov 200401 Dec 2004
HitachiNot Affected01 Nov 200401 Dec 2004
NEC CorporationNot Affected01 Nov 200417 Mar 2005
BSDIUnknown-01 Nov 2004
ConectivaUnknown-01 Nov 2004
Cray Inc.Unknown-01 Nov 2004
DebianUnknown01 Nov 200402 Nov 2004
EMC CorporationUnknown-01 Nov 2004
EngardeUnknown-01 Nov 2004
F5 NetworksUnknown-01 Nov 2004
FreeBSDUnknown-01 Nov 2004
FujitsuUnknown-01 Nov 2004
Hewlett-Packard CompanyUnknown-01 Nov 2004
IBMUnknown-01 Nov 2004
IBM-zSeriesUnknown-01 Nov 2004
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported in Secunia Security Advisory SA12818.


Secunia credits Matthias Clasen for providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CAN-2004-0886
  • Date Public: 14 Oct 2004
  • Date First Published: 01 Dec 2004
  • Date Last Updated: 25 Jan 2005
  • Severity Metric: 10.33
  • Document Revision: 129

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.