CVE-2012-2088
Published 2012-07-22
CVE-2012-2088: Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service…
Priority: P3 · 41 · high · 7.5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 6.46% (92.9th percentile)
Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.0-1 (bookworm) | tiff 4.0-1 (bookworm) |
| libtiff | libtiff | <= 3.9.4 | — |
| libtiff | libtiff | — | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_debian · 7.5 HIGH
vendor_redhat · 7.5 HIGH
vendor_ubuntu · 7.5 HIGH
Ubuntu
tiff vulnerabilities
vendor_ubuntu·2012-07-05·CVSS 7.5
CVE-2012-2088 [HIGH] tiff vulnerabilities
Title: tiff vulnerabilities
Summary: The TIFF library could be made to crash or run programs as your login if it
opened a specially crafted file.
It was discovered that the TIFF library incorrectly handled certain
malformed TIFF images. If a user or automated system were tricked into
opening a specially crafted TIFF image, a remote attacker could crash the
application, leading to a denial of service, or possibly execute arbitrary
code with user privileges. (CVE-2012-2088)
It was discovered that the tiff2pdf utility incorrectly handled certain
malformed TIFF images. If a user or automated system were tricked into
opening a specially crafted TIFF image, a remote attacker could crash the
application, leading to a denial of service, or possibly execute arbitrary
code with user privileges. (
Red Hat
libtiff: Type conversion flaw leading to heap-buffer overflow
vendor_redhat·2012-06-15·CVSS 7.5
CVE-2012-2088 [HIGH] CWE-122 libtiff: Type conversion flaw leading to heap-buffer overflow
Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
Debian
CVE-2012-2088: tiff - Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in l...
vendor_debian·2012·CVSS 7.5
CVE-2012-2088 [HIGH] CVE-2012-2088: tiff - Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in l...
Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
Scope: local
bookworm: resolved (fixed in 4.0-1)
bullseye: resolved (fixed in 4.0-1)
forky: resolved (fixed in 4.0-1)
sid: resolved (fixed in 4.0-1)
trixie: resolved (fixed in 4.0-1)
GHSA
GHSA-2p93-pprm-392q: Integer signedness error in the TIFFReadDirectory function in tif_dirread
ghsa_unreviewed·2022-05-14
CVE-2012-2088 [HIGH] GHSA-2p93-pprm-392q: Integer signedness error in the TIFFReadDirectory function in tif_dirread
Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
OSV
CVE-2012-2088: Integer signedness error in the TIFFReadDirectory function in tif_dirread
osv·2012-07-22·CVSS 7.5
CVE-2012-2088 [HIGH] CVE-2012-2088: Integer signedness error in the TIFFReadDirectory function in tif_dirread
Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-2113 CVE-2012-2088 libtiff various flaws [fedora-all]
bugzilla·2012-06-18·CVSS 7.5
CVE-2012-2113 [HIGH] CVE-2012-2113 CVE-2012-2088 libtiff various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=810551
Bugzilla
CVE-2012-2088 libtiff: Type conversion flaw leading to heap-buffer overflow
bugzilla·2012-06-18·CVSS 7.5
CVE-2012-2088 [HIGH] CVE-2012-2088 libtiff: Type conversion flaw leading to heap-buffer overflow
A type-conversion flaw leading to a heap-based buffer overflow was found in the way libtiff reads certain tiled tiff files. An attacker could create a specially-crafted TIFF image that, when opened, could cause an application using libtiff to crash or, possibly, execute arbitrary code with the privileges of the user running the application.
This issue affects only version 3.x, but is fixed in upstream 4.x.
This bug has been split from: bug 810551
Discussion:
Created libtiff tracking bugs for this issue
Affects: fedora-all [bug 832866]
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2012:1054 https://rhn.redhat.com/errata/RHSA-2012
Bugzilla
CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
bugzilla·2012-04-06·CVSS 6.8
CVE-2012-2113 [MEDIUM] CVE-2012-2113 libtiff: integer overflow in tiff2pdf leading to heap-buffer overflow when reading a tiled tiff file
Description of problem:
Version-Release number of selected component (if applicable):
libtiff-3.9.4-5.el6_2
How reproducible:
always
Steps to Reproduce:
1. tiff2pdf poc.tif
(where poc.tif is the file provided for testing CVE-2012-1173)
Actual results:
# tiff2pdf poc.tif
Segmentation fault (core dumped)
Ex
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00010.html
http://rhn.redhat.com/errata/RHSA-2012-1054.html
http://secunia.com/advisories/49686
http://secunia.com/advisories/50726
http://security.gentoo.org/glsa/glsa-201209-02.xml
http://support.apple.com/kb/HT6162
http://support.apple.com/kb/HT6163
http://www.mandriva.com/security/advisories?name=MDVSA-2012:101
http://www.securityfocus.com/bid/54270
https://bugzilla.redhat.com/show_bug.cgi?id=832864
https://hermes.opensuse.org/messages/15083566
Published: 2012-07-22