what you don't know can hurt you

Mandriva Linux Security Advisory 2010-146

Mandriva Linux Security Advisory 2010-146
Posted Aug 6, 2010
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2010-146 - The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in ImageMagick, does not properly handle invalid ReferenceBlackWhite values, which allows remote attackers to cause a denial of service via a crafted TIFF image that triggers an array index error, related to downsampled OJPEG input. Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3 allow remote attackers to execute arbitrary code or cause a denial of service via a crafted TIFF file that triggers a heap-based buffer overflow. Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow. The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to cause a denial of service via a TIFF file with an invalid combination of SamplesPerPixel and Photometric values. The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes incorrect calls to the TIFFGetField function, which allows remote attackers to cause a denial of service via a crafted TIFF image, related to downsampled OJPEG input and possibly related to a compiler optimization that triggers a divide-by-zero error. The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle unknown tag types in TIFF directory entries, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted TIFF file. Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file. tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in ImageMagick, does not properly perform vertical flips, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF image, related to downsampled OJPEG input. LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service via a crafted TIFF file, a different vulnerability than CVE-2010-2443. The updated packages have been patched to correct these issues.

tags | advisory, remote, denial of service, overflow, arbitrary
systems | linux, mandriva
advisories | CVE-2010-2595, CVE-2010-1411, CVE-2010-2065, CVE-2010-2483, CVE-2010-2597, CVE-2010-2481, CVE-2010-2067, CVE-2010-2233, CVE-2010-2482
MD5 | 40631af2a0f8063cb9fc05b84d48cfbb

Mandriva Linux Security Advisory 2010-146

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:146
http://www.mandriva.com/security/
_______________________________________________________________________

Package : libtiff
Date : August 6, 2010
Affected: 2010.0, 2010.1
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been discovered and corrected in libtiff:

The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in
ImageMagick, does not properly handle invalid ReferenceBlackWhite
values, which allows remote attackers to cause a denial of service
(application crash) via a crafted TIFF image that triggers an array
index error, related to downsampled OJPEG input. (CVE-2010-2595)

Multiple integer overflows in the Fax3SetupState function in tif_fax3.c
in the FAX3 decoder in LibTIFF before 3.9.3 allow remote attackers to
execute arbitrary code or cause a denial of service (application crash)
via a crafted TIFF file that triggers a heap-based buffer overflow
(CVE-2010-1411).

Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted TIFF file
that triggers a buffer overflow (CVE-2010-2065).

The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers
to cause a denial of service (out-of-bounds read and application crash)
via a TIFF file with an invalid combination of SamplesPerPixel and
Photometric values (CVE-2010-2483).

The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2
makes incorrect calls to the TIFFGetField function, which allows
remote attackers to cause a denial of service (application crash) via
a crafted TIFF image, related to downsampled OJPEG input and possibly
related to a compiler optimization that triggers a divide-by-zero error
(CVE-2010-2597).

The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly
handle unknown tag types in TIFF directory entries, which allows
remote attackers to cause a denial of service (out-of-bounds read
and application crash) via a crafted TIFF file (CVE-2010-248).

Stack-based buffer overflow in the TIFFFetchSubjectDistance function
in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a long EXIF SubjectDistance field in a TIFF file
(CVE-2010-2067).

tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as
used in ImageMagick, does not properly perform vertical flips, which
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted TIFF image,
related to downsampled OJPEG input. (CVE-2010-2233).

LibTIFF 3.9.4 and earlier does not properly handle an invalid
td_stripbytecount field, which allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash)
via a crafted TIFF file, a different vulnerability than CVE-2010-2443
(CVE-2010-2482).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2595
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2597
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2481
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2233
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2482
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2010.0:
ceb7febb41b948977f6196b5bf31d538 2010.0/i586/libtiff3-3.9.1-4.1mdv2010.0.i586.rpm
d38ee02dca1666e8d8f7c628e9debcbe 2010.0/i586/libtiff-devel-3.9.1-4.1mdv2010.0.i586.rpm
e022bf3d3badddd3c480b4143a8cc2ec 2010.0/i586/libtiff-progs-3.9.1-4.1mdv2010.0.i586.rpm
6f18f9ce3d9582ea3f6f9ddd7b1680d8 2010.0/i586/libtiff-static-devel-3.9.1-4.1mdv2010.0.i586.rpm
69aa854e6935c2d111e44e84225f6f69 2010.0/SRPMS/libtiff-3.9.1-4.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
3965284cc51603cfdc0d9420104b8fd3 2010.0/x86_64/lib64tiff3-3.9.1-4.1mdv2010.0.x86_64.rpm
2768094532f4d1941ef66bae6da6ea15 2010.0/x86_64/lib64tiff-devel-3.9.1-4.1mdv2010.0.x86_64.rpm
2e08c6517abcf34dab75040fbee15212 2010.0/x86_64/lib64tiff-static-devel-3.9.1-4.1mdv2010.0.x86_64.rpm
3c81e78d3c389abcc370add6af857d12 2010.0/x86_64/libtiff-progs-3.9.1-4.1mdv2010.0.x86_64.rpm
69aa854e6935c2d111e44e84225f6f69 2010.0/SRPMS/libtiff-3.9.1-4.1mdv2010.0.src.rpm

Mandriva Linux 2010.1:
0ddf3e069a91387a7d85ad5aacd1dd81 2010.1/i586/libtiff3-3.9.2-2.1mdv2010.1.i586.rpm
53d5d64cb3bb34a78d52776d42e0ed16 2010.1/i586/libtiff-devel-3.9.2-2.1mdv2010.1.i586.rpm
e549b78e6658cb9a408454bf698e2ead 2010.1/i586/libtiff-progs-3.9.2-2.1mdv2010.1.i586.rpm
821179322f86ba6dcc96dd6afc48fd0f 2010.1/i586/libtiff-static-devel-3.9.2-2.1mdv2010.1.i586.rpm
31563b8124d1953b9c8849e0a63f5422 2010.1/SRPMS/libtiff-3.9.2-2.1mdv2010.1.src.rpm

Mandriva Linux 2010.1/X86_64:
e858e4c72c5191395d4db7f994ffd7c4 2010.1/x86_64/lib64tiff3-3.9.2-2.1mdv2010.1.x86_64.rpm
6bdce5697bc818f57cb56d22ce989b30 2010.1/x86_64/lib64tiff-devel-3.9.2-2.1mdv2010.1.x86_64.rpm
daaf9562d71e8076e87578f25b8dbebe 2010.1/x86_64/lib64tiff-static-devel-3.9.2-2.1mdv2010.1.x86_64.rpm
36d9eef4dd2739944f05fe7edd4e76f8 2010.1/x86_64/libtiff-progs-3.9.2-2.1mdv2010.1.x86_64.rpm
31563b8124d1953b9c8849e0a63f5422 2010.1/SRPMS/libtiff-3.9.2-2.1mdv2010.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMXDLBmqjQ0CJFipgRAsxuAJ9WAKaIXwvgmXJzs8W+fgn2/2+E/gCg9RT9
1DtIJJ4PJJj+9xrl7Yhsyw8=
=Ov4p
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close