Re: iDEFENSE Security Advisory 12.21.04: libtiff STRIPOFFSETS Integer Overflow Vulnerability
From: "Dmitry V. Levin" <ldv () altlinux org>
Date: Wed, 22 Dec 2004 14:45:45 +0300
On Tue, Dec 21, 2004 at 05:09:30PM -0500, customer service mailbox wrote:
> libtiff STRIPOFFSETS Integer Overflow Vulnerability
>
> iDEFENSE Security Advisory 12.21.04
> December 21, 2004
>
> libtiff provides support for the Tag Image File Format (TIFF), a widely
> used format for storing image data.
>
> More information is available at the following site:
>
> Remote exploitation of an integer overflow in libtiff may allow for the
> execution of arbitrary code.
>
> The overflow occurs in the parsing of TIFF files set with the
> STRIPOFFSETS flag in libtiff/tif_dirread.c. In the TIFFFetchStripThing()
> function, the number of strips (nstrips) is used directly in a
> CheckMalloc() routine without sanity checking. The call ultimately boils
>
> When supplied 0x40000000 as the user supplied integer, malloc is called
> with a length argument of 0. This has the effect of returning the
> smallest possible malloc chunk. A user controlled buffer is subsequently
> copied to that small heap buffer, causing a heap overflow.
>
> When exploited, it is possible to overwrite heap structures and seize
> control of execution.
>
> An attacker can exploit the above-described vulnerability to execute
> arbitrary code under the permissions of the target user. Successful
> exploitation requires that the attacker convince the end user to open
> the malicious TIFF file using an application linked with a vulnerable
> version of libtiff. Exploitation of this vulnerability against a remote
> target is difficult because of the precision required in the attack.
>
> iDEFENSE has confirmed this vulnerability in libtiff 3.6.1. Changes were
> introduced in libtiff 3.7.0 that had the effect of fixing this
>
> The following vendors provide susceptible libtiff packages within their
> respective operating system distributions:
>
> - Gentoo Linux
> - Fedora Linux
> - RedHat Linux
> - SuSE Linux
> - Debian Linux
>
> Only open TIFF files from trusted users.
>
> VI. VENDOR RESPONSE
>
> This issue is addressed in libtiff 3.7.0 and 3.7.1.
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.
I believe this issue is a subset of CAN-2004-0886 which was fixed in the
middle of October.
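As an added illustration of the unchecked multiplication the quoted advisory describes (this is not code from the advisory, from libtiff, or from the poster), the C below places the wrapping size computation beside a sanity-checked one. All function names are hypothetical; uint32_t is used so the 32-bit wrap reproduces on any host, and the file-size guard at the end is an extra check of my own, not something the advisory mentions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the strip-table allocation the advisory
 * describes: nstrips is read straight from the TIFF directory and is
 * therefore attacker-controlled. uint32_t is used on purpose so the
 * 32-bit wrap is reproducible on any host word size. */

/* Unchecked size computation: 0x40000000 * 4 wraps to 0, so the
 * allocator would be asked for a zero-length table. */
uint32_t strip_table_bytes_unchecked(uint32_t nstrips)
{
    return nstrips * (uint32_t)sizeof(uint32_t);
}

/* Sanity-checked size computation: returns 1 and stores the byte count,
 * or returns 0 when the count is empty or the product cannot fit. */
int strip_table_bytes_checked(uint32_t nstrips, uint32_t *bytes_out)
{
    const uint32_t elem = (uint32_t)sizeof(uint32_t);
    if (nstrips == 0 || nstrips > UINT32_MAX / elem)
        return 0;
    *bytes_out = nstrips * elem;
    return 1;
}

/* Allocation wrapper in the spirit of a checked CheckMalloc(): refuses
 * the request instead of handing back an undersized heap chunk. */
void *alloc_strip_table(uint32_t nstrips)
{
    uint32_t bytes;
    if (!strip_table_bytes_checked(nstrips, &bytes))
        return NULL;
    return malloc(bytes);
}

/* Extra reader-side guard (hypothetical, not from the advisory): reject a
 * strip count whose offset table could not possibly be present in the
 * remaining bytes of the file. file_bytes_remaining is caller-supplied. */
int strip_count_fits_file(uint32_t nstrips, uint32_t file_bytes_remaining)
{
    uint32_t bytes;
    if (!strip_table_bytes_checked(nstrips, &bytes))
        return 0;
    return bytes <= file_bytes_remaining;
}
```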