Several integer overflow flaws, leading to heap-based buffer
overflows, were found in various libtiff inter-color-space
conversion tools. An attacker could create a specially crafted
TIFF file which, once opened by an unsuspecting user, would
cause the conversion tool to crash or, potentially, execute
arbitrary code with the privileges of the user running the tool.
Created attachment 351312
The original patch missed two out of three places with the same bug in
tiff2rgba. (I looked around for additional occurrences and didn't find any,
though I can't swear there are none.) Also, I checked with Frank Warmerdam who
disapproved of letting the tools/ files use tiffiop.h, so the revised patch
does not use _TIFFCheckMalloc. Some other cleanup too, mostly around being
careful if size_t is wider than 32 bits and not claiming that
possibly-perfectly-legal files are "malformed".
Public now via:
libtiff-3.8.2-14.fc11 has been submitted as an update for Fedora 11.
libtiff-3.8.2-14.fc10 has been submitted as an update for Fedora 10.
Filed upstream as http://bugzilla.maptools.org/show_bug.cgi?id=2079
MITRE's CVE record (CVE-2009-2347):
Multiple integer overflows in inter-color spaces conversion tools in
libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent
attackers to execute arbitrary code via a TIFF image with large (1)
width and (2) height values, which triggers a heap-based buffer
overflow in the (a) cvt_whole_image function in tiff2rgba and (b)
tiffcvt function in rgb2ycbcr.
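The arithmetic behind the flaw described above and in the CVE record, as an added example in C that is not libtiff's code: a 32-bit width*height*bytes-per-pixel product wraps so the raster is under-allocated, shown beside an overflow-checked size computation of the kind the fix introduces. The function names, the 4-byte RGBA pixel and the sample dimensions are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the raster buffer a libtiff conversion tool
 * allocates: width*height pixels of 4 bytes (RGBA). Not libtiff code. */
#define BYTES_PER_PIXEL 4u

/* Unchecked pattern: the product is evaluated in 32-bit unsigned
 * arithmetic, so a large enough width*height wraps and the tool asks
 * malloc for far fewer bytes than the image decodes into. Only the
 * wrapped byte count is returned here; nothing is allocated. */
uint32_t unchecked_raster_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Checked replacement: widen before multiplying and reject any result
 * that does not fit in size_t, so the check is correct whether size_t
 * is 32 or 64 bits wide. Returns 0 for an empty image or on overflow,
 * otherwise the exact byte count. */
size_t checked_raster_bytes(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    uint64_t pixels = (uint64_t)width * height;  /* 32x32 bits fits in 64 */
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;                                /* bytes would wrap size_t */
    return (size_t)pixels * BYTES_PER_PIXEL;
}

/* Allocate the raster only once the size computation is known sound. */
unsigned char *alloc_raster(uint32_t width, uint32_t height)
{
    size_t bytes = checked_raster_bytes(width, height);
    return bytes ? (unsigned char *)calloc(1, bytes) : NULL;
}

int main(void)
{
    /* 32768 x 32768 RGBA is exactly 2^32 bytes: the 32-bit product wraps to 0. */
    printf("unchecked: %u bytes\n", unchecked_raster_bytes(32768, 32768));
    printf("checked:   %zu bytes (0 = rejected)\n",
           checked_raster_bytes(32768, 32768));
    unsigned char *r = alloc_raster(640, 480);
    printf("640x480 raster %s\n", r ? "allocated" : "rejected");
    free(r);
    return 0;
}
```

On a 64-bit build the checked version accepts the 32768 x 32768 image and asks for the true 4 GiB; on a 32-bit build it rejects it before any allocation, while the unchecked version asks for 0 bytes on both.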
This issue has been addressed in the following products:
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2009:1159 https://rhn.redhat.com/errata/RHSA-2009-1159.html
libtiff-3.8.2-14.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
libtiff-3.8.2-14.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.