Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libtiff | Libtiff | 3.8.0 (including) | 3.8.0 (including) |
| Libtiff | Libtiff | 3.8.1 (including) | 3.8.1 (including) |
| Libtiff | Libtiff | 3.8.2 (including) | 3.8.2 (including) |
| Libtiff | Libtiff | 3.9 (including) | 3.9 (including) |
| Libtiff | Libtiff | 4.0 (including) | 4.0 (including) |
| Red Hat Enterprise Linux 3 | RedHat | libtiff-0:3.5.7-33.el3 | * |
| Red Hat Enterprise Linux 4 | RedHat | libtiff-0:3.6.1-12.el4_8.4 | * |
| Red Hat Enterprise Linux 5 | RedHat | libtiff-0:3.8.2-7.el5_3.4 | * |
| Tiff | Ubuntu | dapper | * |
| Tiff | Ubuntu | devel | * |
| Tiff | Ubuntu | hardy | * |
| Tiff | Ubuntu | intrepid | * |
| Tiff | Ubuntu | jaunty | * |
| Tiff | Ubuntu | upstream | * |