search menu icon-carat-right cmu-wordmark

CERT Coordination Center

LibTIFF vulnerable to integer overflow via corrupted directory entry count

Vulnerability Note VU#125598

Original Release Date: 2005-01-11 | Last Revised: 2005-05-12

Overview

An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code.

Description

LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). A lack of validation on user supplied input may allow buffer overflow to occur. TIFF files contain directory entry header fields to describe the data in the file. If a remote attacker creates a TIFF file with specially crafted directory headers and persuades a user to access that file, an integer overflow will occur that may eventually lead to a heap-based buffer overflow.

Impact

If a remote attacker can persuade a user to access a specially crafted TIFF image, that attacker may be able to execute arbitrary code with the privileges of that user.

Solution

Upgrade or Patch

This issue has been corrected in LibTIFF version 3.7.1. Obtain a patch or upgraded software from your vendor. Recompile statically linked applications.

Do Not Accept TIFF Files from Unknown or Untrusted Sources


Exploitation occurs by accessing a specially crafted TIFF file (typically .tiff or .tif extension). By only accessing TIFF files from trusted or known sources, the chances of exploitation are reduced.

Vendor Information

125598
 
Affected   Unknown   Unaffected

Apple Computer Inc.

Notified:  January 11, 2005 Updated:  May 05, 2005

Status

  Vulnerable

Vendor Statement

This is addressed in Security Update 2005-005. Further information is available at:

http://docs.info.apple.com/article.html?artnum=301528.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Vulnerable

Vendor Statement

Debian GNU/Linux was vulnerable to this problem and has issued an advisory with updated packages: DSA 617[1]. Another vulnerability has been discovered by Dmitry Levin which has been fixed in DSA 626 and has CAN-2004-1183 assigned as unique vulnerability identifier.

For the stable distribution (woody) these problems have been fixed in version 3.5.5-6.woody5.

For the unstable distribution (sid) these problems have been fixed in version 3.6.1-5.

Links:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

http://www.debian.org/security/2004/dsa-617

FreeBSD

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Vulnerable

Vendor Statement

libtiff and other software incorporating libtiff is available in the FreeBSD Ports Collection. Please see

for details regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

http://vuxml.freebsd.org/fc7e6a42-6012-11d9-a9e7-0001020eed82.html

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  January 11, 2005 Updated:  January 19, 2005

Status

  Vulnerable

Vendor Statement

Red Hat Enterprise Linux ships with a LibTIFF package vulnerable to this issues. New LibTiff packages are now available along with our advisory at the URLs below and by using the Red Hat Network 'up2date' tool.

Red Hat Enterprise Linux (2.1 3):

http://rhn.redhat.com/errata/RHSA-2005-019.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  January 11, 2005 Updated:  March 17, 2005

Status

  Not Vulnerable

Vendor Statement

NEC products are NOT susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  January 11, 2005 Updated:  January 13, 2005

Status

  Not Vulnerable

Vendor Statement

NetBSD does not include libtiff in the Operating System release.

It is available as a third-party package in the pkgsrc system, and was updated to 3.7.1 when the release first became public. A number of graphical programs and desktop environments in pkgsrc depend on libtiff, and so it may well have been installed as part of building another package.

Known vulnerabilities in third-party pkgsrc packages are published in the pkg-vulnerabilities database. NetBSD recommends that users check installed packages against this database regularly using the tools in the security/audit-packages package.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Connectiva

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

EMC Corporation

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer

Notified:  January 11, 2005 Updated:  January 13, 2005

Status

  Unknown

Vendor Statement

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to


In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to

and follow the steps for registration.

All questions should be refferred to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM-zSeries

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Immunix

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO-LINUX

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO-UNIX

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TurboLinux

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  January 11, 2005 Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Updated:  January 11, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 37 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported by iDefense.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2004-1308
Severity Metric: 7.75
Date Public: 2004-12-21
Date First Published: 2005-01-11
Date Last Updated: 2005-05-12 19:34 UTC
Document Revision: 71

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.