Hi,

On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
> libtiff STRIPOFFSETS Integer Overflow Vulnerability
>
> iDEFENSE Security Advisory 12.21.04
> www.idefense.com/application/poi/display?id=173&type=vulnerabilities
> December 21, 2004
>
> I. BACKGROUND
>
> libtiff provides support for the Tag Image File Format (TIFF), a widely
> used format for storing image data.
>
> More information is available at the following site:
> http://www.remotesensing.org/libtiff/
>
> II. DESCRIPTION
>
> Remote exploitation of an integer overflow in libtiff may allow for the
> execution of arbitrary code.
>
> The overflow occurs in the parsing of TIFF files set with the
> STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
> function, the number of strips (nstrips) is used directly in a
> CheckMalloc() routine without sanity checking. The call ultimately boils
> down to:
>
> malloc(user_supplied_int*size(int32));
>
> When supplied 0x40000000 as the user supplied integer, malloc is called
> with a length argument of 0. This has the effect of returning the
> smallest possible malloc chunk. A user controlled buffer is subsequently
> copied to that small heap buffer, causing a heap overflow.
>
> When exploited, it is possible to overwrite heap structures and seize
> control of execution.
>
> III. ANALYSIS
>
> An attacker can exploit the above-described vulnerability to execute
> arbitrary code under the permissions of the target user. Successful
> exploitation requires that the attacker convince the end user to open
> the malicious TIFF file using an application linked with a vulnerable
> version of libtiff. Exploitation of this vulnerability against a remote
> target is difficult because of the precision required in the attack.
>
> IV. DETECTION
>
> iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
> introduced in libtiff 3.7.0 that had the effect of fixing this
> vulnerability.
>
> The following vendors provide susceptible libtiff packages within their
> respective operating system distributions:
>
> - Gentoo Linux
> - Fedora Linux
> - RedHat Linux
> - SuSE Linux
> - Debian Linux
>
> V. WORKAROUND
>
> Only open TIFF files from trusted users.
>
> VI. VENDOR RESPONSE
>
> This issue is addressed in libtiff 3.7.0 and 3.7.1.
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

I believe this issue is a subset of CAN-2004-0886 which was fixed in the
middle of October.

-- 
ldv
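The arithmetic the advisory describes, as an added example that is not part of the message above and not libtiff's own code: a model of the 32-bit size computation in which 0x40000000 strips times a 4-byte entry wraps to a malloc length of 0, beside a hardened table reader that rejects the count before multiplying and also bounds-checks the copy against the file. The function names (table_bytes_wrapping, table_bytes_checked, fetch_strip_table, strip_offset_at) and the sample_file bytes are assumptions made for this example; the sample is a constructed fragment, not a real TIFF.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the size arithmetic the advisory describes. In libtiff 3.6.1
 * the strip-table byte count was computed as nstrips * sizeof(uint32) in
 * a 32-bit size type and handed to CheckMalloc() unchecked. For
 * nstrips = 0x40000000 the product is 0x100000000, which wraps to 0. */
uint32_t table_bytes_wrapping(uint32_t nstrips) {
    return nstrips * (uint32_t)sizeof(uint32_t);   /* wraps modulo 2^32 */
}

/* Hardened replacement (written for this example, not libtiff's code): the
 * count is validated against the 32-bit size type before multiplying, so
 * the product can never wrap. Returns 1 and stores the byte count on
 * success, 0 if the count is zero or would overflow. `bytes` may be NULL
 * when only the verdict is needed. */
int table_bytes_checked(uint32_t nstrips, uint32_t *bytes) {
    const uint32_t elem = (uint32_t)sizeof(uint32_t);
    if (nstrips == 0 || nstrips > UINT32_MAX / elem)
        return 0;
    if (bytes)
        *bytes = nstrips * elem;
    return 1;
}

/* Read an nstrips-entry little-endian ("II") 32-bit strip table from
 * `file` at `offset`. Two checks stand between the attacker-supplied count
 * and the copy: the overflow check above, and a bounds check that the file
 * actually holds that many bytes, which is what stops a count such as
 * 0x3FFFFFFF (no wrap, but a ~4 GiB copy out of a small file).
 * Caller frees the result. */
uint32_t *fetch_strip_table(const uint8_t *file, size_t file_len,
                            size_t offset, uint32_t nstrips) {
    uint32_t bytes;
    if (!table_bytes_checked(nstrips, &bytes))
        return NULL;
    if (offset > file_len || bytes > file_len - offset)
        return NULL;
    uint32_t *table = malloc(bytes);
    if (!table)
        return NULL;
    for (uint32_t i = 0; i < nstrips; i++) {
        const uint8_t *p = file + offset + (size_t)i * 4;
        table[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                   ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    return table;
}

/* Convenience for inspection: entry `idx` of the table, or UINT32_MAX if
 * the fetch was refused or idx is out of range. */
uint32_t strip_offset_at(const uint8_t *file, size_t file_len,
                         size_t offset, uint32_t nstrips, uint32_t idx) {
    uint32_t *table = fetch_strip_table(file, file_len, offset, nstrips);
    if (!table || idx >= nstrips) { free(table); return UINT32_MAX; }
    uint32_t v = table[idx];
    free(table);
    return v;
}

/* Constructed sample, not a real TIFF: an 8-byte "II" header followed by a
 * three-entry strip offset table at offset 8 (0x20, 0x120, 0x220). */
const uint8_t sample_file[] = {
    'I', 'I', 42, 0, 8, 0, 0, 0,
    0x20, 0x00, 0x00, 0x00,
    0x20, 0x01, 0x00, 0x00,
    0x20, 0x02, 0x00, 0x00,
};
const size_t sample_file_len = sizeof sample_file;

int main(void) {
    printf("0x40000000 strips, wrapping arithmetic: malloc(%u)\n",
           (unsigned)table_bytes_wrapping(0x40000000u));
    printf("0x40000000 strips, checked: %s\n",
           table_bytes_checked(0x40000000u, NULL) ? "accepted" : "rejected");
    printf("3 strips from sample: entry 1 = 0x%x\n",
           (unsigned)strip_offset_at(sample_file, sample_file_len, 8, 3, 1));
    return 0;
}
```

The wrapping function is the whole bug in one line: the same count that passes the multiplication as 0 is still used as the loop bound for the copy, so the copy runs past a minimal heap chunk. The checked variant rejects the wrap case outright, and the file-length check catches counts that do not wrap but still exceed what was actually read, which a fix that only guards the multiplication would miss.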