Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:555304
HistoryDec 01, 2004 - 12:00 a.m.

LibTIFF vulnerable to denial-of-service condition

2004-12-0100:00:00
www.kb.cert.org
10

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.114 Low

EPSS

Percentile

95.2%

JSON

Overview

An Integer overflow in the LibTIFF library may allow a remote attacker to cause a divide-by-zero error that results in a denial-of-service condition.

Description

LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF) format. An integer overflow in the tif_dirread.c file may allow an attacker to cause a divide-by-zero error. If a remote attacker can persuade a user to access a specially crafted TIFF image with the row bytes field set to zero, that attacker may cause the divide-by-zero error and crash the process that linked to the LibTIFF library.

Any program that uses the LibTIFF library may be affected by this issue. Users are encouraged to contact their vendors to determine if they are vulnerable.

Impact

A remote attacker may be able to cause a divide-by-zero error and crash the process linked to the LibTIFF library.

Solution

Apply Patch

Patch or upgrade as specified by your vendor. Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take.

Vendor Information

555304

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

NEC Corporation __ Not Affected

Notified: November 01, 2004 Updated: March 17, 2005

Status

Not Affected

Vendor Statement

NEC products are NOT susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Apple Computer Inc. Unknown

Notified: November 01, 2004 Updated: May 17, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

BSDI Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Conectiva Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Cray Inc. Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Debian __ Unknown

Notified: November 01, 2004 Updated: November 02, 2004

Status

Unknown

Vendor Statement

Debian GNU/Linux was vulnerable to these problems. The update has been part of DSA 567-1 which was released on October 15th.

For the stable distribution (woody) these problems have been fixed in version 3.5.5-6woody1.

For the unstable distribution (sid) these problems have been fixed in version 3.6.1-2.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

EMC Corporation Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Engarde Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

F5 Networks Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

FreeBSD Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Fujitsu Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Hewlett-Packard Company Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Hitachi Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

IBM Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

IBM eServer Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

IBM-zSeries Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

IMmunix Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Ingrian Networks Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Juniper Networks Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

MandrakeSoft Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

MontaVista Software Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

NETBSD Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Nokia Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Novell Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

OpenBSD Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Openwall GNU/*/Linux Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Red Hat Inc. __ Unknown

Notified: November 01, 2004 Updated: November 01, 2004

Status

Unknown

Vendor Statement

For VU#687568 please see <https://rhn.redhat.com/cve/CAN-2004-0886.html&gt;.

For VU#555304 please see <https://rhn.redhat.com/cve/CAN-2004-0804.html&gt;.

For VU#948752 please see <https://rhn.redhat.com/cve/CAN-2004-0803.html&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SCO Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

SGI Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Sequent Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Sony Corporation Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

SuSE Inc. Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Sun Microsystems Inc. Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

TurboLinux Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Unisys Unknown

Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

Wind River Systems Inc. Unknown

Notified: November 01, 2004 Updated: November 01, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23555304 Feedback>).

View all 36 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported in Secunia Security Advisory SA12818.Secunia credits Chris Evans and Dmitry V. Levin for providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2004-0804
Severity Metric: 0.69 Date Public:

Related

openvas 26
slackware 1
gentoo 3
cert 3
securityvulns 4
nessus 22
debian 2
osv 1
redhat 3
centos 3
suse 2
debiancve 4
freebsd 3
ubuntucve 4
cve 4
openvas
openvas
Gentoo Security Advisory GLSA 200412-02 (PDFlib)
2008-09-24 00:00:00
Slackware Advisory SSA:2004-305-02 libtiff
2012-09-11 00:00:00
Gentoo Security Advisory GLSA 200412-17 (kfax)
2008-09-24 00:00:00
slackware
slackware
[slackware-security] libtiff
2004-11-01 08:00:50
gentoo
gentoo
kfax: Multiple overflows in the included TIFF library
2004-12-19 00:00:00
PDFlib: Multiple overflows in the included TIFF library
2004-12-05 00:00:00
tiff: Buffer overflows in image decoding
2004-10-13 00:00:00
cert
cert
LibTIFF contains multiple integer overflows
2004-12-01 00:00:00
LibTIFF contains multiple heap-based buffer overflows
2004-12-01 00:00:00
LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine
2005-01-20 00:00:00
securityvulns
securityvulns
KDE Security Advisory: kfax libtiff vulnerabilities
2004-12-10 00:00:00
MDKSA-2004:111 - Updated wxGTK2 packages fix vulnerabilities
2004-10-22 00:00:00
[Full-Disclosure] [ GLSA 200412-02 ] PDFlib: Multiple overflows in the included TIFF library
2004-12-06 00:00:00
nessus
nessus
Debian DSA-567-1 : tiff - heap overflows
2004-11-10 00:00:00
GLSA-200412-17 : kfax: Multiple overflows in the included TIFF library
2004-12-20 00:00:00
Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : libtiff (SSA:2004-305-02)
2005-07-13 00:00:00
debian
debian
[SECURITY] [DSA 567-1] New libtiff packages fix remote code execution
2004-10-15 17:51:16
[SECURITY] [DSA 567-1] New libtiff packages fix remote code execution
2004-10-15 00:00:00
osv
osv
tiff - heap overflows
2004-10-15 00:00:00
redhat
redhat
(RHSA-2004:577) libtiff security update
2004-10-22 00:00:00
(RHSA-2005:021) kdegraphics security update
2005-04-12 00:00:00
(RHSA-2005:354) tetex security update
2005-04-01 00:00:00
centos
centos
tetex security update
2005-04-01 21:29:55
kdegraphics security update
2005-04-12 23:05:10
kdegraphics security update
2005-04-12 16:01:20
suse
suse
remote denial of service in kernel
2004-10-21 07:52:50
local privilege escalation in libtiff
2004-10-22 14:52:41
debiancve
debiancve
CVE-2004-0886
2005-01-27 05:00:00
CVE-2004-0803
2004-12-23 05:00:00
CVE-2004-0804
2004-11-03 05:00:00
freebsd
freebsd
tiff -- multiple integer overflows
2004-10-13 00:00:00
tiff -- RLE decoder heap overflows
2004-10-13 00:00:00
tiff -- divide-by-zero denial-of-service
2002-03-27 00:00:00
ubuntucve
ubuntucve
CVE-2004-0886
2005-01-27 00:00:00
CVE-2004-0803
2004-12-23 00:00:00
CVE-2005-2452
2005-08-03 00:00:00
cve
cve
CVE-2004-0886
2005-01-27 05:00:00
CVE-2004-0803
2004-12-23 05:00:00
CVE-2004-0804
2004-11-03 05:00:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.114 Low

EPSS

Percentile

95.2%

JSON
Related for VU:555304
openvas26slackware1gentoo3cert3securityvulns4nessus22debian2osv1redhat3centos3suse2debiancve4freebsd3ubuntucve4cve4