Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 13 Jul 2009 19:12:05 +0100
From: Andrea Barisani <lcars@...rt.org>
To: ocert-announce@...ts.ocert.org, oss-security@...ts.openwall.com,
        bugtraq@...urityfocus.com
Subject: [oCERT-2009-012] libtiff tools integer overflows


#2009-012 libtiff tools integer overflows

Description:

The libtiff image library tools suffer from integer overflows which may lead to
a potentially exploitable heap overflow and result in arbitrary code execution.

The libtiff package ships a library, for reading and writing TIFF, as well as a
small collection of tools for manipulating TIFF images. The cvt_whole_image
function used in the tiff2rgba tool and the tiffcvt function used in the
rgb2ycbcr tool do not properly validate the width and height of the image.
Specific TIFF images with large width and height can be crafted to trigger the
vulnerability.

A patch has been made available by the maintainer and further improved by Tom
Lane of Red Hat.

Affected version:

libtiff <= 3.8.2, <= 3.9 (stable), <= 4.0 (development)

Fixed version:

libtiff, N/A (patch has been made available and it's expected to be committed
to libtiff CVS)

Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei
        [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.

CVE: CVE-2009-2347

Timeline:

2009-05-22: vulnerability report received
2009-05-22: contacted libtiff maintainer
2009-06-30: report resent to maintainer due to lack of response
2009-07-01: maintainer provides patch
2009-07-04: reporter confirm fixes
2009-07-04: oCERT requests one week embargo for vendor notification
2009-07-04: maintainer confirms embargo
2009-07-07: contacted affected vendors
2009-07-07: assigned CVE
2009-07-07: improved patch contributed by Tom Lane of Red Hat
2009-07-04: reporter acknowledges patch
2009-07-13: advisory release

References:
https://bugzilla.redhat.com/attachment.cgi?id=35132
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2347

Permalink:
http://www.ocert.org/advisories/ocert-2009-012.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars@...rt.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.