Bug 324885 (CVE-2010-1411) - <media-libs/tiff-{3.9.4,4.0.0_beta6}: Multiple integer overflows (CVE-2010-{1411,2065,2067,2233,2443,2481,2483,2596,2597,2630,2631})
Status: RESOLVED FIXED
Alias: CVE-2010-1411
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2010-06-20 22:34 UTC by Samuli Suominen (RETIRED)
Modified: 2012-09-23 18:46 UTC
Description Samuli Suominen (RETIRED) gentoo-dev 2010-06-20 22:34:17 UTC
2010-06-08  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

* libtiff/tif_fax3.c (Fax3SetupState): Avoid under-allocation of
  buffer due to integer overflow in TIFFroundup() and several other
  potential overflows.  In conjunction with the fix to TIFFhowmany(),
  fixes CVE-2010-1411.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1411

*tiff-3.9.4 (20 Jun 2010)

  20 Jun 2010; Samuli Suominen <ssuominen@gentoo.org> +tiff-3.9.4.ebuild:
  Version bump.

Current tiff-4.0_beta5 in ~arch is likely also vulnerable. To be honest, I don't understand why we have an experimental beta in ~arch at all. It should at least be package.masked.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-06-21 22:09:25 UTC
test & stabilize:

=media-libs/tiff-3.9.4
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-22 01:20:28 UTC
Stable for HPPA.
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-22 07:17:23 UTC
x86 stable
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2010-06-23 16:26:04 UTC
amd64 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-06-25 18:37:47 UTC
alpha/arm/ia64/m68k/s390/sh/sparc stable
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 19:51:55 UTC
Fixing whiteboard. If you want to, have a look at http://www.gentoo.org/security/en/vulnerability-policy.xml on how to set it.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-25 21:36:30 UTC
CVE-2010-1411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1411):
  Multiple integer overflows in the Fax3SetupState function in
  tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in
  ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4,
  allow remote attackers to execute arbitrary code or cause a denial of
  service (application crash) via a crafted TIFF file that triggers a
  heap-based buffer overflow.

Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2010-07-03 22:52:52 UTC
ppc64 stable
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 01:07:31 UTC
Marked ppc stable.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:32:27 UTC
Added to glsa for #307001.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:12:17 UTC
CVE-2010-2065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2065):
  Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a crafted TIFF file that triggers a
  buffer overflow.
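
The wrap-around behind the TIFFroundup()/TIFFhowmany() entries in this bug, shown as an added illustration that is not LibTIFF's code and not part of the original comments: a 32-bit round-up that silently wraps, next to a checked form that rejects the input. All function names and the sizing formula are hypothetical, and the widths are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern: x + (y - 1) is done in 32 bits and can wrap. */
static uint32_t roundup_wrapping(uint32_t x, uint32_t y)
{
    return ((x + (y - 1)) / y) * y;
}

/* Checked form: stores the result and returns 1, or returns 0 when
 * y is zero or the addition would wrap. */
static int roundup_checked(uint32_t x, uint32_t y, uint32_t *out)
{
    if (y == 0 || x > UINT32_MAX - (y - 1))
        return 0;
    *out = ((x + (y - 1)) / y) * y;
    return 1;
}

/* Hypothetical sizing helper (formula constructed for this example):
 * bytes needed for one 32-bit entry per pixel, padded to 32 entries. */
static int row_buffer_bytes(uint32_t rowpixels, uint32_t *bytes)
{
    uint32_t n;
    if (!roundup_checked(rowpixels, 32, &n))
        return 0;
    if (n > UINT32_MAX / sizeof(uint32_t))  /* n * 4 would wrap */
        return 0;
    *bytes = n * (uint32_t)sizeof(uint32_t);
    return 1;
}

int main(void)
{
    /* Constructed widths: an ordinary one and two near 32-bit limits. */
    const uint32_t widths[] = { 1728u, 0x40000000u, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t bytes = 0;
        int ok = row_buffer_bytes(widths[i], &bytes);
        printf("width=%u unchecked=%u checked=%s bytes=%u\n",
               (unsigned)widths[i],
               (unsigned)roundup_wrapping(widths[i], 32),
               ok ? "ok" : "rejected", (unsigned)bytes);
    }
    return 0;
}
```

For the width 0xFFFFFFF0 the unchecked round-up returns 0, which is the under-allocation condition the ChangeLog entry in the description refers to.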
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:13:35 UTC
CVE-2010-2067 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2067):
  Stack-based buffer overflow in the TIFFFetchSubjectDistance function in
  tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a
  denial of service (application crash) or possibly execute arbitrary code via
  a long EXIF SubjectDistance field in a TIFF file.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:17:18 UTC
CVE-2010-2233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2233):
  tif_getimage.c in LibTIFF 3.9.0 and 3.9.2 on 64-bit platforms, as used in
  ImageMagick, does not properly perform vertical flips, which allows remote
  attackers to cause a denial of service (application crash) or possibly
  execute arbitrary code via a crafted TIFF image, related to "downsampled
  OJPEG input."
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:19:13 UTC
CVE-2010-2443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2443):
  The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3
  allows remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) via an OJPEG image with undefined strip
  offsets, related to the TIFFVGetField function.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:26:16 UTC
CVE-2010-2481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2481):
  The TIFFExtractData macro in LibTIFF before 3.9.4 does not properly handle
  unknown tag types in TIFF directory entries, which allows remote attackers
  to cause a denial of service (out-of-bounds read and application crash) via
  a crafted TIFF file.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:28:24 UTC
CVE-2010-2483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2483):
  The TIFFRGBAImageGet function in LibTIFF 3.9.0 allows remote attackers to
  cause a denial of service (out-of-bounds read and application crash) via a
  TIFF file with an invalid combination of SamplesPerPixel and Photometric
  values.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 01:29:19 UTC
CVE-2010-2631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2631):
  LibTIFF 3.9.0 ignores tags in certain situations during the first stage of
  TIFF file processing and does not properly handle this during the second
  stage, which allows remote attackers to cause a denial of service
  (application crash) via a crafted file, a different vulnerability than
  CVE-2010-2481.

CVE-2010-2630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2630):
  The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate
  the data types of codec-specific tags that have an out-of-order position in
  a TIFF file, which allows remote attackers to cause a denial of service
  (application crash) via a crafted file, a different vulnerability than
  CVE-2010-2481.

CVE-2010-2597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2597):
  The TIFFVStripSize function in tif_strip.c in LibTIFF 3.9.0 and 3.9.2 makes
  incorrect calls to the TIFFGetField function, which allows remote attackers
  to cause a denial of service (application crash) via a crafted TIFF image,
  related to "downsampled OJPEG input" and possibly related to a compiler
  optimization that triggers a divide-by-zero error.

CVE-2010-2596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2596):
  The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as
  used in tiff2ps, allows remote attackers to cause a denial of service
  (assertion failure and application exit) via a crafted TIFF image, related
  to "downsampled OJPEG input."
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-09-23 18:46:17 UTC
This issue was resolved and addressed in
 GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).