Jump to content

Advisories MDVSA-2010:146: libtiff


paul
 Share

Recommended Posts

Multiple vulnerabilities has been discovered and corrected in libtiff:

 

The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in

ImageMagick, does not properly handle invalid ReferenceBlackWhite

values, which allows remote attackers to cause a denial of service

(application crash) via a crafted TIFF image that triggers an array

index error, related to downsampled OJPEG input. (CVE-2010-2595)

 

Multiple integer overflows in the Fax3SetupState function in tif_fax3.c

in the FAX3 decoder in LibTIFF before 3.9.3 allow remote attackers to

execute arbitrary code or cause a denial of service (application crash)

via a crafted TIFF file that triggers a heap-based buffer overflow

(CVE-2010-1411).

 

Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3

allows remote attackers to cause a denial of service (application

crash) or possibly execute arbitrary code via a crafted TIFF file

that triggers a buffer overflow (CVE-2010-2065).

 

The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers

to cause a denial of service (out-of-bounds read and application crash)

via a TIFF file with an invalid combination of SamplesPerPixel and

Photometric values (CVE-2010-2483).

 

The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2

makes incorrect calls to the TIFFGetField function, which allows

remote attackers to cause a denial of service (application crash) via

a crafted TIFF image, related to downsampled OJPEG input and possibly

related to a compiler optimization that triggers a divide-by-zero error

(CVE-2010-2597).

 

The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly

handle unknown tag types in TIFF directory entries, which allows

remote attackers to cause a denial of service (out-of-bounds read

and application crash) via a crafted TIFF file (CVE-2010-248).

 

Stack-based buffer overflow in the TIFFFetchSubjectDistance function

in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to

cause a denial of service (application crash) or possibly execute

arbitrary code via a long EXIF SubjectDistance field in a TIFF file

(CVE-2010-2067).

 

tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as

used in ImageMagick, does not properly perform vertical flips, which

allows remote attackers to cause a denial of service (application

crash) or possibly execute arbitrary code via a crafted TIFF image,

related to downsampled OJPEG input. (CVE-2010-2233).

 

LibTIFF 3.9.4 and earlier does not properly handle an invalid

td_stripbytecount field, which allows remote attackers to cause a

denial of service (NULL pointer dereference and application crash)

via a crafted TIFF file, a different vulnerability than CVE-2010-2443

(CVE-2010-2482).

 

The updated packages have been patched to correct these issues.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

×
×
  • Create New...