Vulnerabilities > CVE-2004-1307

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.

Vulnerable Configurations

Part Description Count
Application
Avaya
12
Application
F5
4
Application
Libtiff
10
Application
Sgi
1
OS
Conectiva
2
OS
Apple
20
OS
Avaya
2
OS
Gentoo
1
OS
Mandrakesoft
6
OS
Sco
1
OS
Sun
9

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-002.NASL
    descriptionSeveral vulnerabilities have been discovered in the libtiff package; wxGTK2 uses a libtiff code tree, so it may have the same vulnerabilities : iDefense reported the possibility of remote exploitation of an integer overflow in libtiff that may allow for the execution of arbitrary code. The overflow occurs in the parsing of TIFF files set with the STRIPOFFSETS flag. iDefense also reported a heap-based buffer overflow vulnerability within the LibTIFF package could allow attackers to execute arbitrary code. (CVE-2004-1308) The vulnerability specifically exists due to insufficient validation of user-supplied data when calculating the size of a directory entry. The updated packages are patched to protect against these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id16115
    published2005-01-07
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16115
    titleMandrake Linux Security Advisory : wxGTK2 (MDKSA-2005:002)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:002. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16115);
      script_version ("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2004-1183", "CVE-2004-1307", "CVE-2004-1308");
      script_xref(name:"MDKSA", value:"2005:002");
    
      script_name(english:"Mandrake Linux Security Advisory : wxGTK2 (MDKSA-2005:002)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in the libtiff package;
    wxGTK2 uses a libtiff code tree, so it may have the same
    vulnerabilities :
    
    iDefense reported the possibility of remote exploitation of an integer
    overflow in libtiff that may allow for the execution of arbitrary
    code.
    
    The overflow occurs in the parsing of TIFF files set with the
    STRIPOFFSETS flag.
    
    iDefense also reported a heap-based buffer overflow vulnerability
    within the LibTIFF package could allow attackers to execute arbitrary
    code. (CVE-2004-1308)
    
    The vulnerability specifically exists due to insufficient validation
    of user-supplied data when calculating the size of a directory entry.
    
    The updated packages are patched to protect against these
    vulnerabilities."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wxgtk2.5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wxgtk2.5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wxgtk2.5_1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wxgtk2.5_1-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wxgtkgl2.5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64wxgtkgl2.5_1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwxgtk2.5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwxgtk2.5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwxgtk2.5_1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwxgtk2.5_1-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwxgtkgl2.5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libwxgtkgl2.5_1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:wxGTK2.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64wxgtk2.5-2.5.0-0.cvs20030817.1.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64wxgtk2.5-devel-2.5.0-0.cvs20030817.1.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64wxgtkgl2.5-2.5.0-0.cvs20030817.1.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libwxgtk2.5-2.5.0-0.cvs20030817.1.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libwxgtk2.5-devel-2.5.0-0.cvs20030817.1.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libwxgtkgl2.5-2.5.0-0.cvs20030817.1.5.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"wxGTK2.5-2.5.0-0.cvs20030817.1.5.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64wxgtk2.5_1-2.5.1-5.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64wxgtk2.5_1-devel-2.5.1-5.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"lib64wxgtkgl2.5_1-2.5.1-5.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libwxgtk2.5_1-2.5.1-5.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libwxgtk2.5_1-devel-2.5.1-5.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", cpu:"i386", reference:"libwxgtkgl2.5_1-2.5.1-5.3.101mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.1", reference:"wxGTK2.5-2.5.1-5.3.101mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2005-005.NASL
    descriptionThe remote host is missing Security Update 2005-005. This security update contains fixes for the following applications : - Apache - AppKit - AppleScript - Bluetooth - Directory Services - Finder - Foundation - HelpViewer - LDAP - libXpm - lukemftpd - NetInfo - ServerAdmin - sudo - Terminal - VPN These programs have multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id18189
    published2005-05-03
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18189
    titleMac OS X Multiple Vulnerabilities (Security Update 2005-005)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-577.NASL
    descriptionUpdated libtiff packages that fix various buffer and integer overflows are now available. The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0886 and CVE-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0803 to this issue. All users are advised to upgrade to these errata packages, which contain fixes for these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id15629
    published2004-11-04
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/15629
    titleRHEL 2.1 / 3 : libtiff (RHSA-2004:577)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-001.NASL
    descriptionSeveral vulnerabilities have been discovered in the libtiff package : iDefense reported the possibility of remote exploitation of an integer overflow in libtiff that may allow for the execution of arbitrary code. The overflow occurs in the parsing of TIFF files set with the STRIPOFFSETS flag. iDefense also reported a heap-based buffer overflow vulnerability within the LibTIFF package could allow attackers to execute arbitrary code. (CVE-2004-1308) The vulnerability specifically exists due to insufficient validation of user-supplied data when calculating the size of a directory entry. The updated packages are patched to protect against these vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id16114
    published2005-01-07
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16114
    titleMandrake Linux Security Advisory : libtiff (MDKSA-2005:001)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-021.NASL
    descriptionUpdated kdegraphics packages that resolve multiple security issues in kfax are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team The kdegraphics package contains graphics applications for the K Desktop Environment. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0886 and CVE-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0803 to this issue. Users of kfax should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id18017
    published2005-04-12
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18017
    titleRHEL 2.1 / 3 : kdegraphics (RHSA-2005:021)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-021.NASL
    descriptionUpdated kdegraphics packages that resolve multiple security issues in kfax are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team The kdegraphics package contains graphics applications for the K Desktop Environment. During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0886 and CVE-2004-0804 to these issues. Additionally, a number of buffer overflow bugs that affect libtiff have been found. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0803 to this issue. Users of kfax should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id21795
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21795
    titleCentOS 3 : kdegraphics (CESA-2005:021)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-617.NASL
    description'infamous41md
    last seen2020-06-01
    modified2020-06-02
    plugin id16048
    published2004-12-27
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/16048
    titleDebian DSA-617-1 : tiff - insufficient input validation

Oval

accepted2013-04-29T04:12:04.478-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
descriptionInteger overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.
familyunix
idoval:org.mitre.oval:def:11175
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleInteger overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.
version26

Redhat

rpms
  • libtiff-0:3.5.7-20.1
  • libtiff-debuginfo-0:3.5.7-20.1
  • libtiff-devel-0:3.5.7-20.1
  • kdegraphics-7:3.1.3-3.7
  • kdegraphics-debuginfo-7:3.1.3-3.7
  • kdegraphics-devel-7:3.1.3-3.7

Statements

contributorTomas Hoger
lastmodified2008-08-12
organizationRed Hat
statementThis issue was resolved in all affected libtiff versions as shipped with Red Hat Enterprise Linux 2.1, 3, and 4 via a patch for CVE-2004-0886. For updates containing patches for CVE-2004-0886, see: https://rhn.redhat.com/errata/CVE-2004-0886.html