Security Advisory SA43593 - LibTIFF Multiple Vulnerabilities

Secunia

Blog

Secunia Advisory SA43593

LibTIFF Multiple Vulnerabilities

Secunia Advisory

SA43593

Release Date

2011-03-03

Last Update

2011-04-13

Popularity

3,181 views

Comments

0 comments

Criticality level

Moderately critical

Impact

System access

Where

From remote

Authentication level

This information is available to Secunia VIM customers

Report reliability

This information is available to Secunia VIM customers

Solution Status

Vendor Patch

Systems affected

This information is available to Secunia VIM customers

Approve distribution

This information is available to Secunia VIM customers

Remediation status

Secunia CSI, Secunia PSI

Automated scanning

Secunia CSI, Secunia PSI

Software:

LibTIFF 3.x

Secunia CVSS Score

This information is available to Secunia VIM Customers

CVE Reference(s)

CVE-2009-5022 CVSS score available to Secunia VIM customers
CVE-2010-3087 CVSS score available to Secunia VIM customers
CVE-2010-4665 CVSS score available to Secunia VIM customers
CVE-2011-0192 CVSS score available to Secunia VIM customers
CVE-2011-1167 CVSS score available to Secunia VIM customers

Description

Some vulnerabilities have been reported in LibTIFF, which can be exploited by malicious people to potentially compromise an application using the library.

1) A boundary error within the "EXPAND2D()" macro in libtiff/tif_fax3.h when decoding CCITT Group 4 compressed TIFF images can be exploited to cause a heap-based buffer overflow via specially crafted TIFF images.

Successful exploitation may allow execution of arbitrary code.

2) A boundary error within the ThunderScan decoder when processing images with an incorrect number of bitspersample can be exploited to cause a heap-based buffer overflow via specially crafted ThunderScan encoded files.

3) An error within the handling of certain TIFF files can be exploited to cause a memory corruption by tricking a user into opening a specially crafted TIFF file.

4) An error within the "OJPEGReadHeaderInfoSecStreamSof()" function in libtiff/tif_ojpeg.c can be exploited to cause a memory corruption by tricking a user into opening a specially crafted TIFF file.

5) An integer overflow error exists within the "tiffdump" utility, which can be exploited by e.g. tricking a user into opening a specially crafted TIFF file containing a directory with a large item count.

Solution
Update to version 3.9.5.

Provided and/or discovered by
1) Apple Product Security
2) Martin Barbella via ZDI
3) Tom Lane and Robert Swiecki
4) Tavis Ormandy
5) Tom Lane

Changelog
Further details available to Secunia VIM customers

Original Advisory
APPLE-SA-2011-03-02-1:
http://lists.apple.com/archives/security-announce/2011/Mar/msg00000.html

LibTIFF:
http://www.remotesensing.org/libtiff/v3.9.5.html
http://bugzilla.maptools.org/show_bug.cgi?id=1999
http://bugzilla.maptools.org/show_bug.cgi?id=2140
http://bugzilla.maptools.org/show_bug.cgi?id=2218
http://bugzilla.maptools.org/show_bug.cgi?id=2228
http://bugzilla.maptools.org/show_bug.cgi?id=2300

ZDI-11-107:
http://www.zerodayinitiative.com/advisories/ZDI-11-107/

Technical Analysis
Further details available to Secunia VIM customers

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: LibTIFF Multiple Vulnerabilities

No posts yet

Secunia Advisory SA43593

LibTIFF Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?