Vigil@nce - libtiff: integer overflow of FAX3
June 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can entice the victim to open a malicious
FAX3-compressed TIFF image, in order to execute code in
applications linked to libtiff.
Severity: 2/4
Creation date: 14/06/2010
DESCRIPTION OF THE VULNERABILITY
The libtiff library is used to manage TIFF images.
The CCITT FAX3 compression algorithm can be applied to black and
white TIFF images. The libtiff/tif_fax3.c file handles these
images.
The Fax3SetupState() function of the tif_fax3.c file incorrectly
computes the sizes of the memory areas to allocate. This integer
overflow leads to memory corruption.
An attacker can therefore entice the victim to open a malicious
FAX3-compressed TIFF image, in order to execute code in
applications linked to libtiff.
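
The bug class described above, as an added example that is not libtiff's code and not part of the original bulletin: an allocation size derived from an image width wraps in 32-bit arithmetic, next to a checked form that rejects the width instead. The function names and the sizing rule (two rows of 32-bit run entries, one entry per pixel) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* ASSUMED sizing rule (not libtiff's): two rows of run-length entries,
 * one 32-bit entry per pixel, so bytes = 2 * row_pixels * 4. */

/* Unchecked 32-bit arithmetic: the product wraps for large widths. */
static uint32_t runs_bytes_unchecked(uint32_t row_pixels)
{
    uint32_t nruns = 2u * row_pixels;
    return nruns * (uint32_t)sizeof(uint32_t);
}

/* Checked form: reject any width whose size does not fit in 32 bits.
 * Returns 0 and stores the byte count on success, -1 on rejection. */
static int runs_bytes_checked(uint32_t row_pixels, size_t *out)
{
    if (row_pixels == 0 || row_pixels > UINT32_MAX / 2u)
        return -1;
    uint32_t nruns = 2u * row_pixels;
    if (nruns > UINT32_MAX / (uint32_t)sizeof(uint32_t))
        return -1;
    *out = (size_t)nruns * sizeof(uint32_t);
    return 0;
}

/* Allocate the run buffer only when the size computation is sound. */
static uint32_t *alloc_runs(uint32_t row_pixels)
{
    size_t bytes;
    if (runs_bytes_checked(row_pixels, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed widths: a standard fax row and an oversized header value. */
    uint32_t widths[] = { 1728u, 0x20000001u };
    for (size_t i = 0; i < 2; i++) {
        uint32_t *runs = alloc_runs(widths[i]);
        printf("width=%u unchecked=%u bytes -> %s\n", (unsigned)widths[i],
               (unsigned)runs_bytes_unchecked(widths[i]),
               runs ? "allocated" : "rejected");
        free(runs);
    }
    return 0;
}
```

With the unchecked form, the oversized width yields a buffer far smaller than the decoder would later write into, which is how a size miscalculation turns into memory corruption.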
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/libtiff-integer-overflow-of-FAX3-9706