Vulnerability Note VU#687568
LibTIFF contains multiple integer overflows
Overview
Multiple integer overflows in the LibTIFF library may allow an attacker to execute arbitrary code.
Description
LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). A number of potential integer overflow errors exist in the LibTIFF library. A lack of input validation on user-controlled data may allow a remote attacker to manipulate calls to the malloc() routine. One instance of these vulnerabilities is in the TIFFFetchStripThing() routine within the tif_dirread.c file. A lack of validation on data specifying the size of a TIFF image may allow a remote attacker to manipulate malloc() into creating a buffer of insufficient size. When data is copied to this undersized buffer, a heap-based buffer overflow may occur. In order to exploit this specific attack vector, an attacker must craft a TIFF image with the STRIPOFFSETS flag set.
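The size arithmetic behind this class of bug, shown as an added example beside a checked form. This is not LibTIFF source and not part of the original note; the function names, the 4-byte element size and the sample count are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: a 32-bit entry count read from the file is multiplied
 * by the element size in 32-bit arithmetic. The product wraps modulo 2^32,
 * so malloc() receives a far smaller size than the later copy assumes. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Hardened pattern: widen before multiplying (two 32-bit values cannot
 * overflow 64 bits), then reject a size of zero or one larger than the
 * bytes actually left in the file. Returns 0 on success, -1 on rejection. */
int checked_alloc_size(uint32_t count, uint32_t elem_size,
                       size_t bytes_left, size_t *out)
{
    uint64_t n = (uint64_t)count * elem_size;
    if (n == 0 || n > bytes_left)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Allocate the array only when the claimed size is plausible. */
void *alloc_entries(uint32_t count, uint32_t elem_size, size_t bytes_left)
{
    size_t n;
    if (checked_alloc_size(count, elem_size, bytes_left, &n) != 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed input: a count chosen so that count * 4 wraps to 4. */
    uint32_t count = 0x40000001u, elem = 4;
    void *p = alloc_entries(count, elem, 1u << 20);
    printf("unchecked size: %u bytes for %u entries\n",
           (unsigned)unchecked_alloc_size(count, elem), (unsigned)count);
    printf("checked allocation: %s\n", p ? "allowed" : "rejected");
    free(p);
    return 0;
}
```

Bounding the computed size by the bytes remaining in the input also rejects counts that do not wrap but still describe more data than the file can hold.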
Impact
Depending on the application being used and the attack vector being exploited, potential consequences range from a denial-of-service condition to the execution of arbitrary code with the privileges of the LibTIFF process.
Solution
Apply Patch
Systems Affected
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Apple Computer Inc. | Affected | 01 Nov 2004 | 01 Dec 2004 |
Hitachi | Not Affected | 01 Nov 2004 | 01 Dec 2004 |
NEC Corporation | Not Affected | 01 Nov 2004 | 17 Mar 2005 |
BSDI | Unknown | - | 01 Nov 2004 |
Conectiva | Unknown | - | 01 Nov 2004 |
Cray Inc. | Unknown | - | 01 Nov 2004 |
Debian | Unknown | 01 Nov 2004 | 02 Nov 2004 |
EMC Corporation | Unknown | - | 01 Nov 2004 |
Engarde | Unknown | - | 01 Nov 2004 |
F5 Networks | Unknown | - | 01 Nov 2004 |
FreeBSD | Unknown | - | 01 Nov 2004 |
Fujitsu | Unknown | - | 01 Nov 2004 |
Hewlett-Packard Company | Unknown | - | 01 Nov 2004 |
IBM | Unknown | - | 01 Nov 2004 |
IBM-zSeries | Unknown | - | 01 Nov 2004 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- http://secunia.com/advisories/12818/
- http://www.ciac.org/ciac/bulletins/p-015.shtml
- http://securitytracker.com/alerts/2004/Oct/1011674.html
- http://seclists.org/lists/bugtraq/2004/Oct/0135.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886
- http://www.osvdb.org/displayvuln.php?osvdb_id=10751
- http://securitytracker.com/alerts/2004/Dec/1012651.html
- http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities
Credit
This vulnerability was reported in Secunia Security Advisory SA12818.
Secunia credits Matthias Clasen for providing information regarding this vulnerability.
This document was written by Jeff Gennari.
Other Information
- CVE IDs: CAN-2004-0886
- Date Public: 14 Oct 2004
- Date First Published: 01 Dec 2004
- Date Last Updated: 25 Jan 2005
- Severity Metric: 10.33
- Document Revision: 129