发布时间 :2006-05-30 14:02:00
修订时间 :2016-10-17 23:39:59

[原文]Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.

[CNNVD]libtiff tiffsplit命令 堆栈缓冲区溢出(CNNVD-200605-507)

        libtiff 3.8.2及之前版本中的tiffsplit命令存在基于堆栈的缓冲区溢出。攻击者可以借助长文件名执行任意代码。注意: tiffsplit并非setuid。如果没有能使用攻击者控制的命令行自变量调用tiffsplit的通用场景。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-119 [内存缓冲区边界内操作的限制不恰当]

- CPE (受影响的平台与产品)

cpe:/a:libtiff:libtiff:3.4LibTIFF 3.4
cpe:/a:libtiff:libtiff:3.5.3LibTIFF 3.5.3
cpe:/a:libtiff:libtiff:3.7.1LibTIFF 3.7.1
cpe:/a:libtiff:libtiff:3.8.0LibTIFF 3.8.0
cpe:/a:libtiff:libtiff:3.5.2LibTIFF 3.5.2
cpe:/a:libtiff:libtiff:3.6.1LibTIFF 3.6.1
cpe:/a:libtiff:libtiff:3.7.0LibTIFF 3.7.0
cpe:/a:libtiff:libtiff:3.5.1LibTIFF 3.5.1
cpe:/a:libtiff:libtiff:3.6.0LibTIFF 3.6.0
cpe:/a:libtiff:libtiff:3.5.7LibTIFF 3.5.7
cpe:/a:libtiff:libtiff:3.5.6LibTIFF 3.5.6
cpe:/a:libtiff:libtiff:3.5.5LibTIFF 3.5.5
cpe:/a:libtiff:libtiff:3.8.2LibTIFF 3.8.2
cpe:/a:libtiff:libtiff:3.5.4LibTIFF 3.5.4
cpe:/a:libtiff:libtiff:3.8.1LibTIFF 3.8.1

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  VULN-DEV  20060524 tiffsplit (libtiff <= 3.8.2) bss & stack buffer overflow...

- 漏洞信息

libtiff tiffsplit命令 堆栈缓冲区溢出
高危 缓冲区溢出
2006-05-30 00:00:00 2006-05-30 00:00:00
        libtiff 3.8.2及之前版本中的tiffsplit命令存在基于堆栈的缓冲区溢出。攻击者可以借助长文件名执行任意代码。注意: tiffsplit并非setuid。如果没有能使用攻击者控制的命令行自变量调用tiffsplit的通用场景。

- 公告与补丁


- 漏洞信息 (1831)

tiffsplit (libtiff <= 3.8.2) Local Stack Buffer Overflow PoC (EDBID:1831)
linux local
2006-05-26 Verified
0 nitr0us
N/A [点击下载]
# tiffsplit (libtiff <= 3.8.2) local stack buffer overflow PoC

tiffsplit from libtiff (
is vulnerable to a bss-based and stack-based overflow, but, I just
wrote the concept c0de for stack-based b0f 'cause I don't know how
to take advantage of the overwritten bss data (after the overflow,
that data is overwritten again correctly by a program' function).

.bss section is in higher addresses than .dtors section, so, we
can't hijack .dtors to....


nitr0us <nitrousenador[at]gmail[dot]com>

# [2006-05-26]

- 漏洞信息 (F47653)

TLSA-2006-0036.txt (PacketStormID:F47653)
2006-06-26 00:00:00

Trustix Secure Linux Security Advisory #2006-0036 - fcron and libtiff suffer from multiple vulnerabilities.

Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0036

Package names:	   fcron, libtiff 
Summary:           Multiple vulnerabilities
Date:              2006-06-16
Affected versions: Trustix Secure Linux 2.2
                   Trustix Secure Linux 3.0
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  Fcron is a scheduler. It aims at replacing Vixie Cron, so it implements
  most of its functionalities. But contrary to Vixie Cron, fcron does not
  need your system to be up 7 days a week, 24 hours a day : it also works
  well with systems which are not running neither all the time nor 
  regularly (contrary to anacrontab).

  The libtiff package contains a library of functions for manipulating
  TIFF (Tagged Image File Format) image format files.  TIFF is a widely
  used file format for bitmapped images.  TIFF files usually end in the
  .tif extension and they are often quite large.

Problem description:
  fcron < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - Patched to fix buffer overflow due to a bug in make_msg(), Bug #1754.

  libtiff < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
  - SECURITY Fix: gpe92 has discovered a vulnerability in LibTIFF caused
    due to a boundary error within tiff2pdf when handling a TIFF file with
    a "DocumentName" tag that contains UTF-8 characters. This can be
    exploited to cause a stack-based buffer overflow and may allow
    arbitrary code execution.
  - Stack-based buffer overflow in the tiffsplit command in libtiff might
    allow attackers to execute arbitrary code via a long filename.

    The Common Vulnerabilities and Exposures project ( has
    assigned the names CVE-2006-2193 and CVE-2006-2656 these issues. 

  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

  All Trustix Secure Linux updates are available from

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Check out our mailing lists:

  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:

  The advisory itself is available from the errata pages at
  <URI:> and
  or directly at

MD5sums of the packages:
- --------------------------------------------------------------------------
ef9c418538fe7078fd0aef828242e94c  3.0/rpms/fcron-2.9.6-13tr.i586.rpm
8a4ecedfff22da6b1c4760a34aa519dc  3.0/rpms/libtiff-3.7.3-3tr.i586.rpm
9d1e3065f727303f684c075d1d58b582  3.0/rpms/libtiff-devel-3.7.3-3tr.i586.rpm
b1531880559bd9b9416df88f24f51b00  3.0/rpms/libtiff-docs-3.7.3-3tr.i586.rpm

b5432c9e8a0e7dc0f14d5d0ba56fae88  2.2/rpms/fcron-
7203c833a5d80a08ccfd240530c91e17  2.2/rpms/libtiff-3.7.3-3tr.i586.rpm
257f3daa5eb28d0567f741e7570dca6a  2.2/rpms/libtiff-devel-3.7.3-3tr.i586.rpm
- --------------------------------------------------------------------------

Trustix Security Team

Version: GnuPG v1.4.2.2 (GNU/Linux)


- 漏洞信息

LibTIFF tiffsplit Filename Processing Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-05-23 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete