The libtiff image library tools suffer from integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.
The libtiff package ships a library, for reading and writing TIFF, as well as a small collection of tools for manipulating TIFF images. The cvt_whole_image function used in the tiff2rgba tool and the tiffcvt function used in the rgb2ycbcr tool do not properly validate the width and height of the image. Specific TIFF images with large width and height can be crafted to trigger the vulnerability.
A patch has been made available by the maintainer and further improved by Tom Lane of Red Hat.
libtiff <= 3.8.2, <= 3.9 (stable), <= 4.0 (development)
libtiff, N/A (patch has been made available and it's expected to be committed to libtiff CVS)
Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.
2009-05-22: vulnerability report received 2009-05-22: contacted libtiff maintainer 2009-06-30: report resent to maintainer due to lack of response 2009-07-01: maintainer provides patch 2009-07-04: reporter confirm fixes 2009-07-04: oCERT requests one week embargo for vendor notification 2009-07-04: maintainer confirms embargo 2009-07-07: contacted affected vendors 2009-07-07: assigned CVE 2009-07-07: improved patch contributed by Tom Lane of Red Hat 2009-07-04: reporter acknowledges patch 2009-07-13: advisory release
References: https://bugzilla.redhat.com/attachment.cgi?id=35132 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2347
-- Andrea Barisani | Founder & Project Coordinator oCERT | Open Source Computer Emergency Response Team
<firstname.lastname@example.org> http://www.ocert.org 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E "Pluralitas non est ponenda sine necessitate"