Rapid7 Vulnerability & Exploit Database

RHSA-2009:1159: libtiff security update

  • Severity: 9
  • CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  • Published: 07/14/2009
  • Created: 07/25/2018
  • Added: 09/12/2009
  • Modified: 07/04/2017

Description

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Several integer overflow flaws, leading to heap-based buffer overflows, were found in various libtiff color space conversion tools. An attacker could create a specially-crafted TIFF file, which once opened by an unsuspecting user, would cause the conversion tool to crash or, potentially, execute arbitrary code with the privileges of the user running the tool. (CVE-2009-2347)

A buffer underwrite flaw was found in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a specially-crafted LZW-encoded TIFF file, which once opened by an unsuspecting user, would cause an application linked with libtiff to access an out-of-bounds memory location, leading to a denial of service (application crash). (CVE-2009-2285)

The CVE-2009-2347 flaws were discovered by Tielei Wang from ICST-ERCIS, Peking University.

All libtiff users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, all applications linked with the libtiff library (such as Konqueror) must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-libtiff
  • redhat-upgrade-libtiff-devel
