Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Sun Alert 265808 Multiple Integer Overflow Vulnerabilities in the libtiff(3) Image Conversion Tools 'tiff2rgba' and 'rgb2ycbcr' May Lead to Arbitrary Code Execution
Informations
Name SUN-265808 First vendor Publication 2009-08-14
Vendor Sun Last vendor Modification 2009-08-20
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Product: Solaris 8 Operating System Solaris 9 Operating System Solaris 10 Operating System OpenSolaris

Multiple integer overflow vulnerabilities in the libtiff(3) image conversion tools 'tiff2rgba' and 'rgb2ycbcr' may allow a local or remote unprivileged user to execute arbitrary code via a TIFF image with large width and height values.

This issue is also described in the following document:


State: Workaround
First released: 14-Aug-2009

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_265808_multiple_integer

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-189 Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10988
 
Oval ID: oval:org.mitre.oval:def:10988
Title: Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
Description: Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
Family: unix Class: vulnerability
Reference(s): CVE-2009-2347
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12926
 
Oval ID: oval:org.mitre.oval:def:12926
Title: USN-801-1 -- tiff vulnerability
Description: Tielei Wang and Tom Lane discovered that the TIFF library did not correctly handle certain malformed TIFF images. If a user or automated system were tricked into processing a malicious image, an attacker could execute arbitrary code with the privileges of the user invoking the program.
Family: unix Class: patch
Reference(s): USN-801-1
CVE-2009-2347
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 9.04
Ubuntu 6.06
Ubuntu 8.10
Product(s): tiff
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13644
 
Oval ID: oval:org.mitre.oval:def:13644
Title: DSA-1835-1 tiff -- several
Description: Several vulnerabilities have been discovered in the library for the Tag Image File Format. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-2285 It was discovered that malformed TIFF images can lead to a crash in the decompression code, resulting in denial of service. CVE-2009-2347 Andrea Barisani discovered several integer overflows, which can lead to the execution of arbitrary code if malformed images are passed to the rgb2ycbcr or tiff2rgba tools. For the old stable distribution, these problems have been fixed in version 3.8.2-7+etch3. For the stable distribution, these problems have been fixed in version 3.8.2-11.2. For the unstable distribution, these problems will be fixed soon. We recommend that you upgrade your tiff packages.
Family: unix Class: patch
Reference(s): DSA-1835-1
CVE-2009-2285
CVE-2009-2347
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): tiff
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22533
 
Oval ID: oval:org.mitre.oval:def:22533
Title: ELSA-2009:1159: libtiff security update (Moderate)
Description: Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
Family: unix Class: patch
Reference(s): ELSA-2009:1159-01
CVE-2009-2285
CVE-2009-2347
Version: 13
Platform(s): Oracle Linux 5
Product(s): libtiff
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28879
 
Oval ID: oval:org.mitre.oval:def:28879
Title: RHSA-2009:1159 -- libtiff security update (Moderate)
Description: Updated libtiff packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.
Family: unix Class: patch
Reference(s): RHSA-2009:1159
CESA-2009:1159-CentOS 3
CESA-2009:1159-CentOS 5
CVE-2009-2285
CVE-2009-2347
Version: 3
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 3
CentOS Linux 5
Product(s): libtiff
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7522
 
Oval ID: oval:org.mitre.oval:def:7522
Title: DSA-1835 tiff -- several vulnerabilities
Description: Several vulnerabilities have been discovered in the library for the Tag Image File Format (TIFF). The Common Vulnerabilities and Exposures project identifies the following problems: It was discovered that malformed TIFF images can lead to a crash in the decompression code, resulting in denial of service. Andrea Barisani discovered several integer overflows, which can lead to the execution of arbitrary code if malformed images are passed to the rgb2ycbcr or tiff2rgba tools.
Family: unix Class: patch
Reference(s): DSA-1835
CVE-2009-2285
CVE-2009-2347
Version: 3
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): tiff
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 5

OpenVAS Exploits

Date Description
2012-09-26 Name : Gentoo Security Advisory GLSA 201209-02 (tiff)
File : nvt/glsa_201209_02.nasl
2011-08-09 Name : CentOS Update for libtiff CESA-2009:1159 centos3 i386
File : nvt/gb_CESA-2009_1159_libtiff_centos3_i386.nasl
2011-08-09 Name : CentOS Update for libtiff CESA-2009:1159 centos5 i386
File : nvt/gb_CESA-2009_1159_libtiff_centos5_i386.nasl
2011-03-15 Name : Mandriva Update for libtiff MDVSA-2011:043 (libtiff)
File : nvt/gb_mandriva_MDVSA_2011_043.nasl
2010-07-06 Name : FreeBSD Ports: tiff
File : nvt/freebsd_tiff5.nasl
2010-06-25 Name : Fedora Update for libtiff FEDORA-2010-10359
File : nvt/gb_fedora_2010_10359_libtiff_fc11.nasl
2009-12-10 Name : Mandriva Security Advisory MDVSA-2009:169-1 (libtiff)
File : nvt/mdksa_2009_169_1.nasl
2009-10-13 Name : SLES10: Security update for libtiff
File : nvt/sles10_libtiff1.nasl
2009-10-13 Name : Solaris Update for GNOME 2.6.0 119900-09
File : nvt/gb_solaris_119900_09.nasl
2009-10-13 Name : Solaris Update for Gnome libtiff - library for reading and writing TIFF 11990...
File : nvt/gb_solaris_119901_08.nasl
2009-10-11 Name : SLES11: Security update for libtiff
File : nvt/sles11_libtiff30.nasl
2009-10-10 Name : SLES9: Security update for libtiff
File : nvt/sles9p5055840.nasl
2009-09-09 Name : SuSE Security Summary SUSE-SR:2009:014
File : nvt/suse_sr_2009_014.nasl
2009-08-17 Name : Gentoo Security Advisory GLSA 200908-03 (tiff)
File : nvt/glsa_200908_03.nasl
2009-08-17 Name : Mandrake Security Advisory MDVSA-2009:169 (libtiff)
File : nvt/mdksa_2009_169.nasl
2009-07-29 Name : Ubuntu USN-799-1 (dbus)
File : nvt/ubuntu_799_1.nasl
2009-07-29 Name : Ubuntu USN-801-1 (tiff)
File : nvt/ubuntu_801_1.nasl
2009-07-29 Name : RedHat Security Advisory RHSA-2009:1159
File : nvt/RHSA_2009_1159.nasl
2009-07-29 Name : Ubuntu USN-802-1 (apache2)
File : nvt/ubuntu_802_1.nasl
2009-07-29 Name : CentOS Security Advisory CESA-2009:1159 (libtiff)
File : nvt/ovcesa2009_1159.nasl
2009-07-29 Name : Mandrake Security Advisory MDVSA-2009:150 (libtiff)
File : nvt/mdksa_2009_150.nasl
2009-07-29 Name : Fedora Core 11 FEDORA-2009-7775 (libtiff)
File : nvt/fcore_2009_7775.nasl
2009-07-29 Name : Fedora Core 10 FEDORA-2009-7724 (libtiff)
File : nvt/fcore_2009_7724.nasl
2009-07-29 Name : Debian Security Advisory DSA 1835-1 (tiff)
File : nvt/deb_1835_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
55822 LibTIFF tiff2rgba Utility cvt_whole_image() Function Crafted TIFF File Handli...

55821 LibTIFF rgb2ycbcr Utility tiffcvt() Function Crafted TIFF File Handling Overflow

Nessus® Vulnerability Scanner

Date Description
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2009-0027.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1159.nasl - Type : ACT_GATHER_INFO
2012-09-24 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201209-02.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20090728_libtiff_for_SL3_0_x.nasl - Type : ACT_GATHER_INFO
2011-03-09 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-043.nasl - Type : ACT_GATHER_INFO
2010-06-17 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_8816bf3a792911dfbcce0018f3e2eb82.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1835.nasl - Type : ACT_GATHER_INFO
2009-12-04 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-169.nasl - Type : ACT_GATHER_INFO
2009-10-06 Name : The remote openSUSE host is missing a security update.
File : suse_libtiff-devel-6406.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12470.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libtiff-devel-090807.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_libtiff-6407.nasl - Type : ACT_GATHER_INFO
2009-08-20 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_libtiff-devel-090807.nasl - Type : ACT_GATHER_INFO
2009-08-20 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_libtiff-devel-090807.nasl - Type : ACT_GATHER_INFO
2009-08-10 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200908-03.nasl - Type : ACT_GATHER_INFO
2009-07-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1159.nasl - Type : ACT_GATHER_INFO
2009-07-20 Name : The remote Fedora host is missing a security update.
File : fedora_2009-7775.nasl - Type : ACT_GATHER_INFO
2009-07-20 Name : The remote Fedora host is missing a security update.
File : fedora_2009-7724.nasl - Type : ACT_GATHER_INFO
2009-07-17 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1159.nasl - Type : ACT_GATHER_INFO
2009-07-14 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-150.nasl - Type : ACT_GATHER_INFO
2009-07-14 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-801-1.nasl - Type : ACT_GATHER_INFO
2006-11-06 Name : The remote host is missing Sun Security Patch number 119900-18
File : solaris10_119900.nasl - Type : ACT_GATHER_INFO
2006-11-06 Name : The remote host is missing Sun Security Patch number 119901-17
File : solaris10_x86_119901.nasl - Type : ACT_GATHER_INFO