Vigil@nce - libtiff: buffer overflow of tiff2pdf t2p_write_pdf_page
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to open a malicious TIFF image
with tiff2pdf, in order to create a denial of service or to
execute code.
– Impacted products: Fedora, Unix (platform)
– Severity: 2/4
– Creation date: 02/05/2013
DESCRIPTION OF THE VULNERABILITY
The tiff2pdf tool of the libtiff suite is used to convert a TIFF
image to a PDF document.
The t2p_write_pdf_page() function of the tiff2pdf.c file generates
a PDF Page object. The PDF MediaBox field defines the page area
containing data. Its values are generated using the sprintf()
function which writes in a 16 bytes array. However, if the TIFF
image uses large sizes, a buffer overflow occurs.
An attacker can therefore invite the victim to open a malicious
TIFF image with tiff2pdf, in order to create a denial of service
or to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libtiff-buffer-overflow-of-tiff2pdf-t2p-write-pdf-page-12744