[MeeGo-security] [MeeGo-SA-10:27.libtiff] Multiple Vulnerabilities in Libtiff
Ware, Ryan R
ryan.r.ware at intel.com
Tue Jan 18 19:54:01 PST 2011
=============================================================================
MeeGo-SA-10:27.libtiff Security Advisory
MeeGo Project

Topic:      Multiple Vulnerabilities in Libtiff
Category:   Graphics
Module:     libtiff
Announced:  September 3, 2010
Affects:    MeeGo 1.0
Corrected:  September 3, 2010
MeeGo BID:  5559, 5564, 5566, 5590, 5596 & 5598
CVE:        CVE-2010-2597, CVE-2010-2596, CVE-2010-2630,
            CVE-2010-2631, CVE-2010-2482 & CVE-2010-2481

For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://www.MeeGo.com/>.

I. Background

The libtiff package contains a library of functions for manipulating
TIFF (Tagged Image File Format) image format files. TIFF is a widely
used file format for bitmapped images. TIFF files usually end in the
.tif extension and they are often quite large.

II. Problem Description

CVE-2010-2597: The TIFFVStripSize function in tif_strip.c in LibTIFF
3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function,
which allows remote attackers to cause a denial of service
(application crash) via a crafted TIFF image, related to "downsampled
OJPEG input" and possibly related to a compiler optimization that
triggers a divide-by-zero error.

CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2596: The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF
3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause
a denial of service (assertion failure and application exit) via a
crafted TIFF image, related to "downsampled OJPEG input."

CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2630: The TIFFReadDirectory function in LibTIFF 3.9.0 does
not properly validate the data types of codec-specific tags that have
an out-of-order position in a TIFF file, which allows remote attackers
to cause a denial of service (application crash) via a crafted file, a
different vulnerability than CVE-2010-2481.

CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2631: LibTIFF 3.9.0 ignores tags in certain situations during
the first stage of TIFF file processing and does not properly handle
this during the second stage, which allows remote attackers to cause a
denial of service (application crash) via a crafted file, a different
vulnerability than CVE-2010-2481.

CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2482: LibTIFF 3.9.4 and earlier does not properly handle an
invalid td_stripbytecount field, which allows remote attackers to
cause a denial of service (NULL pointer dereference and application
crash) via a crafted TIFF file, a different vulnerability than
CVE-2010-2443.

CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2481: The TIFFExtractData macro in LibTIFF before 3.9.4 does
not properly handle unknown tag types in TIFF directory entries, which
allows remote attackers to cause a denial of service (out-of-bounds
read and application crash) via a crafted TIFF file.

CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism
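
Three of the conditions described above are visible in the TIFF directory itself (an unknown field type, tags that are not in ascending order, an empty or zero strip byte count), so incoming files can be triaged for them before they reach a decoder. The Python below is an added example, not part of the MeeGo advisory or of libtiff; the names screen_first_ifd and ifd_entry, the finding strings and the sample bytes are constructed here, and it assumes classic (non-BigTIFF) files and inspects only the first directory.

```python
import struct

KNOWN_TYPES = range(1, 13)   # TIFF 6.0 field types: BYTE (1) .. DOUBLE (12)
STRIPBYTECOUNTS = 279        # tag number of StripByteCounts in TIFF 6.0

def screen_first_ifd(data):
    """Return a list of findings for the first IFD of a classic TIFF file."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF: bad byte-order mark"]
    e = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        return ["not a classic TIFF: magic is %d" % magic]
    if ifd_off + 2 > len(data):
        return ["IFD offset %d is outside the file" % ifd_off]
    (count,) = struct.unpack_from(e + "H", data, ifd_off)
    findings, prev_tag = [], -1
    for i in range(count):
        pos = ifd_off + 2 + 12 * i          # each directory entry is 12 bytes
        if pos + 12 > len(data):
            findings.append("entry %d: truncated directory" % i)
            break
        tag, ftype, n, value = struct.unpack_from(e + "HHII", data, pos)
        if ftype not in KNOWN_TYPES:
            findings.append("tag %d: unknown field type %d" % (tag, ftype))
        if tag <= prev_tag:
            findings.append("tag %d: not in ascending order after tag %d" % (tag, prev_tag))
        # value is only compared with zero, so inline SHORT packing does not matter
        if tag == STRIPBYTECOUNTS and (n == 0 or (n == 1 and value == 0)):
            findings.append("tag 279: empty or zero StripByteCounts")
        prev_tag = max(prev_tag, tag)
    return findings

def ifd_entry(tag, ftype, n, value):
    return struct.pack("<HHII", tag, ftype, n, value)

# Constructed sample: little-endian header plus one IFD, no pixel data.
SAMPLE = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 4)
          + ifd_entry(256, 3, 1, 16)      # ImageWidth, SHORT
          + ifd_entry(279, 4, 1, 0)       # StripByteCounts of zero
          + ifd_entry(257, 3, 1, 16)      # ImageLength placed after tag 279
          + ifd_entry(65000, 99, 1, 0)    # private tag with undefined type 99
          + struct.pack("<I", 0))         # offset of next IFD: none

if __name__ == "__main__":
    for line in screen_first_ifd(SAMPLE):
        print(line)
```

A file that produces no findings here can still exercise the OJPEG issues listed above, which depend on codec data this check does not read.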

III. Impact

CVE-2010-2597: Disruption of service and other unknown issues due to
incorrect input validation (CWE-20)
CVE-2010-2596: Disruption of service and other unknown issues due to
incorrect input validation (CWE-20)
CVE-2010-2630: Disruption of service and other unknown issues due to
incorrect input validation (CWE-20)
CVE-2010-2631: Disruption of service and other unknown issues due to
incorrect input validation (CWE-20)
CVE-2010-2482: Disruption of service and other unknown issues
CVE-2010-2481: Disruption of service and other unknown issues due to
buffer errors (CWE-119)

IV. Workaround

None

V. Solution

Update to package libtiff-3.9.4-19.1 or later.

VI. References

http://bugs.meego.com/show_bug.cgi?id=5559
http://bugs.meego.com/show_bug.cgi?id=5564
http://bugs.meego.com/show_bug.cgi?id=5566
http://bugs.meego.com/show_bug.cgi?id=5590
http://bugs.meego.com/show_bug.cgi?id=5596
http://bugs.meego.com/show_bug.cgi?id=5598
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2597
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2596
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2630
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2631
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2482
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2481
http://cwe.mitre.org/data/definitions/20.html
http://cwe.mitre.org/data/definitions/119.html