{"vuid":"VU#539110","idnumber":"539110","name":"LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine","keywords":["LibTIFF","integer overflow","STRIPOFFSETS flag","tif_dirread.c","TIFFFetchStripThing()","apple_security_update_2005_005"],"overview":"An integer overflow in LibTIFF may allow a remote attacker to execute arbitrary code.","clean_desc":"LibTIFF is a library used to encode and decode images in Tag Image File Format (TIFF). An integer overflow in the TIFFFetchStripThing() routine within the tif_dirread.c file may allow an attacker to cause a heap-based buffer overflow. A lack of input validation on user-controlled data concerning the size of a TIFF image may allow a remote attacker to manipulate a call to malloc() to create a buffer with insufficient size. When data is copied to this under-sized buffer, a heap-based buffer overflow may occur. Note that in order to exploit this vulnerability, an attacker must craft a TIFF image with the STRIPOFFSETS flag set. This vulnerability is believed to be related to the integer overflows described in VU#687568.","impact":"If a remote attacker can persuade a user to access a specially crafted TIFF image, that attacker may be able to execute arbitrary code with the privileges of that user.","resolution":"Upgrade: This issue has been corrected in LibTIFF versions 3.7.0.","workarounds":"Workarounds: Do Not Accept TIFF Files from Unknown or Untrusted Sources. Exploitation occurs by accessing a specially crafted TIFF file (typically .tiff or .tif extension). By only accessing TIFF files from trusted or known sources, the chances of exploitation are reduced.","sysaffected":"","thanks":"This vulnerability was reported by iDefense Security. iDefense credits \ninfamous41md\n with discovering this vulnerability.","author":"This document was written by Jeff Gennari.","public":["http://securitytracker.com/alerts/2004/Dec/1012651.html","http://www.idefense.com/application/poi/display?id=173&type=vulnerabilities","http://secunia.com/advisories/13607/","http://secunia.com/advisories/15227/"],"cveids":["CVE-2004-1307"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2004-12-22T15:24:32Z","publicdate":"2004-12-21T00:00:00Z","datefirstpublished":"2005-01-20T20:56:55Z","dateupdated":"2005-08-23T15:37:32Z","revision":73,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"10","cam_impact":"16","cam_easeofexploitation":"7","cam_attackeraccessrequired":"16","cam_scorecurrent":"5.04","cam_scorecurrentwidelyknown":"6.72","cam_scorecurrentwidelyknownexploited":"13.44","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":5.04,"vulnote":null}