Vigil@nce: LibTIFF, integer overflows of tiff2rgba and rgb2ycbcr
July 2009 by Vigil@nce
An attacker can create a malicious TIFF image and invite the
victim to open it with tiff2rgba or rgb2ycbcr, in order to execute
code on his computer.
– Severity: 2/4
– Consequences: user access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 2
– Creation date: 15/07/2009
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Mandriva Corporate
– Mandriva Linux
– Mandriva Multi Network Firewall
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The LibTIFF library is used to handle TIFF images, and provides
some tools. Two vulnerabilities were announced.
The tiff2rgba tool converts a TIFF image to RGBA
(Red Green Blue Alpha). It allocates a memory area whose size is the
result of multiplying the width by the height of the
image. However, this multiplication can overflow, which leads to
memory corruption in the cvt_whole_image() function. [grav:2/4]
The rgb2ycbcr tool converts a TIFF image to YCbCr (Luminance, blue
and red Chroma). It allocates a memory area whose size is the
result of multiplying the width by the height of the
image. However, this multiplication can overflow, which leads to
memory corruption in the tiffcvt() function. [grav:2/4]
An attacker can therefore create a malicious TIFF image and invite
the victim to open it with tiff2rgba or rgb2ycbcr, in order to
execute code on his computer.
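The width-by-height overflow described above, shown as an added C example next to a checked size computation. This is not LibTIFF's code: the function names, the 4 bytes per pixel and the 32-bit size type are assumptions made for illustration, and the image dimensions are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BYTES_PER_PIXEL 4u  /* assumption: one 32-bit RGBA value per pixel */

/* Unchecked size computation in a 32-bit type: the product wraps modulo
 * 2^32, so a huge image can yield a small allocation size. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Checked version: multiply in 64 bits and reject any result that does
 * not fit the 32-bit size type. Returns 1 and stores the size in *out on
 * success, 0 on zero dimensions or overflow (*out is left untouched). */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t *out)
{
    uint64_t pixels;

    if (width == 0 || height == 0)
        return 0;
    pixels = (uint64_t)width * height;   /* cannot overflow 64 bits */
    if (pixels > UINT32_MAX / BYTES_PER_PIXEL)
        return 0;
    *out = (uint32_t)(pixels * BYTES_PER_PIXEL);
    return 1;
}

int main(void)
{
    /* Constructed dimensions: 65536 * 65537 = 2^32 + 65536. */
    uint32_t w = 65536u, h = 65537u, size = 0;

    printf("unchecked size for %ux%u: %u bytes\n",
           (unsigned)w, (unsigned)h, (unsigned)unchecked_pixel_bytes(w, h));
    if (!checked_pixel_bytes(w, h, &size))
        printf("checked: dimensions rejected before allocation\n");
    if (checked_pixel_bytes(640u, 480u, &size))
        printf("checked size for 640x480: %u bytes\n", (unsigned)size);
    return 0;
}
```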
CHARACTERISTICS
– Identifiers: BID-35652, CVE-2009-2347, DSA 1835-1,
FEDORA-2009-7724, FEDORA-2009-7775, MDVSA-2009:150,
oCERT-2009-012, RHSA-2009:1159-01, VIGILANCE-VUL-8862
– Url: http://vigilance.fr/vulnerability/LibTIFF-integer-overflows-of-tiff2rgba-and-rgb2ycbcr-8862