CVE-2006-2193
Published 2006-06-08
Priority: P4 · 33 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 5.36% (91.6th percentile)
Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8.2 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a TIFF file with a DocumentName tag that contains UTF-8 characters, which triggers the overflow when a character is sign extended to an integer that produces more digits than expected in an sprintf call.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 3.8.2-4 (bookworm) | tiff 3.8.2-4 (bookworm) |
| libtiff | libtiff | <= 3.8.2 | — |
| libtiff | libtiff | — | — |
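CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | MEDIUM | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |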
Ubuntu
tiff vulnerabilities
vendor_ubuntu·2006-06-08·CVSS 7.5
Title: tiff vulnerabilities
Summary: tiff vulnerabilities
A buffer overflow has been found in the tiff2pdf utility. By tricking
a user into processing a specially crafted TIF file with tiff2pdf,
this could potentially be exploited to execute arbitrary code with the
privileges of the user. (CVE-2006-2193)
A. Alejandro Hernández discovered a buffer overflow in the tiffsplit
utility. By calling tiffsplit with specially crafted long arguments,
a user can execute arbitrary code. If tiffsplit is used in e.g. a
web-based frontend or similar automated system, this could lead to
remote arbitrary code execution with the privileges of that system. (In
normal interactive command line usage this is not a vulnerability.)
(CVE-2006-2656)
Instructions: In general, a standard system upgrade is suffic
Red Hat
tiff2pdf buffer overflow
vendor_redhat·2006-06-07·CVSS 7.5
Statement: This issue does not affect Red Hat Enterprise Linux 2.1 and 3.
Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-2193: tiff - Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3.8....
vendor_debian·2006·CVSS 7.5
Scope: local
bookworm: resolved (fixed in 3.8.2-4)
bullseye: resolved (fixed in 3.8.2-4)
forky: resolved (fixed in 3.8.2-4)
sid: resolved (fixed in 3.8.2-4)
trixie: resolved (fixed in 3.8.2-4)
GHSA
GHSA-jgfg-vvq8-cfx3: Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3
ghsa_unreviewed·2022-05-01
OSV
CVE-2006-2193: Buffer overflow in the t2p_write_pdf_string function in tiff2pdf in libtiff 3
osv·2006-06-08·CVSS 7.5
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-2193 tiff2pdf buffer overflow
bugzilla·2006-08-15·CVSS 7.5
Fix needed for FC6
+++ This bug was initially created as a clone of Bug #194363 +++
tiff2pdf buffer overflow
A buffer overflow flaw has been found in tiff2pdf.
Thomas Biege told vendor-sec about this (it came from a colleague of
his)
The code in question is as such:
char buffer[5];
...
sprintf(buffer, "\\%.3o", pdfstr[i]);
pdfstr[i] is signed char, therefore would write \37777777741
This issue also affects FC4
Discussion:
Fixed since libtiff-3.8.2-6.fc6.
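The sign extension described in the report above, measured without overflowing anything and paired with a bounded replacement. This is an added example, not code from libtiff or from the reports on this page; `vulnerable_escape_len`, `escape_byte` and `pdf_escape` are hypothetical names, and an 8-bit signed char with a 32-bit int is assumed.

```c
#include <stdio.h>
#include <string.h>

/* Bytes (excluding NUL) that sprintf(buffer, "\\%.3o", pdfstr[i]) emits for a
 * signed char; the casts spell out the promotion. Measures only, no write. */
static int vulnerable_escape_len(signed char c)
{
    return snprintf(NULL, 0, "\\%.3o", (unsigned int)(int)c);
}

/* Hardened: unsigned char keeps the value in 0..255 (three octal digits) and
 * snprintf bounds the write. Returns bytes written, or -1 if out is too small. */
static int escape_byte(char c, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "\\%.3o", (unsigned int)(unsigned char)c);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Hypothetical helper (not libtiff's): escape a tag value for a PDF literal
 * string. Returns the output length, or -1 if it does not fit. */
static int pdf_escape(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char b = (unsigned char)in[i];
        if (b == '(' || b == ')' || b == '\\') {
            if (outlen - o < 3) return -1;          /* 2 bytes + NUL */
            out[o++] = '\\'; out[o++] = (char)b;
        } else if (b < 0x20 || b > 0x7e) {          /* covers all UTF-8 bytes >= 0x80 */
            int n = escape_byte(in[i], out + o, outlen - o);
            if (n < 0) return -1;
            o += (size_t)n;
        } else {
            if (outlen - o < 2) return -1;          /* 1 byte + NUL */
            out[o++] = (char)b;
        }
    }
    if (o >= outlen) return -1;
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    const char name[] = "caf\xc3\xa9";              /* constructed UTF-8 sample */
    char out[32];
    printf("unsafe form needs %d+1 bytes\n", vulnerable_escape_len(-31));
    if (pdf_escape(name, sizeof name - 1, out, sizeof out) >= 0) puts(out);
    return 0;
}
```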
Bugzilla
CVE-2006-2193 tiff2pdf buffer overflow
bugzilla·2006-06-07·CVSS 7.5
tiff2pdf buffer overflow
A buffer overflow flaw has been found in tiff2pdf.
Thomas Biege told vendor-sec about this (it came from a colleague of
his)
The code in question is as such:
char buffer[5];
...
sprintf(buffer, "\\%.3o", pdfstr[i]);
pdfstr[i] is signed char, therefore would write \37777777741
This issue also affects FC4
Discussion:
Fixed in FC5 by libtiff-3.8.2-1.fc6.
---
(or better by its equivalent in FC5: libtiff-3.8.2-1.fc5)
Bugzilla
CVE-2006-2193 tiff2pdf buffer overflow
bugzilla·2006-06-07·CVSS 7.5
tiff2pdf buffer overflow
A buffer overflow flaw has been found in tiff2pdf.
Thomas Biege told vendor-sec about this (it came from a colleague of
his)
The code in question is as such:
char buffer[5];
...
sprintf(buffer, "\\%.3o", pdfstr[i]);
pdfstr[i] is signed char, therefore would write \37777777741
Discussion:
Fixed since libtiff-3.8.2-6.fc6
---
libtiff-3.8.2-1.fc5 has been pushed for fc5, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
---
moving to security response product -- should we decide to fix this in a future
update we'll create the appropriate tracking bugs with flags for rhel4.
---
This issue was addressed in:
Red Hat Enterprise Linux:
ht