paul

Advisories MDVSA-2010:146: libtiff

Multiple vulnerabilities have been discovered and corrected in libtiff:

The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image that triggers an array index error, related to downsampled OJPEG input. (CVE-2010-2595)

Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow (CVE-2010-1411).

Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow (CVE-2010-2065).

The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values (CVE-2010-2483).

The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service (application crash) via a crafted TIFF image, related to downsampled OJPEG input and possibly related to a compiler optimization that triggers a divide-by-zero error (CVE-2010-2597).

The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file (CVE-2010-248).

Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file (CVE-2010-2067).

tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in ImageMagick, does not properly perform vertical flips, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, related to downsampled OJPEG input. (CVE-2010-2233).

LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted TIFF file, a different vulnerability than CVE-2010-2443 (CVE-2010-2482).

The updated packages have been patched to correct these issues.

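The integer-overflow entries in the advisory (Fax3SetupState, TIFFroundup) share one pattern: a size derived from file-controlled fields wraps around, and the buffer allocated from it is too small. The C code below is an added illustration of that pattern and of a checked alternative; it is not libtiff's source or the patch shipped in the updated packages, and the function names, the 32-bit word padding and the sample width value are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked round-up of x to a multiple of y (generic idiom, not libtiff's
 * source). When x is close to UINT32_MAX the addition wraps, so the result
 * can be smaller than x. */
static uint32_t roundup_unchecked(uint32_t x, uint32_t y)
{
    return ((x + (y - 1)) / y) * y;
}

/* Checked round-up: 0 on success, -1 if y is 0 or the result needs > 32 bits. */
static int roundup_checked(uint32_t x, uint32_t y, uint32_t *out)
{
    if (y == 0)
        return -1;
    uint32_t pad = (x % y) ? y - (x % y) : 0;
    if (x > UINT32_MAX - pad)
        return -1;
    *out = x + pad;
    return 0;
}

/* Hypothetical decoder setup: allocate `rows` scanlines of `row_bits` bits,
 * each padded to a 32-bit word. Both values are treated as untrusted file
 * fields. Returns NULL instead of an undersized buffer on overflow. */
static void *alloc_rows(uint32_t row_bits, uint32_t rows, size_t *total)
{
    uint32_t padded_bits;
    if (roundup_checked(row_bits, 32, &padded_bits) != 0)
        return NULL;
    size_t row_bytes = padded_bits / 8;
    if (rows == 0 || row_bytes == 0 || row_bytes > SIZE_MAX / rows)
        return NULL;
    *total = row_bytes * rows;
    return malloc(*total);
}

int main(void)
{
    uint32_t width = 0xFFFFFFF0u;   /* constructed hostile width field */
    size_t total = 0;
    void *buf = alloc_rows(width, 4, &total);
    printf("unchecked roundup: %u\n", (unsigned)roundup_unchecked(width, 32));
    printf("checked allocation: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```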