Bug 510041 (CVE-2009-2347) - CVE-2009-2347 libtiff: integer overflows in various inter-color spaces conversion tools (crash, ACE)
Summary: CVE-2009-2347 libtiff: integer overflows in various inter-color spaces conver...
Alias: CVE-2009-2347
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 507722 507723 507724 507725 507726 809169
Reported: 2009-07-07 14:29 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-07-08 16:19:44 UTC

Attachments
revised patch (5.02 KB, patch)
2009-07-10 23:02 UTC, Tom Lane

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1159 0 normal SHIPPED_LIVE Moderate: libtiff security update 2009-07-16 19:50:26 UTC

Comment 7 Jan Lieskovsky 2009-07-10 12:24:06 UTC
Several integer overflow flaws, leading to heap-based buffer
overflows were found in various libtiff's inter-color spaces
conversion tools. An attacker could create a specially-crafted
TIFF file, which once opened by an unsuspecting user, would
cause the conversion tool to crash or, potentially, execute
arbitrary code with the privileges of the user running the tool.

Comment 9 Tom Lane 2009-07-10 23:02:43 UTC
Created attachment 351312
revised patch

The original patch missed two out of three places with the same bug in
tiff2rgba.  (I looked around for additional occurrences and didn't find any,
though I can't swear there are none.)  Also, I checked with Frank Warmerdam who
disapproved of letting the tools/ files use tiffiop.h, so the revised patch
does not use _TIFFCheckMalloc.  Some other cleanup too, mostly around being
careful if size_t is wider than 32 bits and not claiming that
possibly-perfectly-legal files are "malformed".

Comment 11 Jan Lieskovsky 2009-07-13 14:29:54 UTC
Public now via:


Comment 12 Fedora Update System 2009-07-13 15:02:34 UTC
libtiff-3.8.2-14.fc11 has been submitted as an update for Fedora 11.

Comment 13 Fedora Update System 2009-07-13 15:02:40 UTC
libtiff-3.8.2-14.fc10 has been submitted as an update for Fedora 10.

Comment 14 Tom Lane 2009-07-13 15:33:12 UTC
Filed upstream as http://bugzilla.maptools.org/show_bug.cgi?id=2079

Comment 15 Jan Lieskovsky 2009-07-15 14:54:13 UTC
MITRE's CVE record (CVE-2009-2347):

Multiple integer overflows in inter-color spaces conversion tools in
libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent
attackers to execute arbitrary code via a TIFF image with large (1)
width and (2) height values, which triggers a heap-based buffer
overflow in the (a) cvt_whole_image function in tiff2rgba and (b)
tiffcvt function in rgb2ycbcr.

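The bug class behind this CVE is the raster-size arithmetic the MITRE record describes: a conversion tool multiplies a TIFF header's width and height (and the bytes per pixel) in a 32-bit type, the product wraps, and the heap buffer allocated from that wrapped value is smaller than the image the tool then writes into it. The following is an added example written for this page, not libtiff's or tiff2rgba's own code: it shows the wrapping computation beside a checked version that rejects overflow before allocating, and that also refuses sizes which would survive a 64-bit size_t but be truncated when handed to a 32-bit allocation size type, the "size_t wider than 32 bits" point raised in comment 9. The function names, the INT32_MAX cap standing in for a 32-bit tsize_t, and the sample dimensions are all assumptions made for illustration.

```c
/* Added example, not libtiff code: width*height*bytes_per_pixel raster
 * sizing, unchecked (wraps) and checked (rejects overflow).
 * Assumed for illustration: 4 bytes per pixel (packed RGBA) and an
 * allocation API whose size parameter is a signed 32-bit type. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BYTES_PER_PIXEL 4u            /* assumed: one uint32_t per pixel */
#define TSIZE_MAX_ASSUMED INT32_MAX   /* assumed: 32-bit signed allocation size */

/* Vulnerable pattern: the whole product is computed in 32 bits, so a
 * crafted width/height pair wraps to a small value and the buffer
 * allocated from it is undersized for the pixels written afterwards. */
static uint32_t raster_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened version: test each multiplication before performing it, then
 * also refuse any size that does not fit the 32-bit allocation type, which
 * matters on platforms where size_t is 64 bits and the product itself
 * would not wrap. Returns 0 when the dimensions are rejected. */
static size_t raster_bytes_checked(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)
        return 0;                               /* width*height overflows size_t */
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;                               /* *bytes_per_pixel overflows size_t */
    size_t bytes = pixels * BYTES_PER_PIXEL;
    if (bytes > (size_t)TSIZE_MAX_ASSUMED)
        return 0;                               /* would truncate in a 32-bit size */
    return bytes;
}

/* Allocate from the checked size and write the last row, the write that
 * overruns an undersized heap buffer in the vulnerable tools. Returns 1 on
 * success, 0 when the dimensions are rejected or allocation fails. */
static int convert_raster(uint32_t width, uint32_t height)
{
    size_t bytes = raster_bytes_checked(width, height);
    if (bytes == 0) {
        fprintf(stderr, "rejected %ux%u: raster size overflows\n", width, height);
        return 0;
    }
    uint32_t *raster = malloc(bytes);
    if (raster == NULL)
        return 0;
    /* in bounds only because raster_bytes_checked accepted the dimensions */
    memset(raster + (size_t)(height - 1) * width, 0xff,
           (size_t)width * BYTES_PER_PIXEL);
    free(raster);
    return 1;
}

int main(void)
{
    /* constructed dimensions: a normal image and a crafted header */
    uint32_t w_bad = 0x10000u, h_bad = 0x4001u;   /* ~1.07 G pixels */
    printf("640x480        unchecked=%u checked=%zu\n",
           raster_bytes_unchecked(640, 480), raster_bytes_checked(640, 480));
    printf("%ux%u   unchecked=%u checked=%zu\n", w_bad, h_bad,
           raster_bytes_unchecked(w_bad, h_bad), raster_bytes_checked(w_bad, h_bad));
    return (convert_raster(640, 480) && !convert_raster(w_bad, h_bad)) ? 0 : 1;
}
```

With the crafted 65536x16385 header the unchecked product is 0x100040000, which wraps to 0x40000 (256 KiB) in 32 bits, while the image data the tool goes on to write is about four gigabytes; the checked version returns 0 for the same input and the conversion is refused before any allocation. The check has to sit on the multiplication itself, not on the result, because once the product has wrapped there is nothing left to compare against.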

Comment 16 errata-xmlrpc 2009-07-16 19:50:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1159 https://rhn.redhat.com/errata/RHSA-2009-1159.html

Comment 17 Fedora Update System 2009-07-19 10:12:53 UTC
libtiff-3.8.2-14.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2009-07-19 10:30:15 UTC
libtiff-3.8.2-14.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
