Package name
libtiff
Date
2010-08-06
Advisory ID
MDVSA-2010:146
Affected versions
2010.1 x86_64 , 2010.1 i586 , 2010.0 x86_64 , 2010.0 i586

Problem description

Multiple vulnerabilities has been discovered and corrected in libtiff:

The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as used in
ImageMagick, does not properly handle invalid ReferenceBlackWhite
values, which allows remote attackers to cause a denial of service
(application crash) via a crafted TIFF image that triggers an array
index error, related to downsampled OJPEG input. (CVE-2010-2595)

Multiple integer overflows in the Fax3SetupState function in tif_fax3.c
in the FAX3 decoder in LibTIFF before 3.9.3 allow remote attackers to
execute arbitrary code or cause a denial of service (application crash)
via a crafted TIFF file that triggers a heap-based buffer overflow
(CVE-2010-1411).

Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted TIFF file
that triggers a buffer overflow (CVE-2010-2065).

The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers
to cause a denial of service (out-of-bounds read and application crash)
via a TIFF file with an invalid combination of SamplesPerPixel and
Photometric values (CVE-2010-2483).

The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2
makes incorrect calls to the TIFFGetField function, which allows
remote attackers to cause a denial of service (application crash) via
a crafted TIFF image, related to downsampled OJPEG input and possibly
related to a compiler optimization that triggers a divide-by-zero error
(CVE-2010-2597).

The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly
handle unknown tag types in TIFF directory entries, which allows
remote attackers to cause a denial of service (out-of-bounds read
and application crash) via a crafted TIFF file (CVE-2010-248).

Stack-based buffer overflow in the TIFFFetchSubjectDistance function
in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to
cause a denial of service (application crash) or possibly execute
arbitrary code via a long EXIF SubjectDistance field in a TIFF file
(CVE-2010-2067).

tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as
used in ImageMagick, does not properly perform vertical flips, which
allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted TIFF image,
related to downsampled OJPEG input. (CVE-2010-2233).

LibTIFF 3.9.4 and earlier does not properly handle an invalid
td_stripbytecount field, which allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash)
via a crafted TIFF file, a different vulnerability than CVE-2010-2443
(CVE-2010-2482).

The updated packages have been patched to correct these issues.

Updated packages

2010.1 x86_64

 e858e4c72c5191395d4db7f994ffd7c4  2010.1/x86_64/lib64tiff3-3.9.2-2.1mdv2010.1.x86_64.rpm
 6bdce5697bc818f57cb56d22ce989b30  2010.1/x86_64/lib64tiff-devel-3.9.2-2.1mdv2010.1.x86_64.rpm
 daaf9562d71e8076e87578f25b8dbebe  2010.1/x86_64/lib64tiff-static-devel-3.9.2-2.1mdv2010.1.x86_64.rpm
 36d9eef4dd2739944f05fe7edd4e76f8  2010.1/x86_64/libtiff-progs-3.9.2-2.1mdv2010.1.x86_64.rpm 
 31563b8124d1953b9c8849e0a63f5422  2010.1/SRPMS/libtiff-3.9.2-2.1mdv2010.1.src.rpm

2010.1 i586

 0ddf3e069a91387a7d85ad5aacd1dd81  2010.1/i586/libtiff3-3.9.2-2.1mdv2010.1.i586.rpm
 53d5d64cb3bb34a78d52776d42e0ed16  2010.1/i586/libtiff-devel-3.9.2-2.1mdv2010.1.i586.rpm
 e549b78e6658cb9a408454bf698e2ead  2010.1/i586/libtiff-progs-3.9.2-2.1mdv2010.1.i586.rpm
 821179322f86ba6dcc96dd6afc48fd0f  2010.1/i586/libtiff-static-devel-3.9.2-2.1mdv2010.1.i586.rpm 
 31563b8124d1953b9c8849e0a63f5422  2010.1/SRPMS/libtiff-3.9.2-2.1mdv2010.1.src.rpm

2010.0 x86_64

 3965284cc51603cfdc0d9420104b8fd3  2010.0/x86_64/lib64tiff3-3.9.1-4.1mdv2010.0.x86_64.rpm
 2768094532f4d1941ef66bae6da6ea15  2010.0/x86_64/lib64tiff-devel-3.9.1-4.1mdv2010.0.x86_64.rpm
 2e08c6517abcf34dab75040fbee15212  2010.0/x86_64/lib64tiff-static-devel-3.9.1-4.1mdv2010.0.x86_64.rpm
 3c81e78d3c389abcc370add6af857d12  2010.0/x86_64/libtiff-progs-3.9.1-4.1mdv2010.0.x86_64.rpm 
 69aa854e6935c2d111e44e84225f6f69  2010.0/SRPMS/libtiff-3.9.1-4.1mdv2010.0.src.rpm

2010.0 i586

 ceb7febb41b948977f6196b5bf31d538  2010.0/i586/libtiff3-3.9.1-4.1mdv2010.0.i586.rpm
 d38ee02dca1666e8d8f7c628e9debcbe  2010.0/i586/libtiff-devel-3.9.1-4.1mdv2010.0.i586.rpm
 e022bf3d3badddd3c480b4143a8cc2ec  2010.0/i586/libtiff-progs-3.9.1-4.1mdv2010.0.i586.rpm
 6f18f9ce3d9582ea3f6f9ddd7b1680d8  2010.0/i586/libtiff-static-devel-3.9.1-4.1mdv2010.0.i586.rpm 
 69aa854e6935c2d111e44e84225f6f69  2010.0/SRPMS/libtiff-3.9.1-4.1mdv2010.0.src.rpm

References