Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.

Several vulnerabilities have been discovered in the libtiff package;
wxGTK2 uses a libtiff code tree, so it may have the same vulnerabilities :

Chris Evans discovered several problems in the RLE (run length encoding) decoders that could lead to arbitrary code execution.
(CVE-2004-0803)

Matthias Clasen discovered a division by zero through an integer overflow. (CVE-2004-0804)

Dmitry V. Levin discovered several integer overflows that caused malloc issues which can result to either plain crash or memory corruption. (CVE-2004-0886)

Updated tetex packages that fix several integer overflows are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

TeTeX is an implementation of TeX for Linux or UNIX systems. TeX takes a text file and a set of formatting commands as input and creates a typesetter-independent .dvi (DeVice Independent) file as output.

A number of security flaws have been found affecting libraries used internally within teTeX. An attacker who has the ability to trick a user into processing a malicious file with teTeX could cause teTeX to crash or possibly execute arbitrary code.

A number of integer overflow bugs that affect Xpdf were discovered.
The teTeX package contains a copy of the Xpdf code used for parsing PDF files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0888 and CVE-2004-1125 to these issues.

A number of integer overflow bugs that affect libtiff were discovered.
The teTeX package contains an internal copy of libtiff used for parsing TIFF image files and is therefore affected by these bugs. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0803, CVE-2004-0804 and CVE-2004-0886 to these issues.

Also latex2html is added to package tetex-latex for 64bit platforms.

Users of teTeX should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues.

Updated kdegraphics packages that resolve multiple security issues in kfax are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team

The kdegraphics package contains graphics applications for the K Desktop Environment.

During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0886 and CVE-2004-0804 to these issues.

Additionally, a number of buffer overflow bugs that affect libtiff have been found. The kfax application contains a copy of the libtiff code used for parsing TIFF files and is therefore affected by these bugs. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause kfax to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0803 to this issue.

Users of kfax should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.

Chris Evans discovered several heap buffer overflows in libtiff's RLE decoder. These overflows could be triggered by a specially crafted TIFF image file, resulting in an application crash and possibly arbitrary code execution.

New libtiff packages are available for Slackware 8.1, 9.0, 9.1, 10.1, and -current to fix security issues that could lead to application crashes, or possibly execution of arbitrary code.

Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64 bit platform.
(formerly CVE-2004-0888). This also affects applications like kdegraphics, that use embedded versions of xpdf. (CVE-2005-0206)

In addition, previous libtiff updates overlooked kdegraphics, which contains and embedded libtiff used for kfax. This update includes patches to address: CVE-2004-0803, CVE-2004-0804, CVE-2004-0886, CVE-2004-1183, CVE-2004-1308.

The updated packages are patched to deal with these issues.

The remote host is affected by the vulnerability described in GLSA-200412-17 (kfax: Multiple overflows in the included TIFF library)

    Than Ngo discovered that kfax contains a private copy of the TIFF     library and is therefore subject to several known vulnerabilities (see     References).
  Impact :

    A remote attacker could entice a user to view a carefully-crafted TIFF     image file with kfax, which would potentially lead to execution of     arbitrary code with the rights of the user running kfax.
  Workaround :

    The KDE Team recommends to remove the kfax binary as well as the     kfaxpart.la KPart:
    rm /usr/kde/3.*/lib/kde3/kfaxpart.la     rm /usr/kde/3.*/bin/kfax     Note: This will render the kfax functionality useless, if kfax     functionality is needed you should upgrade to the KDE 3.3.2 which is     not stable at the time of this writing.
    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-200412-02 (PDFlib: Multiple overflows in the included TIFF library)

    The TIFF library is subject to several known vulnerabilities (see     GLSA 200410-11). Most of these overflows also apply to PDFlib.
  Impact :

    A remote attacker could entice a user or web application to     process a carefully crafted PDF file or TIFF image using a     PDFlib-powered program. This can potentially lead to the execution of     arbitrary code with the rights of the program processing the file.
  Workaround :

    There is no known workaround at this time.

The remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs :

  - Apache
  - Apache2
  - AppKit
  - Cyrus IMAP
  - HIToolbox
  - Kerberos
  - Postfix
  - PSNormalizer
  - QuickTime Streaming Server
  - Safari
  - Terminal

These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.

Several problems have been discovered in libtiff, the Tag Image File Format library for processing TIFF graphics files. An attacker could prepare a specially crafted TIFF graphic that would cause the client to execute arbitrary code or crash. The Common Vulnerabilities and Exposures Project has identified the following problems :

  - CAN-2004-0803     Chris Evans discovered several problems in the RLE (run     length encoding) decoders that could lead to arbitrary     code execution.

  - CAN-2004-0804

    Matthias Clasen discovered a division by zero through an     integer overflow.

  - CAN-2004-0886

    Dmitry V. Levin discovered several integer overflows     that caused malloc issues which can result to either     plain crash or memory corruption.

Updated libtiff packages that fix various buffer and integer overflows are now available.

The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images.

During a source code audit, Chris Evans discovered a number of integer overflow bugs that affect libtiff. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0886 and CVE-2004-0804 to these issues.

Additionally, a number of buffer overflow bugs that affect libtiff have been found. An attacker who has the ability to trick a user into opening a malicious TIFF file could cause the application linked to libtiff to crash or possibly execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0803 to this issue.

All users are advised to upgrade to these errata packages, which contain fixes for these issues.

The remote host is missing the patch for the advisory SUSE-SA:2004:038 (libtiff).


libtiff is used by image viewers and web browser to view 'TIFF' images.
These usually open and display those images without querying the user, making a normal system by default vulnerable to exploits of image library bugs.

Chris Evans found several security related problems during an audit of the image handling library libtiff, some related to buffer overflows, some related to integer overflows and similar. This issue is being tracked by the CVE ID CVE-2004-0803.

Matthias Claasen found a division by zero in libtiff. This is tracked by the CVE ID CVE-2004-0804.

Further auditing by Dmitry Levin exposed several additional integer overflows. These are tracked by the CVE ID CVE-2004-0886.

Additionally, iDEFENSE Security located a buffer overflow in the OJPEG (old JPEG) handling in the SUSE libtiff package. This was fixed by disabling the old JPEG support and is tracked by the CVE ID CVE-2004-0929.

SUSE wishes to thank all the reporters, auditors, and programmers for helping to fix these problems.

Several vulnerabilities have been discovered in the libtiff package :

Chris Evans discovered several problems in the RLE (run length encoding) decoders that could lead to arbitrary code execution.
(CVE-2004-0803)

Matthias Clasen discovered a division by zero through an integer overflow. (CVE-2004-0804)

Dmitry V. Levin discovered several integer overflows that caused malloc issues which can result to either plain crash or memory corruption. (CVE-2004-0886)

The remote host is affected by the vulnerability described in GLSA-200410-11 (tiff: Buffer overflows in image decoding)

    Chris Evans found heap-based overflows in RLE decoding routines in     tif_next.c, tif_thunder.c and potentially tif_luv.c.
  Impact :

    A remote attacker could entice a user to view a carefully crafted TIFF     image file, which would potentially lead to execution of arbitrary code     with the rights of the user viewing the image. This affects any program     that makes use of the tiff library, including GNOME and KDE web browsers or     mail readers.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
24551	Mandrake Linux Security Advisory : wxGTK2 (MDKSA-2004:111)	Nessus	Mandriva Local Security Checks	high
21809	CentOS 3 : tetex (CESA-2005:354)	Nessus	CentOS Local Security Checks	critical
21795	CentOS 3 : kdegraphics (CESA-2005:021)	Nessus	CentOS Local Security Checks	critical
19172	FreeBSD : tiff -- RLE decoder heap overflows (f6680c03-0bd8-11d9-8a8a-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	high
18775	Slackware 10.0 / 8.1 / 9.0 / 9.1 / current : libtiff (SSA:2004-305-02)	Nessus	Slackware Local Security Checks	high
18017	RHEL 2.1 / 3 : kdegraphics (RHSA-2005:021)	Nessus	Red Hat Local Security Checks	critical
17680	RHEL 2.1 / 3 : tetex (RHSA-2005:354)	Nessus	Red Hat Local Security Checks	critical
17281	Mandrake Linux Security Advisory : kdegraphics (MDKSA-2005:052)	Nessus	Mandriva Local Security Checks	critical
16004	GLSA-200412-17 : kfax: Multiple overflows in the included TIFF library	Nessus	Gentoo Local Security Checks	high
15906	GLSA-200412-02 : PDFlib: Multiple overflows in the included TIFF library	Nessus	Gentoo Local Security Checks	high
15898	Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)	Nessus	MacOS X Local Security Checks	high
15665	Debian DSA-567-1 : tiff - heap overflows	Nessus	Debian Local Security Checks	high
15629	RHEL 2.1 / 3 : libtiff (RHSA-2004:577)	Nessus	Red Hat Local Security Checks	high
15552	SUSE-SA:2004:038: libtiff	Nessus	SuSE Local Security Checks	critical
15523	Mandrake Linux Security Advisory : libtiff (MDKSA-2004:109)	Nessus	Mandriva Local Security Checks	high
15472	GLSA-200410-11 : tiff: Buffer overflows in image decoding	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2004-0803

critical

Tenable Plugins

high

critical

critical

high

high

critical

critical

critical

high

high

high

high

high

critical

high

high