[oCERT-2009-012] libtiff tools integer overflows

Type securityvulns
Reporter Securityvulns
Modified 2009-07-14T00:00:00


2009-012 libtiff tools integer overflows


The libtiff image library tools suffer from integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.

The libtiff package ships a library for reading and writing TIFF, as well as a small collection of tools for manipulating TIFF images. The cvt_whole_image function used in the tiff2rgba tool and the tiffcvt function used in the rgb2ycbcr tool do not properly validate the width and height of the image. Specific TIFF images with large width and height can be crafted to trigger the vulnerability.
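An added example, not libtiff's code and not the maintainer's patch: it shows how a raster size computed from a 32-bit width and height can wrap to a small value, beside a check that rejects such dimensions before any allocation. The function names, the 4-bytes-per-pixel raster and the sample dimensions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_PIXEL 4u  /* assumed: one 32-bit RGBA value per pixel */

/* Unchecked form: the 32-bit product wraps modulo 2^32, so the result can be
 * far smaller than the raster the image dimensions actually describe. */
static uint32_t raster_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Checked form: returns 0 and stores the size in *out, or -1 when a
 * dimension is zero or the byte count does not fit in 32 bits. */
static int raster_bytes_checked(uint32_t width, uint32_t height, uint32_t *out)
{
    if (width == 0 || height == 0)
        return -1;
    if (width > UINT32_MAX / height)                    /* width * height wraps */
        return -1;
    if (width * height > UINT32_MAX / BYTES_PER_PIXEL)  /* pixels * 4 wraps */
        return -1;
    *out = width * height * BYTES_PER_PIXEL;
    return 0;
}

int main(void)
{
    /* Constructed sample dimensions, not taken from any real file. */
    static const uint32_t dims[][2] = {
        {1024, 768}, {65536, 65536}, {65536, 16385}
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t w = dims[i][0], h = dims[i][1], checked = 0;
        int rc = raster_bytes_checked(w, h, &checked);
        printf("%ux%u unchecked=%u checked=%s\n", (unsigned)w, (unsigned)h,
               (unsigned)raster_bytes_unchecked(w, h),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

A buffer sized from the unchecked result and then filled according to the declared width and height is the heap overflow condition the advisory describes.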

A patch has been made available by the maintainer and further improved by Tom Lane of Red Hat.

Affected version:

libtiff <= 3.8.2, <= 3.9 (stable), <= 4.0 (development)

Fixed version:

libtiff, N/A (patch has been made available and it's expected to be committed to libtiff CVS)

Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.

CVE: CVE-2009-2347


Timeline:

2009-05-22: vulnerability report received
2009-05-22: contacted libtiff maintainer
2009-06-30: report resent to maintainer due to lack of response
2009-07-01: maintainer provides patch
2009-07-04: reporter confirms fixes
2009-07-04: oCERT requests one week embargo for vendor notification
2009-07-04: maintainer confirms embargo
2009-07-07: contacted affected vendors
2009-07-07: assigned CVE
2009-07-07: improved patch contributed by Tom Lane of Red Hat
2009-07-04: reporter acknowledges patch
2009-07-13: advisory release

References:

https://bugzilla.redhat.com/attachment.cgi?id=35132
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2347

Permalink: http://www.ocert.org/advisories/ocert-2009-012.html

-- Andrea Barisani | Founder & Project Coordinator oCERT | Open Source Computer Emergency Response Team

<lcars@ocert.org> http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"