The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of libtiff: buffer overflow via the tags DOTRANGE

Synthesis of the vulnerability 

An attacker can build a TIFF file containing a malicious tag DOTRANGE, in order to execute some code.
Impacted systems: Debian, Fedora, Junos Space, LibTIFF, Mandriva Linux, openSUSE, Solaris, RHEL.
Severity of this alert: 3/4.
Creation date: 29/11/2012.
Références of this alert: 867235, BID-56715, CERTA-2013-AVI-543, CVE-2012-5581, DSA-2589-1, FEDORA-2012-20404, JSA11023, MDVSA-2012:184, MDVSA-2013:046, openSUSE-SU-2013:0187-1, RHSA-2012:1590-01, VIGILANCE-VUL-12191.

Description of the vulnerability 

The image file format TIFF is partially based on a sequence of blocs <tag, data>.

One of the defined tags is named DOTRANGE and its value is expected to be a pair of integer. However, during the packing of a tag sequence, the routine _TIFFVSetField() from the source file libtiff/tif_dir.c uses an integer variable as it was an array of size two, which leads to overwrite neighbor variables.

An attacker can therefore build a TIFF file containing a malicious tag DOTRANGE, in order to execute some code.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer weakness alert impacts software or systems such as Debian, Fedora, Junos Space, LibTIFF, Mandriva Linux, openSUSE, Solaris, RHEL.

Our Vigil@nce team determined that the severity of this weakness note is important.

The trust level is of type confirmed by the editor, with an origin of document.

An attacker with a expert ability can exploit this weakness bulletin.

Solutions for this threat 

libtiff: patch for DOTRANGE.
A patch is available in information sources.

Debian: new tiff packages.
New packages are available:
  tiff_3.9.4-5+squeeze8

Fedora: new libtiff packages.
New packages are available:
  libtiff-3.9.7-1.fc16
  libtiff-3.9.7-1.fc17

Junos Space: version 20.1R1.
The version 20.1R1 is fixed:
  https://www.juniper.net/support/downloads/

Mandriva Business Server: new libtiff packages.
New packages are available:
  libtiff-4.0.1-3.1.mbs1

Mandriva: new libtiff packages.
New packages are available:
  libtiff-3.9.5-1.5-mdv2011.0
  libtiff-3.8.2-12.10mdvmes5.2

openSUSE 11.4: new tiff packages.
New packages are available:
  tiff-3.9.4-34.1

RHEL: new libtiff packages.
New packages are available:
  RHEL 5 : libtiff-3.8.2-18
  RHEL 6 : libtiff-3.9.4-9

Solaris 10: patch for LibTIFF.
A patch is available:
  SPARC: 119900-17
  X86: 119901-16

Solaris 11.1: version 11.1.10.5.0.
The version 11.1.10.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1577554.1
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides software vulnerabilities patches. The technology watch team tracks security threats targeting the computer system.