From customerservice@idefense.com Sat Oct 23 04:10:29 2004 From: customer service mailbox To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org Date: Fri, 22 Oct 2004 13:34:48 -0400 Subject: iDEFENSE Security Advisory XX.XX.04 - Novell SuSe Linux LibTIFF Heap Overflow Vulnerability Novell SuSe Linux LibTIFF Heap Overflow Vulnerability iDEFENSE Security Advisory 10.22.04 www.idefense.com/application/poi/display?id=154&type=vulnerabilities October 22, 2004 I. BACKGROUND libtiff provides support for using the Tag Image File Format (TIFF), a widely used format for storing image data. II. DESCRIPTION An exploitable heap overflow in the handling of malformed tiff files has been discovered in the latest version of libtiff when JPEG support has been enabled. The overflow occurs in the OJPEGVSetField() function of libtiff/tif_ojpeg.c. During processing, it is assumed that more than 255 bytes will not be processed, however in certain cases it is possible to cause up to 16 times that amount of data to be processed, thus causing the overflow. III. ANALYSIS An attacker can exploit the above-described vulnerability to execute arbitrary code under the permissions of the target user. Successful exploitation requires that the attacker convince the end-user to open the malicious tiff file using an application linked with a vulnerable version of libtiff. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in version 3.6.1 of libtiff when compiled with optional OJPEG_SUPPORT. This option is enabled by default under SuSE Linux 9.1 Personal and Suse Linux 9.1 Professional. V. WORKAROUND Only open files from trusted users. Alternatively, recompile libtiff without the optional OJPEG_SUPPORT. VI. VENDOR RESPONSE This issue is addressed in SUSE-SA:2004:038 http://www.suse.de/de/security/2004_38_libtiff.html VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2004-0929 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 09/09/2004 Initial vendor notification 09/09/2004   Vendor response 10/22/2004   Coordinated public disclosure IX. CREDIT Andrei Nigmatulin is credited with this discovery. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp X. LEGAL NOTICES Copyright © 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.