Advisories MDKSA-2006:136: Updated kdegraphics packages fix multiple libtiff vulnerabilities

paul

Tavis Ormandy, Google Security Team, discovered several vulnerabilities in the libtiff image processing library. Older versions of kdegraphics use an embedded copy of the libtiff code, with possibly the same vulnerabilities:

Several buffer overflows have been discovered, including a stack buffer overflow via TIFFFetchShortPair() in tif_dirread.c, which is used to read two unsigned shorts from the input file. While a bounds check is performed via CheckDirCount(), no action is taken on the result, allowing a pathological tdir_count to read an arbitrary number of unsigned shorts onto a stack buffer. (CVE-2006-3459)

A heap overflow vulnerability was discovered in the jpeg decoder, where TIFFScanLineSize() is documented to return the size in bytes that a subsequent call to TIFFReadScanline() would write; however, the encoded jpeg stream may disagree with these results and overrun the buffer with more data than expected. (CVE-2006-3460)

The NeXT RLE decoder was also vulnerable to a heap overflow vulnerability, where no bounds checking was performed on the result of certain RLE decoding operations. This was solved by ensuring the number of pixels written did not exceed the size of the scanline buffer already prepared. (CVE-2006-3462)

An infinite loop was discovered in EstimateStripByteCounts(), where a 16-bit unsigned short was used to iterate over a 32-bit unsigned value; should the unsigned int (td_nstrips) have exceeded USHORT_MAX, the loop would never terminate and continue forever. (CVE-2006-3463)

Multiple unchecked arithmetic operations were uncovered, including a number of the range checking operations designed to ensure the offsets specified in tiff directories are legitimate. These can be caused to wrap for extreme values, bypassing sanity checks. Additionally, a number of codepaths were uncovered where assertions did not hold true, resulting in the client application calling abort(). (CVE-2006-3464)

The updated packages have been patched to correct these issues.

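Three of the defect classes the advisory names (a count check whose result is ignored, range arithmetic that wraps, and a 16-bit index iterating a 32-bit strip count) shown in a small C model, as an added illustration that is not part of this post and is not libtiff's code. The dir_entry struct, every function name, the tag value and the 16-byte sample "file" are constructed for this example and are not libtiff's types or APIs; each weak check appears beside the form that rejects the malformed input instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of a TIFF directory entry. It is not
 * libtiff's TIFFDirEntry; it carries only what the example needs. */
typedef struct {
    uint16_t tag;     /* unused in this model */
    uint32_t count;   /* the advisory's tdir_count */
    uint32_t offset;  /* file offset of the entry's data */
} dir_entry;

/* CVE-2006-3464 class: an offset/length range check that can wrap.
 * off + len is 32-bit arithmetic, so a huge off wraps to a small value
 * and passes. range_ok() expresses the same test without wrapping. */
int range_ok_naive(uint32_t off, uint32_t len, uint32_t file_len)
{
    return off + len <= file_len;
}

int range_ok(uint32_t off, uint32_t len, uint32_t file_len)
{
    return len <= file_len && off <= file_len - len;
}

/* CVE-2006-3459 class: a count check whose result must be acted on.
 * check_dir_count() reports whether tdir_count is what the tag requires;
 * fetch_short_pair() refuses to read unless it is, then validates the
 * offset with the wrap-safe check before touching the file. Values are
 * little-endian. Returns 1 on success, 0 for a rejected entry. */
static int check_dir_count(const dir_entry *e, uint32_t expected)
{
    return e->count == expected;
}

int fetch_short_pair(const dir_entry *e, const uint8_t *file,
                     uint32_t file_len, uint16_t out[2])
{
    if (!check_dir_count(e, 2))
        return 0;   /* the check decides; never copy e->count shorts */
    if (!range_ok(e->offset, 4, file_len))
        return 0;
    const uint8_t *p = file + e->offset;
    out[0] = (uint16_t)(p[0] | (p[1] << 8));
    out[1] = (uint16_t)(p[2] | (p[3] << 8));
    return 1;
}

/* Constructed 16-byte file whose pair at offset 8 is 0x0008, 0x0001.
 * Returns out[0] + out[1] if the entry is accepted, -1 if rejected. */
long demo_fetch(uint32_t tdir_count)
{
    uint8_t file[16] = {0};
    file[8] = 0x08; file[10] = 0x01;
    dir_entry e = { 0, tdir_count, 8 };
    uint16_t out[2];
    if (!fetch_short_pair(&e, file, sizeof file, out))
        return -1;
    return (long)out[0] + out[1];
}

/* CVE-2006-3463 class: in `for (uint16_t i = 0; i < td_nstrips; i++)`
 * the index wraps from 65535 back to 0 before it can reach any
 * td_nstrips above UINT16_MAX, so the loop never ends. This predicate
 * states, from the types alone, whether such a loop terminates. */
int sixteen_bit_index_loop_terminates(uint32_t td_nstrips)
{
    return td_nstrips <= UINT16_MAX;
}

/* Corrected shape: index type matches the bound type. Each strip's byte
 * count is the gap to the next offset (last strip runs to end of file);
 * offsets out of order or past file_len are rejected. Returns strips
 * filled, or -1 on a bad table. */
long fill_strip_byte_counts(const uint32_t *offsets, uint32_t td_nstrips,
                            uint32_t file_len, uint32_t *counts)
{
    for (uint32_t i = 0; i < td_nstrips; i++) {
        uint32_t end = (i + 1 < td_nstrips) ? offsets[i + 1] : file_len;
        if (offsets[i] > end || end > file_len)
            return -1;
        counts[i] = end - offsets[i];
    }
    return (long)td_nstrips;
}

int main(void)
{
    printf("well-formed pair entry: %ld\n", demo_fetch(2));       /* 9 */
    printf("pathological count:     %ld\n", demo_fetch(400000));  /* -1 */
    printf("naive range check:      %d\n", range_ok_naive(0xFFFFFFF0u, 0x20, 100)); /* 1 */
    printf("wrap-safe range check:  %d\n", range_ok(0xFFFFFFF0u, 0x20, 100));       /* 0 */
    printf("16-bit loop, 70000 strips, terminates: %d\n",
           sixteen_bit_index_loop_terminates(70000));             /* 0 */
    return 0;
}
```

The naive check accepts an offset near UINT32_MAX because the sum wraps to 0x10; rewriting the comparison as `off <= file_len - len` keeps every intermediate value in range. The same discipline (check the result of every validation and let it stop the read) is what the CheckDirCount() fix amounts to.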