Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero-byte buffer to be allocated and leads to a heap-based buffer overflow.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Interactive_response | Avaya | 1.2.1 | 1.2.1 |
Libtiff | Libtiff | 3.6.1 | 3.6.1 |
Linux | Conectiva | 9.0 | 9.0 |
Propack | Sgi | 3.0 | 3.0 |
Call_management_system_server | Avaya | 8.0 | 8.0 |
Icontrol_service_manager | F5 | 1.3.5 | 1.3.5 |
Integrated_management | Avaya | * | * |
Interactive_response | Avaya | 1.3 | 1.3 |
Call_management_system_server | Avaya | 13.0 | 13.0 |
Libtiff | Libtiff | 3.4 | 3.4 |
Icontrol_service_manager | F5 | 1.3.4 | 1.3.4 |
Libtiff | Libtiff | 3.5.7 | 3.5.7 |
Libtiff | Libtiff | 3.7.0 | 3.7.0 |
Intuity_audix_lx | Avaya | * | * |
Libtiff | Libtiff | 3.6.0 | 3.6.0 |
Libtiff | Libtiff | 3.5.3 | 3.5.3 |
Libtiff | Libtiff | 3.5.4 | 3.5.4 |
Libtiff | Libtiff | 3.5.2 | 3.5.2 |
Call_management_system_server | Avaya | 9.0 | 9.0 |
Cvlan | Avaya | * | * |
Interactive_response | Avaya | * | * |
Libtiff | Libtiff | 3.5.5 | 3.5.5 |
Linux | Conectiva | 10.0 | 10.0 |
Libtiff | Libtiff | 3.5.1 | 3.5.1 |
Call_management_system_server | Avaya | 11.0 | 11.0 |
Icontrol_service_manager | F5 | 1.3.6 | 1.3.6 |
Icontrol_service_manager | F5 | 1.3 | 1.3 |
Call_management_system_server | Avaya | 12.0 | 12.0 |
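
The size arithmetic behind the description above, shown as an added example that is not libtiff's code: a file-supplied strip count multiplied by the element size wraps to zero, next to a checked form that rejects the count before allocating. The function names are hypothetical, 32-bit `size_t` arithmetic is modelled with `uint32_t`, and the file-size bound is an assumed extra sanity check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model: nstrips is read from the untrusted TIFF directory. */

/* Unchecked byte count, computed as a 32-bit size_t would compute it. */
static uint32_t strip_array_bytes_unchecked(uint32_t nstrips)
{
    return nstrips * (uint32_t)sizeof(uint32_t); /* wraps modulo 2^32 */
}

/* Checked byte count: 0 on success, -1 if the count is zero or would wrap. */
static int strip_array_bytes_checked(uint32_t nstrips, uint32_t *out)
{
    if (nstrips == 0 || nstrips > UINT32_MAX / sizeof(uint32_t))
        return -1;
    *out = nstrips * (uint32_t)sizeof(uint32_t);
    return 0;
}

/* Hardened allocation (assumed design): validate the count, then bound it
 * by the file size, since an offsets array stored in the file cannot be
 * larger than the file itself. Returns NULL when the count is rejected. */
static uint32_t *alloc_strip_array(uint32_t nstrips, uint64_t file_size)
{
    uint32_t bytes;
    if (strip_array_bytes_checked(nstrips, &bytes) != 0)
        return NULL;
    if (bytes > file_size)
        return NULL;
    return calloc(nstrips, sizeof(uint32_t)); /* calloc also checks n*size */
}

int main(void)
{
    uint32_t n = 0x40000000u; /* constructed value: 2^30 strips */
    uint32_t *p = alloc_strip_array(n, 1024);

    /* 2^30 * 4 = 2^32, which truncates to a zero-byte request. */
    printf("unchecked size for %u strips: %u bytes\n",
           (unsigned)n, (unsigned)strip_array_bytes_unchecked(n));
    printf("hardened allocation: %s\n", p ? "accepted" : "rejected");
    free(p);
    return 0;
}
```
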