Several integer overflow flaws, leading to heap-based buffer overflows, were found in various libtiff inter-color space conversion tools. An attacker could create a specially-crafted TIFF file which, once opened by an unsuspecting user, would cause the conversion tool to crash or, potentially, execute arbitrary code with the privileges of the user running the tool.
Created attachment 351312: revised patch

The original patch missed two out of three places with the same bug in tiff2rgba. (I looked around for additional occurrences and didn't find any, though I can't swear there are none.) Also, I checked with Frank Warmerdam who disapproved of letting the tools/ files use tiffiop.h, so the revised patch does not use _TIFFCheckMalloc. Some other cleanup too, mostly around being careful if size_t is wider than 32 bits and not claiming that possibly-perfectly-legal files are "malformed".
Public now via: http://article.gmane.org/gmane.linux.debian.devel.changes.unstable/178563/
libtiff-3.8.2-14.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/libtiff-3.8.2-14.fc11
libtiff-3.8.2-14.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/libtiff-3.8.2-14.fc10
Filed upstream as http://bugzilla.maptools.org/show_bug.cgi?id=2079
MITRE's CVE record (CVE-2009-2347): Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.

References:
-----------
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2347
http://www.securityfocus.com/archive/1/archive/1/504892/100/0/threaded
http://www.ocert.org/advisories/ocert-2009-012.html
http://article.gmane.org/gmane.linux.debian.devel.changes.unstable/178563/
http://bugzilla.maptools.org/show_bug.cgi?id=2079
http://www.mandriva.com/security/advisories?name=MDVSA-2009:150
http://www.securityfocus.com/bid/35652
http://secunia.com/advisories/35817
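The flaw class described in the CVE record is a raster size computed as width times height (times bytes per pixel) in 32-bit arithmetic, wrapping to a small value and yielding an undersized heap buffer that the decoder then overruns. The following is an added illustration, not libtiff code and not the patch attached to this bug: a naive 32-bit size computation shown beside an overflow-checked one that refuses to allocate when the product cannot be represented. Function names (naive_raster_bytes32, checked_raster_bytes, alloc_raster) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Naive size computation done entirely in 32-bit unsigned arithmetic.
 * Illustrates the failure mode only: width * height wraps modulo 2^32,
 * so a huge image can produce a tiny allocation size. */
uint32_t naive_raster_bytes32(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;   /* silently wraps on overflow */
}

/* Overflow-checked raster size (hypothetical helper, not libtiff's).
 * Returns the byte count when width * height * bytes_per_pixel fits in
 * size_t, or 0 when any operand is zero or the product would overflow.
 * Zero is never a valid raster size, so it doubles as the error value. */
size_t checked_raster_bytes(uint32_t width, uint32_t height, size_t bytes_per_pixel)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;

    /* The pixel count is computed in 64 bits so a 32-bit wraparound
     * cannot hide; this also works correctly when size_t is 32 bits. */
    uint64_t pixels = (uint64_t)width * (uint64_t)height;

    /* Reject before multiplying: pixels * bpp must not exceed SIZE_MAX. */
    if (pixels > (uint64_t)(SIZE_MAX / bytes_per_pixel))
        return 0;

    return (size_t)pixels * bytes_per_pixel;   /* proven to fit in size_t */
}

/* Allocate a raster buffer only when its size is representable.
 * Returns NULL (and allocates nothing) on overflow or allocation failure. */
void *alloc_raster(uint32_t width, uint32_t height, size_t bytes_per_pixel)
{
    size_t n = checked_raster_bytes(width, height, bytes_per_pixel);
    if (n == 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions: 65536 x 65536 wraps to 0 in 32-bit math. */
    uint32_t w = 0x10000u, h = 0x10000u;
    printf("naive 32-bit size for %u x %u x 1: %u bytes\n",
           w, h, naive_raster_bytes32(w, h, 1));

    size_t ok = checked_raster_bytes(640, 480, 4);
    printf("checked size for 640 x 480 x 4: %zu bytes\n", ok);

    void *p = alloc_raster(0xFFFFFFFFu, 0xFFFFFFFFu, 4);
    printf("alloc for 4294967295 x 4294967295 x 4: %s\n",
           p == NULL ? "refused (overflow)" : "allocated");
    free(p);
    return 0;
}
```

The key property is that the check happens on the full-width product before any allocation, and that the caller treats a refusal as a malformed-input error rather than falling back to a smaller buffer. A tool that validates the size this way turns the overflow into a clean rejection of the file instead of a heap overwrite.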
This issue has been addressed in the following products:

Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1159 https://rhn.redhat.com/errata/RHSA-2009-1159.html
libtiff-3.8.2-14.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.8.2-14.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.