Vigil@nce - LibTIFF ppm2tiff: buffer overflow via TIFFScanlineSize
November 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to open a malicious PPM/PGM/PBM
image with LibTIFF ppm2tiff, in order to create a denial of
service or to execute code.
Impacted products: Unix (platform)
Severity: 2/4
Creation date: 02/11/2012
DESCRIPTION OF THE VULNERABILITY
The ppm2tiff tool is provided in the LibTIFF suite. It can be used
to convert an image in PPM/PGM/PBM format to a TIFF image.
The tools/ppm2tiff.c file calls the TIFFScanlineSize() function to
obtain the size of data. This function returns zero when it
detects an integer overflow. However, ppm2tiff.c does not check
this error code, and allocate a short memory area. A buffer
overflow then occurs.
An attacker can therefore invite the victim to open a malicious
PPM/PGM/PBM image with LibTIFF ppm2tiff, in order to create a
denial of service or to execute code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/LibTIFF-ppm2tiff-buffer-overflow-via-TIFFScanlineSize-12108