CVE-2008-2327
Published 2008-08-27
Priority P335 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 4.13% (89.6th percentile)
Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 3.8.2-12 (bookworm) | tiff 3.8.2-12 (bookworm) |
| debian | tiff | < tiff 3.8.2-11 (bookworm) | tiff 3.8.2-11 (bookworm) |
| libtiff | libtiff | <= 3.8.2 | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| libtiff | libtiff | — | — |
| vmware | esxi | — | — |
| vmware | vmware_workstation | — | — |
CVSS provenance
nvd: v2.0, 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
osv: 6.8 MEDIUM
vendor_debian: 6.8 MEDIUM
vendor_redhat: 6.8 MEDIUM
Red Hat
libtiff: LZWDecodeCompat underflow
vendor_redhat·2009-01-03·CVSS 6.8
CVE-2009-2285 [MEDIUM] libtiff: LZWDecodeCompat underflow
Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.
Debian
CVE-2009-2285: tiff - Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context...
vendor_debian·2009·CVSS 6.8
CVE-2009-2285 [MEDIUM] CVE-2009-2285: tiff - Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context...
Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.
Scope: local
bookworm: resolved (fixed in 3.8.2-12)
bullseye: resolved (fixed in 3.8.2-12)
forky: resolved (fixed in 3.8.2-12)
sid: resolved (fixed in 3.8.2-12)
trixie: resolved (fixed in 3.8.2-12)
VMware
Updated ESX packages for libxml2, ucd-snmp, libtiff
vendor_vmware·2008-10-31·CVSS 6.5
CVE-2008-0960 [MEDIUM] Updated ESX packages for libxml2, ucd-snmp, libtiff
VMSA-2008-0017: Updated ESX packages for libxml2, ucd-snmp, libtiff
a. Updated ESX Service Console package libxml2
A denial of service flaw was found in the way libxml2 processes certain content. If an application that is linked against libxml2 processes malformed XML content, the XML content might cause the application to stop responding. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-3281 to this issue.
Additionally the following was also fixed, but was missing in the security advisory. A heap-based buffer overflow flaw was found in the way libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or, possibly, execute arbitrary code.
Ubuntu
tiff vulnerability
vendor_ubuntu·2008-09-02
CVE-2008-2327 tiff vulnerability
Title: tiff vulnerability
Summary: tiff vulnerability
Drew Yao discovered that the TIFF library did not correctly validate LZW
compressed TIFF images. If a user or automated system were tricked into
processing a malicious image, a remote attacker could execute arbitrary
code or cause an application linked against libtiff to crash, leading
to a denial of service.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
libtiff: use of uninitialized memory in LZW decoder
vendor_redhat·2008-08-26·CVSS 6.8
CVE-2008-2327 [MEDIUM] libtiff: use of uninitialized memory in LZW decoder
Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.
Debian
CVE-2008-2327: tiff - Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZ...
vendor_debian·2008·CVSS 6.8
CVE-2008-2327 [MEDIUM] CVE-2008-2327: tiff - Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZ...
Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.
Scope: local
bookworm: resolved (fixed in 3.8.2-11)
bullseye: resolved (fixed in 3.8.2-11)
forky: resolved (fixed in 3.8.2-11)
sid: resolved (fixed in 3.8.2-11)
trixie: resolved (fixed in 3.8.2-11)
GHSA
GHSA-ggpg-hpjr-gqrh: Buffer underflow in the LZWDecodeCompat function in libtiff 3
ghsa_unreviewed·2022-05-02·CVSS 6.8
CVE-2009-2285 [MEDIUM] CWE-119 GHSA-ggpg-hpjr-gqrh: Buffer underflow in the LZWDecodeCompat function in libtiff 3
Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.
GHSA
GHSA-948h-p4jx-fxj7: Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw
ghsa_unreviewed·2022-05-01
CVE-2008-2327 [MEDIUM] CWE-119 GHSA-948h-p4jx-fxj7: Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw
Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.
OSV
CVE-2009-2285: Buffer underflow in the LZWDecodeCompat function in libtiff 3
osv·2009-07-01·CVSS 6.8
CVE-2009-2285 [MEDIUM] CVE-2009-2285: Buffer underflow in the LZWDecodeCompat function in libtiff 3
Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.
OSV
CVE-2008-2327: Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw
osv·2008-08-27·CVSS 6.8
CVE-2008-2327 [MEDIUM] CVE-2008-2327: Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw
Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-2285 libtiff: LZWDecodeCompat underflow
bugzilla·2009-06-22·CVSS 6.8
CVE-2009-2285 [MEDIUM] CVE-2009-2285 libtiff: LZWDecodeCompat underflow
A crafted TIFF can crash libtiff in LZWDecodeCompat via underflow (different
from CVE-2008-2327).
Discussions and an analysis are at:
http://www.lan.st/showthread.php?t=1856&page=3
https://bugs.launchpad.net/bugs/380149
It is reported upstream with patch at
http://bugzilla.maptools.org/show_bug.cgi?id=2065
Discussion:
Note that there are two related bugs with two individual patches, the first reported Jan 2009 that indicates it resolves the root cause of the underflow rather than the infinite loop when it comes up. The older bug report is here:
http://bugzilla.maptools.org/show_bug.cgi?id=1985
with the patch for bug #1985 being: http://bugzilla.maptools.org/attachment.cgi?id=279
vs the patch for bug #2065 being: http://bugzilla.mapt
Bugzilla
CVE-2008-2327 libtiff: use of uninitialized memory in LZW decoder
bugzilla·2008-08-11·CVSS 6.8
CVE-2008-2327 [MEDIUM] CVE-2008-2327 libtiff: use of uninitialized memory in LZW decoder
Drew Yao of Apple Product Security reported a flaw in the LZW decoder used by libtiff to handle LZW-encoded images. The translation table used by the decoding algorithm is not properly re-initialized after a "code clear" code is read from the stream being decoded. When reading that code, the decoder should discard the previous translation table and start filling it again.
Later during the processing, table entries that are no longer valid may be indexed by the input stream, causing libtiff to follow a pointer that is no longer valid. This can result in a crash, memory corruption and possibly allow code execution.
References:
http://www.remotesensing.org/libtiff/
http://en.wikipedia.org/wiki/Lzw
Acknowledgements:
Red Hat would like to thank Drew Yao of the Ap
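The table-reset rule from the Bugzilla description above, as an added sketch in C. It is not libtiff's tif_lzw.c code or its patch. It assumes the codes are already unpacked into 16-bit values, and `lzw_decode_checked`, `struct entry` and every constant other than CODE_CLEAR are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#define CODE_CLEAR 256
#define CODE_EOI   257
#define CODE_FIRST 258
#define TABLE_MAX  4096
struct entry { int16_t prefix; uint8_t first, last; uint16_t len; };

/* Decode already-unpacked LZW codes (bit unpacking omitted; assumption of
 * this sketch). Returns bytes written, or -1 when a code refers to a table
 * entry that has not been defined since the last CODE_CLEAR. */
long lzw_decode_checked(const uint16_t *codes, size_t ncodes,
                        uint8_t *out, size_t outcap)
{
    struct entry tab[TABLE_MAX];
    int free_ent = CODE_FIRST, prev = -1;
    size_t n = 0;
    for (int i = 0; i < 256; i++)
        tab[i] = (struct entry){ -1, (uint8_t)i, (uint8_t)i, 1 };

    for (size_t k = 0; k < ncodes; k++) {
        int code = codes[k];
        if (code == CODE_EOI) break;
        if (code == CODE_CLEAR) {          /* discard every dynamic entry */
            free_ent = CODE_FIRST; prev = -1;
            continue;
        }
        /* The entry created by this step (index free_ent) may be named by
         * the code itself (KwKwK case); anything above that is stale. */
        int adding = prev >= 0 && free_ent < TABLE_MAX;
        if (code >= free_ent + adding) return -1;
        if (adding) {
            struct entry *e = &tab[free_ent];
            e->prefix = (int16_t)prev;
            e->first = tab[prev].first;
            e->last = (code == free_ent) ? tab[prev].first : tab[code].first;
            e->len = (uint16_t)(tab[prev].len + 1);
            free_ent++;
        }
        size_t len = tab[code].len;
        if (len > outcap - n) return -1;   /* bound the output write too */
        for (int c = code, j = (int)len; c >= 0; c = tab[c].prefix)
            out[n + --j] = tab[c].last;    /* walk the prefix chain backwards */
        n += len;
        prev = code;
    }
    return (long)n;
}
```

A stream that defines entry 259, sends CODE_CLEAR, and then names 259 again is rejected here because the check is made against the table as it stands after the reset.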