The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of LibTIFF ppm2tiff: buffer overflow via TIFFScanlineSize

Synthesis of the vulnerability 

An attacker can invite the victim to open a malicious PPM/PGM/PBM image with LibTIFF ppm2tiff, in order to create a denial of service or to execute code.
Vulnerable products: Debian, Fedora, Junos Space, LibTIFF, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware.
Severity of this weakness: 2/4.
Creation date: 02/11/2012.
Références of this bulletin: 871700, BID-56372, CERTA-2012-AVI-621, CERTA-2013-AVI-387, CERTFR-2014-AVI-112, CVE-2012-4564, DSA-2575-1, FEDORA-2012-20404, JSA11023, MDVSA-2012:174, MDVSA-2013:046, openSUSE-SU-2013:0187-1, RHSA-2012:1590-01, SSA:2013-290-01, VIGILANCE-VUL-12108.

Description of the vulnerability 

The ppm2tiff tool is provided in the LibTIFF suite. It can be used to convert an image in PPM/PGM/PBM format to a TIFF image.

The tools/ppm2tiff.c file calls the TIFFScanlineSize() function to obtain the size of data. This function returns zero when it detects an integer overflow. However, ppm2tiff.c does not check this error code, and allocate a short memory area. A buffer overflow then occurs.

An attacker can therefore invite the victim to open a malicious PPM/PGM/PBM image with LibTIFF ppm2tiff, in order to create a denial of service or to execute code.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer vulnerability impacts software or systems such as Debian, Fedora, Junos Space, LibTIFF, Mandriva Linux, openSUSE, Solaris, RHEL, Slackware.

Our Vigil@nce team determined that the severity of this weakness bulletin is medium.

The trust level is of type confirmed by the editor, with an origin of document.

An attacker with a expert ability can exploit this weakness.

Solutions for this threat 

LibTIFF ppm2tiff: patch for TIFFScanlineSize.
A patch is available in information sources.

Debian: new tiff packages.
New packages are available:
  tiff 3.9.4-5+squeeze7

Fedora: new libtiff packages.
New packages are available:
  libtiff-3.9.7-1.fc16
  libtiff-3.9.7-1.fc17

Junos Space: version 20.1R1.
The version 20.1R1 is fixed:
  https://www.juniper.net/support/downloads/

Mandriva Business Server: new libtiff packages.
New packages are available:
  libtiff-4.0.1-3.1.mbs1

Mandriva: new libtiff packages.
New packages are available:
  libtiff-3.9.5-1.4-mdv2011.0
  libtiff-3.8.2-12.9mdvmes5.2

openSUSE 11.4: new tiff packages.
New packages are available:
  tiff-3.9.4-34.1

RHEL: new libtiff packages.
New packages are available:
  RHEL 5 : libtiff-3.8.2-18
  RHEL 6 : libtiff-3.9.4-9

Slackware: new libtiff packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/libtiff-3.9.7-i486-1_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/libtiff-3.9.7-i486-1_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/libtiff-3.9.7-i486-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/libtiff-3.9.7-x86_64-1_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/libtiff-3.9.7-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/libtiff-3.9.7-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/libtiff-3.9.7-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/libtiff-3.9.7-x86_64-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/libtiff-3.9.7-i486-1_slack14.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/libtiff-3.9.7-x86_64-1_slack14.0.txz

Solaris 11: version 11.1.7.5.0.
The version 11.1.7.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1554870.1

Solaris: version 11.1.14.5.0.
The version 11.1.14.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1607967.1
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides a systems vulnerabilities database. The Vigil@nce vulnerability database contains several thousand vulnerabilities.