Executive Summary
| Summary | |
|---|---|
| Title | New tiff packages fix denial of service |
| Informations | |||
|---|---|---|---|
| Name | DSA-1078 | First vendor Publication | 2006-05-27 |
| Vendor | Debian | Last vendor Modification | 2006-05-27 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 2.1 | Attack Range | Local |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Andrey Kiselev discovered a problem in the TIFF library that may allow an attacker with a specially crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values to crash the library and hence the surrounding application. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 3.7.2-4. The unstable distribution (sid) is not affected by this problem. We recommend that you upgrade your tiff packages and restart the programs using it. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-1078 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:9572 | |||
| Oval ID: | oval:org.mitre.oval:def:9572 | ||
| Title: | The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read. | ||
| Description: | The TIFFToRGB function in libtiff before 3.8.1 allows remote attackers to cause a denial of service (crash) via a crafted TIFF image with Yr/Yg/Yb values that exceed the YCR/YCG/YCB values, which triggers an out-of-bounds read. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2006-2120 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 1078-1 (tiff) File : nvt/deb_1078_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 25230 | LibTIFF TIFFToRGB() Color Mapping Value Overflows |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1078.nasl - Type : ACT_GATHER_INFO |
| 2006-07-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2006-0425.nasl - Type : ACT_GATHER_INFO |
| 2006-05-13 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-082.nasl - Type : ACT_GATHER_INFO |
| 2006-05-13 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2006-0425.nasl - Type : ACT_GATHER_INFO |
| 2006-05-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-277-1.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:25:51 |
|
