CVE-2004-1307

Description

Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.

Affected products

• Apple / mac_os_x10.3.2 – 10.3.2
• Apple / mac_os_x10.3.1 – 10.3.1
• Apple / mac_os_x10.3 – 10.3
• Apple / mac_os_x10.3.9 – 10.3.9
• Apple / mac_os_x10.3.8 – 10.3.8
• Apple / mac_os_x10.3.7 – 10.3.7
• Apple / mac_os_x10.3.6 – 10.3.6
• Apple / mac_os_x10.3.5 – 10.3.5
• Apple / mac_os_x10.3.4 – 10.3.4
• Apple / mac_os_x10.3.3 – 10.3.3
• Apple / mac_os_x_server10.3.9 – 10.3.9
• Apple / mac_os_x_server10.3.8 – 10.3.8
• Apple / mac_os_x_server10.3.7 – 10.3.7
• Apple / mac_os_x_server10.3.6 – 10.3.6
• Apple / mac_os_x_server10.3.5 – 10.3.5
• Apple / mac_os_x_server10.3.4 – 10.3.4
• Apple / mac_os_x_server10.3.3 – 10.3.3
• Apple / mac_os_x_server10.3.2 – 10.3.2
• Apple / mac_os_x_server10.3.1 – 10.3.1
• Apple / mac_os_x_server10.3 – 10.3
• Avaya / call_management_system_server11.0 – 11.0
• Avaya / call_management_system_server13.0 – 13.0
• Avaya / call_management_system_server12.0 – 12.0
• Avaya / call_management_system_server9.0 – 9.0
• Avaya / call_management_system_server8.0 – 8.0
• Avaya / cvlan
• Avaya / integrated_management
• Avaya / interactive_response1.2.1 – 1.2.1
• Avaya / interactive_response
• Avaya / interactive_response1.3 – 1.3
• Avaya / intuity_audix_lx
• Avaya / mn100
• Avaya / modular_messaging_message_storage_server1.1 – 1.1
• Avaya / modular_messaging_message_storage_server2.0 – 2.0
• conectiva / linux9.0 – 9.0
• conectiva / linux10.0 – 10.0
• F5 / icontrol_service_manager1.3.4 – 1.3.4
• F5 / icontrol_service_manager1.3.6 – 1.3.6
• F5 / icontrol_service_manager1.3 – 1.3
• F5 / icontrol_service_manager1.3.5 – 1.3.5
• gentoo / linux
• libtiff / libtiff3.5.2 – 3.5.2
• libtiff / libtiff3.5.1 – 3.5.1
• libtiff / libtiff3.4 – 3.4
• libtiff / libtiff3.7.0 – 3.7.0
• libtiff / libtiff3.6.1 – 3.6.1
• libtiff / libtiff3.6.0 – 3.6.0
• libtiff / libtiff3.5.7 – 3.5.7
• libtiff / libtiff3.5.5 – 3.5.5
• libtiff / libtiff3.5.4 – 3.5.4
• libtiff / libtiff3.5.3 – 3.5.3
• mandrakesoft / mandrake_linux10.0 – 10.0
• mandrakesoft / mandrake_linux10.0 – 10.0
• mandrakesoft / mandrake_linux10.1 – 10.1
• mandrakesoft / mandrake_linux10.1 – 10.1
• mandrakesoft / mandrake_linux_corporate_server3.0 – 3.0
• mandrakesoft / mandrake_linux_corporate_server3.0 – 3.0
• sco / unixware7.1.4 – 7.1.4
• sgi / propack3.0 – 3.0
• sun / solaris7.0 – 7.0
• sun / solaris8.0 – 8.0
• sun / solaris9.0 – 9.0
• sun / solaris9.0 – 9.0
• sun / solaris9.0 – 9.0
• sun / solaris10.0 – 10.0
• sun / solaris10.0 – 10.0
• sun / sunos5.7 – 5.7
• sun / sunos5.8 – 5.8

References

• MISChttp://www.us-cert.gov/cas/techalerts/TA05-136A.html
• MISChttp://www.kb.cert.org/vuls/id/539110
• MISChttp://sunsolve.sun.com/search/document.do?assetkey=1-66-201072-1
• MISChttp://sunsolve.sun.com/search/document.do?assetkey=1-26-101677-1
• MISChttp://www.idefense.com/application/poi/display?id=173&type=vulnerabilities&flashstatus=true
• MAILING_LISThttp://lists.apple.com/archives/security-announce/2005/May/msg00001.html
• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11175