CERT-In Advisory CIAD-2006-15
Multiple Buffer Overflow Vulnerabilities in libtiff package.
Original issue date:
June 09, 2006
Severity Rating: Medium
Systems Affected
- LibTIFF version prior to 3.8.2
Overview libtiff is a library of functions used to manipulate TIFF (Tagged Image File Format) images. Multiple Vulnerabilities has been reported in LibTIFF which could be exploited by attackers to cause denial of service or execute arbitrary commands.
Description
1. tiffsplit buffer overflow vulnerability ( CVE-2006-2656 )
A stack-based buffer overflow vulnerability has been discovered in the tiffsplit command of the libtiff package version 3.8.2 and earlier. This could be used by malicious attacker to execute arbitrary code via a long filename.
2. tiff2pdf buffer overflow vulnerability ( CVE-2006-2193 )
The vulnerability is caused due to a boundary error within tiff2pdf when handling a TIFF file with a "DocumentName" tag that contains UTF-8 characters. This can be exploited to cause a stack-based buffer overflow and may allow arbitrary code execution.
Vendor Information
libtiff
http://www.libtiff.org/
Solution Upgrade to the latest version.
References
CVE References
CVE-2006-2193
CVE-2006-2656
FrSIRT Advisories
http://www.frsirt.com/english/advisories/2006/2197
Secunia Advisories
http://secunia.com/advisories/20488/
Disclaimer The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91 11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
|
