10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.129 Low
EPSS
Percentile
95.5%
An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code.
LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). A lack of validation on user supplied input may allow buffer overflow to occur. TIFF files contain directory entry header fields to describe the data in the file. If a remote attacker creates a TIFF file with specially crafted directory headers and persuades a user to access that file, an integer overflow will occur that may eventually lead to a heap-based buffer overflow.
If a remote attacker can persuade a user to access a specially crafted TIFF image, that attacker may be able to execute arbitrary code with the privileges of that user.
Upgrade or Patch
This issue has been corrected in LibTIFF version 3.7.1. Obtain a patch or upgraded software from your vendor. Recompile statically linked applications.
Do Not Accept TIFF Files from Unknown or Untrusted Sources
Exploitation occurs by accessing a specially crafted TIFF file (typically .tiff or .tif extension). By only accessing TIFF files from trusted or known sources, the chances of exploitation are reduced.
125598
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: January 11, 2005 Updated: May 05, 2005
Affected
This is addressed in Security Update 2005-005. Further information is available at:
<http://docs.info.apple.com/article.html?artnum=301528>.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Affected
Debian GNU/Linux was vulnerable to this problem and has issued an advisory with updated packages: DSA 617[1]. Another vulnerability has been discovered by Dmitry Levin which has been fixed in DSA 626 and has CAN-2004-1183 assigned as unique vulnerability identifier.
For the stable distribution (woody) these problems have been fixed in version 3.5.5-6.woody5.
For the unstable distribution (sid) these problems have been fixed in version 3.6.1-5.
Links:
1. <http://www.debian.org/security/2004/dsa-617>
2. <http://www.debian.org/security/2005/dsa-626>
The vendor has not provided us with any further information regarding this vulnerability.
<http://www.debian.org/security/2004/dsa-617>
Notified: January 11, 2005 Updated: January 11, 2005
Affected
libtiff and other software incorporating libtiff is available in the FreeBSD Ports Collection. Please see
<http://vuxml.freebsd.org/fc7e6a42-6012-11d9-a9e7-0001020eed82.html>
for details regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
<http://vuxml.freebsd.org/fc7e6a42-6012-11d9-a9e7-0001020eed82.html>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 19, 2005
Affected
Red Hat Enterprise Linux ships with a LibTIFF package vulnerable to this issues. New LibTiff packages are now available along with our advisory at the URLs below and by using the Red Hat Network ‘up2date’ tool.
Red Hat Enterprise Linux (2.1 3):
<http://rhn.redhat.com/errata/RHSA-2005-019.html>
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: March 17, 2005
Not Affected
NEC products are NOT susceptible to this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 13, 2005
Not Affected
NetBSD does not include libtiff in the Operating System release.
It is available as a third-party package in the pkgsrc system, and was updated to 3.7.1 when the release first became public. A number of graphical programs and desktop environments in pkgsrc depend on libtiff, and so it may well have been installed as part of building another package.
Known vulnerabilities in third-party pkgsrc packages are published in the pkg-vulnerabilities database. NetBSD recommends that users check installed packages against this database regularly using the tools in the security/audit-packages package.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 13, 2005
Unknown
For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to
https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=
In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to
<http://app-06.www.ibm.com/servers/resourcelink>
and follow the steps for registration.
All questions should be refferred to [email protected].
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Notified: January 11, 2005 Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
Updated: January 11, 2005
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23125598 Feedback>).
View all 37 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was reported by iDefense.
This document was written by Jeff Gennari.
CVE IDs: | CVE-2004-1308 |
---|---|
Severity Metric: | 7.75 Date Public: |