Hi,

On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
> libtiff STRIPOFFSETS Integer Overflow Vulnerability
>
> iDEFENSE Security Advisory 12.21.04
> www.idefense.com/application/poi/display?id=173&type=vulnerabilities
> December 21, 2004
>
> I. BACKGROUND
>
> libtiff provides support for the Tag Image File Format (TIFF), a widely
> used format for storing image data.
>
> More information is available at the following site:
> http://www.remotesensing.org/libtiff/
>
> II. DESCRIPTION
>
> Remote exploitation of an integer overflow in libtiff may allow for the
> execution of arbitrary code.
>
> The overflow occurs in the parsing of TIFF files set with the
> STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
>
> function, the number of strips (nstrips) is used directly in a
> CheckMalloc() routine without sanity checking. The call ultimately boils
>
> down to:
>
> malloc(user_supplied_int*size(int32));
>
> When supplied 0x40000000 as the user supplied integer, malloc is called
> with a length argument of 0. This has the effect of returning the
> smallest possible malloc chunk. A user controlled buffer is subsequently
>
> copied to that small heap buffer, causing a heap overflow.
>
> When exploited, it is possible to overwrite heap structures and seize
> control of execution.
>
> III. ANALYSIS
>
> An attacker can exploit the above-described vulnerability to execute
> arbitrary code under the permissions of the target user. Successful
> exploitation requires that the attacker convince the end user to open
> the malicious TIFF file using an application linked with a vulnerable
> version of libtiff. Exploitation of this vulnerability against a remote
> target is difficult because of the precision required in the attack.
>
> IV. DETECTION
>
> iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
>
> introduced in libtiff 3.7.0 that had the effect of fixing this
> vulnerability.
>
> The following vendors provide susceptible libtiff packages within their
> respective operating system distributions:
>
> - Gentoo Linux
> - Fedora Linux
> - RedHat Linux
> - SuSE Linux
> - Debian Linux
>
> V. WORKAROUND
>
> Only open TIFF files from trusted users.
>
> VI. VENDOR RESPONSE
>
> This issue is addressed in libtiff 3.7.0 and 3.7.1.
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

I believe this issue is subset of CAN-2004-0886 which was fixed in the
middle of October.

--
ldv

[ reply ]