LibTIFF multiple vulns

Credit: Dan Rosenberg
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119

In the past week, LibTIFF has released new versions upstream (3.9.3, and soon after, 3.9.4) that address a number of potentially security-relevant issues, some of which have not been assigned CVE identifiers. The following issues will crash (or worse) any application linked against LibTIFF in the trivial case of viewing a maliciously crafted image:

1. Out-of-bounds read in TIFFExtractData() may result in application crash (no reference, fixed upstream). Reported by Dan Rosenberg.

2. Out-of-bounds read in TIFFVGetField() may result in application crash ( The fix for this issue was combined with the fix for CVE-2010-2065, but it appears to be a separate issue. Reported by Sauli Pahlman.

3. Memory corruption in TIFFRGBAImageGet() due to buffer overflow ( Reported by Sauli Pahlman.

There is another series of issues that each lead to an application crash, reported at by Nicolae Ghimbovschi. However, these issues may require more user assistance, such as running specific conversion tools to process TIFF files, and as such may not need CVE identifiers. I thought I'd include them for completeness:

4. ("tif_getimage fails when flipping vertically on 64-bit platforms")

5. ("Bogus ReferenceBlackWhite values can crash libtiff")

6. ("Assertion failure in OJPEGPostDecode") - this one is an assertion failure and not a segfault, so it might not need a CVE.

Finally, to avoid confusion, the following more serious issues were also fixed and have already received CVE identifiers:

7. Integer overflows leading to heap overflow in Fax3SetupState(). Reported by Kevin Finisterre (CVE-2010-1411).

8. Integer overflow in TIFFFillStrip() leading to heap overflow in TIFFReadRawStrip1(). Reported by Sauli Pahlman (CVE-2010-2065).

9. Stack overflow when processing SubjectDistance EXIF tags allows arbitrary code execution. Reported by Dan Rosenberg (CVE-2010-2067).

