Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Call_management_system_server | Avaya | 8.0 (including) | 8.0 (including) |
| Call_management_system_server | Avaya | 9.0 (including) | 9.0 (including) |
| Call_management_system_server | Avaya | 11.0 (including) | 11.0 (including) |
| Call_management_system_server | Avaya | 12.0 (including) | 12.0 (including) |
| Call_management_system_server | Avaya | 13.0 (including) | 13.0 (including) |
| Cvlan | Avaya | * | * |
| Integrated_management | Avaya | * | * |
| Interactive_response | Avaya | * | * |
| Interactive_response | Avaya | 1.2.1 (including) | 1.2.1 (including) |
| Interactive_response | Avaya | 1.3 (including) | 1.3 (including) |
| Intuity_audix_lx | Avaya | * | * |
| Icontrol_service_manager | F5 | 1.3 (including) | 1.3 (including) |
| Icontrol_service_manager | F5 | 1.3.4 (including) | 1.3.4 (including) |
| Icontrol_service_manager | F5 | 1.3.5 (including) | 1.3.5 (including) |
| Icontrol_service_manager | F5 | 1.3.6 (including) | 1.3.6 (including) |
| Libtiff | Libtiff | 3.4 (including) | 3.4 (including) |
| Libtiff | Libtiff | 3.5.1 (including) | 3.5.1 (including) |
| Libtiff | Libtiff | 3.5.2 (including) | 3.5.2 (including) |
| Libtiff | Libtiff | 3.5.3 (including) | 3.5.3 (including) |
| Libtiff | Libtiff | 3.5.4 (including) | 3.5.4 (including) |
| Libtiff | Libtiff | 3.5.5 (including) | 3.5.5 (including) |
| Libtiff | Libtiff | 3.5.7 (including) | 3.5.7 (including) |
| Libtiff | Libtiff | 3.6.0 (including) | 3.6.0 (including) |
| Libtiff | Libtiff | 3.6.1 (including) | 3.6.1 (including) |
| Libtiff | Libtiff | 3.7.0 (including) | 3.7.0 (including) |
| Propack | Sgi | 3.0 (including) | 3.0 (including) |
| Linux | Conectiva | 9.0 (including) | 9.0 (including) |
| Linux | Conectiva | 10.0 (including) | 10.0 (including) |
| Red Hat Enterprise Linux 3 | RedHat | libtiff-0:3.5.7-20.1 | * |
| Red Hat Enterprise Linux 3 | RedHat | kdegraphics-7:3.1.3-3.7 | * |
References
- http://lists.apple.com/archives/security-announce/2005/May/msg00001.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101677-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-201072-1
- http://www.idefense.com/application/poi/display?id=173\u0026type=vulnerabilities\u0026flashstatus=true
- http://www.kb.cert.org/vuls/id/539110
- http://www.us-cert.gov/cas/techalerts/TA05-136A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11175
- http://lists.apple.com/archives/security-announce/2005/May/msg00001.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101677-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-201072-1
- http://www.idefense.com/application/poi/display?id=173\u0026type=vulnerabilities\u0026flashstatus=true
- http://www.kb.cert.org/vuls/id/539110
- http://www.us-cert.gov/cas/techalerts/TA05-136A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11175