Bug 20774 - CVE-2009-2347 libtiff tools integer overflows
Summary: CVE-2009-2347 libtiff tools integer overflows
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: libtiff-utils (show other bugs)
Version: unstable
Hardware: all Linux
: P3 normal
Assignee: Vladimir D. Seleznev
QA Contact: qa-sisyphus
URL: http://www.ocert.org/advisories/ocert...
Keywords: security
Depends on:
Blocks:
 
Reported: 2009-07-14 08:43 MSD by Vladimir Lettiev
Modified: 2009-07-24 03:35 MSD (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vladimir Lettiev 2009-07-14 08:43:23 MSD 
The libtiff image library tools suffer from integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.

The libtiff package ships a library, for reading and writing TIFF, as well as a small collection of tools for manipulating TIFF images. The cvt_whole_image function used in the tiff2rgba tool and the tiffcvt function used in the rgb2ycbcr tool do not properly validate the width and height of the image. Specific TIFF images with large width and height can be crafted to trigger the vulnerability.

A patch has been made available by the maintainer and further improved by Tom Lane of Red Hat ( https://bugzilla.redhat.com/attachment.cgi?id=351312 ).
Comment 1 Dmitry V. Levin 2009-07-14 10:22:39 MSD 
I'm aware of the issue.
Comment 2 Repository Robot 2009-07-24 03:35:33 MSD 
libtiff-3.8.2-alt5 -> sisyphus:

* Wed Jul 15 2009 Dmitry V. Levin <ldv@altlinux> 3.8.2-alt5

- tiff2rgba, rgb2ycbcr: Fixed potential integer overflows in
  buffer size calculations (CVE-2009-2347; closes: #20774).