REDHAT-BUG-601274: Integer Overflow
First published: Mon Jun 07 2010(Updated: )
Sauli Pahlman of CERT-FI provided us with fuzzed TIFF file which crashes image viewers using libtiff library. TIFF image triggers an integer overflow in TIFFroundup() macro called from TIFFFillStrip(). Sufficient large bytecount from the file can cause TIFFroundup() to return 0 and cause TIFFReadBufferSetup() to allocate an insufficiently-sized buffer. Later in TIFFReadRawStrip1(), application-provided read callback is called via TIFFReadFile() that possibly overflows the buffer. This flaw occurs in libtiff 3.9.2, where bytecount in TIFFFillStrip() is defined as uint32. Older libtiff versions (e.g. those shipped with Red Hat Enterprise Linux 3, 4, and 5) use tsize_t (signed int32) as its type and reject bytecount values that may lead to integer overflow earlier. Issues was reported in launchpad (bug is currently restricted): <a href="https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565">https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| TIFF | ||
| Red Hat Enterprise Linux | >=3<6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=422062&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=422062&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=422514&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=422514&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=422624&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=422624&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=601274#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=601274#c7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=601274#c5
- http://admin.fedoraproject.org/updates/libtiff-3.9.4-1.fc12
- http://admin.fedoraproject.org/updates/libtiff-3.9.4-1.fc13
- https://bugzilla.redhat.com/show_bug.cgi?id=601274
Frequently Asked Questions
What is the severity of REDHAT-BUG-601274?
REDHAT-BUG-601274 is classified as a critical vulnerability due to the potential for denial of service through crashing image viewers.
How do I fix REDHAT-BUG-601274?
To fix REDHAT-BUG-601274, ensure you are using the latest patched version of the libtiff library provided by your distribution.
Which software is affected by REDHAT-BUG-601274?
REDHAT-BUG-601274 affects versions of the libtiff library used in Red Hat Enterprise Linux prior to version 6.
What is the nature of the vulnerability in REDHAT-BUG-601274?
The vulnerability in REDHAT-BUG-601274 is an integer overflow that occurs within the TIFFroundup() macro during the processing of certain TIFF files.
Who reported the REDHAT-BUG-601274 vulnerability?
The REDHAT-BUG-601274 vulnerability was reported by Sauli Pahlman of CERT-FI.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-2065
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/libtiff
- canonical/tiff
- vendor/red hat
- canonical/red hat enterprise linux