SB2012122003 - Amazon Linux AMI update for libtiff

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2012122003

SB2012122003 - Amazon Linux AMI update for libtiff

Published: December 20, 2012

Security Bulletin ID SB2012122003
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2012-3401)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in The t2p_read_tiff_init function in tiff2pdf (tools/tiff2pdf.c) in LibTIFF 4.0.2 and earlier does not properly initialize the T2P context struct pointer in certain error conditions, which. A remote attacker can use a crafted TIFF image that triggers a heap-based buffer overflow. to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Heap-based buffer overflow (CVE-ID: CVE-2012-4447)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3. A remote attacker can use a crafted TIFF image using the PixarLog Compression format. to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Heap-based buffer overflow (CVE-ID: CVE-2012-4564)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in ppm2tiff does not check the return value of the TIFFScanlineSize function, which. A remote attacker can use a crafted PPM image that triggers an integer overflow to trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Stack-based buffer overflow (CVE-ID: CVE-2012-5581)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing a crafted DOTRANGE tag in a TIFF image. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References