CVE-2012-1173
Published 2012-06-04
Priority: P339 · medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 6.92% (93.3th percentile)
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.0.1-2 (bookworm) | tiff 4.0.1-2 (bookworm) |
| libtiff | libtiff | — | — |
CVSS provenance
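| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 6.8 | MEDIUM | |
| vendor_debian | | 6.8 | MEDIUM | |
| vendor_redhat | | 6.8 | MEDIUM | |
| vendor_ubuntu | | 4.3 | MEDIUM | |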
GHSA
GHSA-vrfr-r2jm-7vm2: Multiple integer overflows in tiff_getimage
ghsa_unreviewed·2022-05-14
CVE-2012-1173 [MEDIUM] GHSA-vrfr-r2jm-7vm2: Multiple integer overflows in tiff_getimage
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
OSV
CVE-2012-1173: Multiple integer overflows in tiff_getimage
osv·2012-06-04·CVSS 6.8
CVE-2012-1173 [MEDIUM] CVE-2012-1173: Multiple integer overflows in tiff_getimage
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
Ubuntu
tiff vulnerabilities
vendor_ubuntu·2012-04-04·CVSS 4.3
CVE-2010-4665 [MEDIUM] tiff vulnerabilities
Title: tiff vulnerabilities
Summary: The TIFF library could be made to crash or run programs as your login if it
opened a specially crafted file.
Alexander Gavrun discovered that the TIFF library incorrectly allocated
space for a tile. If a user or automated system were tricked into opening a
specially crafted TIFF image, a remote attacker could execute arbitrary
code with user privileges, or crash the application, leading to a denial of
service. (CVE-2012-1173)
It was discovered that the tiffdump utility incorrectly handled directory
data structures with many directory entries. If a user or automated system
were tricked into opening a specially crafted TIFF image, a remote attacker
could crash the application, leading to a denial of service, or possibly
execute arbitrary code with user
Red Hat
libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files
vendor_redhat·2012-04-04·CVSS 6.8
CVE-2012-1173 [MEDIUM] CWE-122 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
Package: libtiff (Red Hat Enterprise Linux 4) - Will not fix
Debian
CVE-2012-1173: tiff - Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote atta...
vendor_debian·2012·CVSS 6.8
CVE-2012-1173 [MEDIUM] CVE-2012-1173: tiff - Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote atta...
Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer overflow.
Scope: local
bookworm: resolved (fixed in 4.0.1-2)
bullseye: resolved (fixed in 4.0.1-2)
forky: resolved (fixed in 4.0.1-2)
sid: resolved (fixed in 4.0.1-2)
trixie: resolved (fixed in 4.0.1-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-4168 flash-plugin: cross-domain information leak flaw (APSB12-19)
bugzilla·2012-08-21·CVSS 4.3
CVE-2012-4168 [MEDIUM] CVE-2012-4168 flash-plugin: cross-domain information leak flaw (APSB12-19)
Adobe security bulletin APSB12-19 describes one security flaw that could cause Adobe Flash Player to leak confidential information:
These updates resolve a cross-domain information leak vulnerability (CVE-2012-4168).
External Reference:
http://www.adobe.com/support/security/bulletins/apsb12-19.html
Discussion:
According to the APSB12-19 advisory, these are fixed in 11.2.202.238 which was provided with RHSA-2012:1173 (and upstream APSB12-18). Attempting to confirm this is not a typo or mistake.
---
This issue has been addressed in following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1173 https://rhn.redhat.com/errata/RHSA-2012-1173.html
---
This issue has been addressed in follo
Bugzilla
CVE-2012-4163 CVE-2012-4164 CVE-2012-4165 CVE-2012-4166 CVE-2012-4167 flash-plugin: multiple code execution flaws (APSB12-19)
bugzilla·2012-08-21·CVSS 10.0
CVE-2012-4163 [CRITICAL] CVE-2012-4163 CVE-2012-4164 CVE-2012-4165 CVE-2012-4166 CVE-2012-4167 flash-plugin: multiple code execution flaws (APSB12-19)
Adobe security bulletin APSB12-19 describes several security flaws that could cause Adobe Flash Player to crash and potentially allow an attacker to take control of the affected system:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2012-4163, CVE-2012-4164, CVE-2012-4165, CVE-2012-4166).
These updates resolve an integer overflow vulnerability that could lead to code execution (CVE-2012-4167).
External Reference:
http://www.adobe.com/support/security/bulletins/apsb12-19.html
Discussion:
According to the APSB12-19 advisory, these are fixed in 11.2.202.238 which was provided with RHSA-2012:1173 (and upstream APSB
Bugzilla
CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
bugzilla·2012-04-06·CVSS 6.8
CVE-2012-2113 [MEDIUM] CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
Description of problem:
Version-Release number of selected component (if applicable):
libtiff-3.9.4-5.el6_2
How reproducible:
always
Steps to Reproduce:
1. tiff2pdf poc.tif
(where poc.tif is the file provided for testing CVE-2012-1173)
Actual results:
# tiff2pdf poc.tif
Segmentation fault (core dumped)
Ex
Bugzilla
CVE-2012-1173 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files [fedora-all]
bugzilla·2012-04-05·CVSS 6.8
CVE-2012-1173 [MEDIUM] CVE-2012-1173 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraprojec
Bugzilla
CVE-2012-1173 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files
bugzilla·2012-03-13·CVSS 6.8
CVE-2012-1173 [MEDIUM] CVE-2012-1173 libtiff: Heap-buffer overflow due to TileSize calculation when parsing tiff files
A flaw was found in the way that LibTIFF attempted to allocate space for a tile within a TIFF image file. When calculating the size for a buffer, LibTIFF performs a multiply that can cause an integer overflow. After allocation, LibTIFF will initialize the buffer with the tile data, which can cause code execution under the context of the application using LibTIFF, and with the calling user's permissions.
http://bugzilla.maptools.org/show_bug.cgi?id=2369
Discussion:
http://bugzilla.maptools.org/show_bug.cgi?id=2369
Note: Segfault seen on 32 bit only.
RHEL6 - x86_64
[root@dhcp201-201 ~]# tifftopnm poc.tif
poc.tif: Integer overflow in TIFFVTileSize.
TIFFReadDirectory: poc.tif: cannot handle ze