LibTIFF multiple vulns

2010.07.09
Credit: Dan Rosenberg
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119

In the past week, LibTIFF has released new versions upstream (3.9.3, and soon after, 3.9.4) that address a number of potentially security-relevant issues, some of which have not been assigned CVE identifiers.

The following issues will crash (or worse) any application linked against LibTIFF in the trivial case of viewing a maliciously crafted image:

1. Out-of-bounds read in TIFFExtractData() may result in application crash (no reference, fixed upstream). Reported by Dan Rosenberg.
2. Out-of-bounds read in TIFFVGetField() may result in application crash (https://bugs.launchpad.net/ubuntu/lucid/+source/tiff/+bug/589145). The fix for this issue was combined with the fix for CVE-2010-2065, but it appears to be a separate issue. Reported by Sauli Pahlman.
3. Memory corruption in TIFFRGBAImageGet() due to buffer overflow (https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605). Reported by Sauli Pahlman.

There is another series of issues that each lead to an application crash, reported at https://bugzilla.redhat.com/show_bug.cgi?id=583081 by Nicolae Ghimbovschi. However, these issues may require more user assistance, such as running specific conversion tools to process TIFF files, and as such may not need CVE identifiers. I thought I'd include them for completeness:

4. http://bugzilla.maptools.org/show_bug.cgi?id=2207 ("tif_getimage fails when flipping vertically on 64-bit platforms")
5. http://bugzilla.maptools.org/show_bug.cgi?id=2208 ("Bogus ReferenceBlackWhite values can crash libtiff")
6. http://bugzilla.maptools.org/show_bug.cgi?id=2209 ("Assertion failure in OJPEGPostDecode") - this one is an assertion failure and not a segfault, so it might not need a CVE.

Finally, to avoid confusion, the following more serious issues were also fixed and have already received CVE identifiers:

7. Integer overflows leading to heap overflow in Fax3SetupState(). Reported by Kevin Finisterre (CVE-2010-1411).
8. Integer overflow in TIFFFillStrip() leading to heap overflow in TIFFReadRawStrip1(). Reported by Sauli Pahlman (CVE-2010-2065).
9. Stack overflow when processing SubjectDistance EXIF tags allows arbitrary code execution. Reported by Dan Rosenberg (CVE-2010-2067).

References:

https://bugzilla.redhat.com/show_bug.cgi?id=603081
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/591605
http://www.openwall.com/lists/oss-security/2010/06/30/22
http://secunia.com/advisories/40422
http://marc.info/?l=oss-security&m=127797353202873&w=2
http://marc.info/?l=oss-security&m=127781315415896&w=2
http://marc.info/?l=oss-security&m=127738540902757&w=2
http://marc.info/?l=oss-security&m=127736307002102&w=2
http://marc.info/?l=oss-security&m=127731610612908&w=2
http://bugzilla.maptools.org/show_bug.cgi?id=2216

