A flaw was found in the way that LibTIFF attempted to allocate space for a tile within a TIFF image file. When calculating the size for a buffer, LibTIFF performs a multiply that can cause an integer overflow. After allocation, LibTIFF will initialize the buffer with the tile data, which can cause code execution under the context of the application using LibTIFF, and with the calling user's permissions. http://bugzilla.maptools.org/show_bug.cgi?id=2369
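To make the failure mode concrete, here is an added example (not libtiff's own code) contrasting an unchecked tile-size computation with one that validates every intermediate product. The tile-size formula, the function names and the sample dimensions are assumptions constructed for illustration; the 0-on-overflow return convention mirrors the "Integer overflow in TIFFVTileSize" rejection seen in the 64-bit run.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply two 32-bit sizes; return 0 if the product would not fit in
   32 bits. Callers treat 0 as "invalid tile size, reject the file".
   Added example, not libtiff code. */
static uint32_t checked_mul32(uint32_t a, uint32_t b)
{
    uint64_t p = (uint64_t)a * b;   /* widen so the product cannot wrap */
    if (p > UINT32_MAX)
        return 0;
    return (uint32_t)p;
}

/* Unchecked buffer size for one tile (hypothetical formula):
   the 32-bit products wrap silently, so a huge tile can yield a tiny
   allocation that the tile data later overruns. */
static uint32_t tile_size_unchecked(uint32_t tw, uint32_t tl,
                                    uint32_t spp, uint32_t bps)
{
    uint32_t row_bytes = (tw * spp * bps + 7) / 8;
    return row_bytes * tl;
}

/* Hardened version: every product is range-checked and a zero result
   is reported as an error instead of being passed to the allocator. */
static uint32_t tile_size_checked(uint32_t tw, uint32_t tl,
                                  uint32_t spp, uint32_t bps)
{
    uint32_t bits = checked_mul32(checked_mul32(tw, spp), bps);
    if (bits == 0 || bits > UINT32_MAX - 7)
        return 0;
    uint32_t row_bytes = (bits + 7) / 8;
    return checked_mul32(row_bytes, tl);   /* 0 on overflow */
}

int main(void)
{
    /* Constructed dimensions: 65537 x 65536 tile, 1 sample, 8 bits. */
    uint32_t bad = tile_size_unchecked(65537, 65536, 1, 8);
    uint32_t ok  = tile_size_checked(65537, 65536, 1, 8);
    printf("unchecked size: %u (wrapped)\n", bad);   /* 65536 */
    printf("checked size:   %u (rejected)\n", ok);   /* 0 */
    printf("sane 256x256 RGB8 tile: %u bytes\n",
           tile_size_checked(256, 256, 3, 8));       /* 196608 */
    return 0;
}
```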
Note: Segfault seen on 32 bit only.

RHEL6 - x86_64
==============
[root@dhcp201-201 ~]# tifftopnm poc.tif
poc.tif: Integer overflow in TIFFVTileSize.
TIFFReadDirectory: poc.tif: cannot handle zero tile size.
tifftopnm: error opening TIFF file poc.tif
[root@dhcp201-201 ~]# arch
x86_64

RHEL6 - x86
===========
[root@rhel6-server-x32 ~]# tifftopnm poc.tif
tifftopnm: writing PPM file
P6
800 607 255
Segmentation fault
[root@rhel6-server-x32 ~]# arch
i686
This is to be embargoed until April 4th at 1pm PST.
Created libtiff tracking bugs for this issue Affects: fedora-all [bug 810116]
Created mingw32-libtiff tracking bugs for this issue Affects: fedora-all [bug 810118]
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
Via RHSA-2012:0468 https://rhn.redhat.com/errata/RHSA-2012-0468.html
libtiff-3.9.5-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.9.5-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.9.5-3.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.