Bug 510041 - (CVE-2009-2347) CVE-2009-2347 libtiff: integer overflows in various inter-color spaces conversion tools (crash, ACE)
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
Depends On: 507722 507723 507724 507725 507726 809169
Reported: 2009-07-07 10:29 EDT by Vincent Danen
Modified: 2016-03-04 07:01 EST
Doc Type: Bug Fix
Last Closed: 2010-07-08 12:19:44 EDT

Attachments
revised patch (5.02 KB, patch), attached 2009-07-10 19:02 EDT by Tom Lane

External Trackers
Red Hat Product Errata RHSA-2009:1159 (priority normal, status SHIPPED_LIVE): Moderate: libtiff security update, last updated 2009-07-16 15:50:26 EDT

Comment 7 Jan Lieskovsky 2009-07-10 08:24:06 EDT
Several integer overflow flaws, leading to heap-based buffer
overflows were found in various libtiff's inter-color spaces
conversion tools. An attacker could create a specially-crafted
TIFF file, which once opened by an unsuspecting user, would
cause the conversion tool to crash or, potentially, execute
arbitrary code with the privileges of the user running the tool.
Comment 9 Tom Lane 2009-07-10 19:02:43 EDT
Created attachment 351312 [details]
revised patch

The original patch missed two out of three places with the same bug in
tiff2rgba.  (I looked around for additional occurrences and didn't find any,
though I can't swear there are none.)  Also, I checked with Frank Warmerdam who
disapproved of letting the tools/ files use tiffiop.h, so the revised patch
does not use _TIFFCheckMalloc.  Some other cleanup too, mostly around being
careful if size_t is wider than 32 bits and not claiming that
possibly-perfectly-legal files are "malformed".
Comment 11 Jan Lieskovsky 2009-07-13 10:29:54 EDT
Public now via:

Comment 12 Fedora Update System 2009-07-13 11:02:34 EDT
libtiff-3.8.2-14.fc11 has been submitted as an update for Fedora 11.
Comment 13 Fedora Update System 2009-07-13 11:02:40 EDT
libtiff-3.8.2-14.fc10 has been submitted as an update for Fedora 10.
Comment 14 Tom Lane 2009-07-13 11:33:12 EDT
Filed upstream as http://bugzilla.maptools.org/show_bug.cgi?id=2079
Comment 15 Jan Lieskovsky 2009-07-15 10:54:13 EDT
MITRE's CVE record (CVE-2009-2347):

Multiple integer overflows in inter-color spaces conversion tools in
libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent
attackers to execute arbitrary code via a TIFF image with large (1)
width and (2) height values, which triggers a heap-based buffer
overflow in the (a) cvt_whole_image function in tiff2rgba and (b)
tiffcvt function in rgb2ycbcr.

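The flaw that comments 9 and 15 describe is a raster size computed from the TIFF width and height tags that wraps around before the buffer is allocated. The following C code is an added illustration, not the Red Hat or upstream patch: it places the unchecked pattern beside an overflow-checked computation that, as comment 9 asks of the revised patch, behaves correctly whether size_t is 32 or 64 bits wide and rejects only sizes that genuinely cannot be represented. The function names, the 4-byte RGBA pixel size and the sample dimensions are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical stand-in for a converter's raster allocation (as in tiff2rgba):
 * width * height pixels at 4 bytes (RGBA) each. TIFF width and height are
 * 32-bit values, as in libtiff's uint32 tag fields. */
#define BYTES_PER_PIXEL 4u

/* Unchecked pattern: both multiplications happen in 32-bit unsigned
 * arithmetic and wrap silently, so a crafted width/height pair yields a far
 * too small allocation and the conversion loop later writes past its end. */
size_t raster_bytes_unchecked(uint32_t width, uint32_t height)
{
    uint32_t npixels = width * height;           /* wraps modulo 2^32 */
    return (size_t)(npixels * BYTES_PER_PIXEL);  /* wraps again */
}

/* Checked pattern: multiply in size_t and confirm each step by dividing back.
 * With 32-bit operands the first product cannot overflow a 64-bit size_t, but
 * it can overflow a 32-bit one, and the second step can overflow either width;
 * only a size that genuinely does not fit is rejected (large legal files pass).
 * Returns 0 when the size is unrepresentable or the image is empty. */
size_t raster_bytes_checked(uint32_t width, uint32_t height)
{
    size_t w = width, h = height, npixels, nbytes;
    if (w == 0 || h == 0)
        return 0;
    npixels = w * h;
    if (npixels / w != h)
        return 0;                       /* w * h overflowed size_t */
    nbytes = npixels * BYTES_PER_PIXEL;
    if (nbytes / BYTES_PER_PIXEL != npixels)
        return 0;                       /* * 4 overflowed size_t */
    return nbytes;
}

/* Allocate the raster only after the size has been validated. */
void *alloc_raster(uint32_t width, uint32_t height)
{
    size_t nbytes = raster_bytes_checked(width, height);
    if (nbytes == 0) {
        fprintf(stderr, "%u x %u raster does not fit in memory\n",
                (unsigned)width, (unsigned)height);
        return NULL;
    }
    return malloc(nbytes);
}
```

With constructed dimensions of 65536 x 65536, the unchecked form computes 0 bytes, while the checked form either returns the true 16 GiB size (64-bit size_t) or refuses the allocation (32-bit size_t).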
Comment 16 errata-xmlrpc 2009-07-16 15:50:38 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1159 https://rhn.redhat.com/errata/RHSA-2009-1159.html
Comment 17 Fedora Update System 2009-07-19 06:12:53 EDT
libtiff-3.8.2-14.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2009-07-19 06:30:15 EDT
libtiff-3.8.2-14.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
