CERTA-2005-AVI-003

Vulnerability from certfr_avis - Published: 2005-01-04 - Updated: 2005-06-03


Description

Libtiff is a library for processing images in the TIFF (Tag Image File Format) format.

Multiple memory overflow vulnerabilities are present in the libtiff library.

By enticing a user to view a carefully crafted TIFF image, these vulnerabilities can be exploited to execute arbitrary code through an application that uses the vulnerable library.

Solution

Version 3.7.1 of the libtiff library fixes this vulnerability.

Refer to the vendor's security bulletins (see the Documentation section) to obtain the patches.

Libtiff v3.7.0 and earlier versions.


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eLibtiff v3.7.0 et versions ant\u00e9rieures.\u003c/p\u003e",
  "content": "## Description\n\nLibtiff est une biblioth\u00e8que pour le traitement des images au format\nTIFF (Tag Image File Format).\n\nDe multiples vuln\u00e9rabilit\u00e9s de type d\u00e9bordement de m\u00e9moire sont\npr\u00e9sentes dans la biblioth\u00e8que libtiff.\n\nEn incitant un utilisateur \u00e0 visualiser une image au format TIFF\nhabilement constitu\u00e9e, ces vuln\u00e9rabilit\u00e9s peuvent \u00eatre exploit\u00e9es afin\nd\u0027ex\u00e9cuter du code arbitraire via une application utilisant la\nbiblioth\u00e8que vuln\u00e9rable.\n\n## Solution\n\nLa version 3.7.1 de la biblioth\u00e8que libtiff corrige cette vuln\u00e9rabilit\u00e9.\n\nSe r\u00e9f\u00e9rer aux bulletins de s\u00e9curit\u00e9 de l\u0027\u00e9diteur (cf. section\nDocumentation) pour l\u0027obtention des correctifs.\n",
  "cves": [],
  "initial_release_date": "2005-01-04T00:00:00",
  "last_revision_date": "2005-06-03T00:00:00",
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Mandrake MDKSA-2005:052 du 04 mars    2005 :",
      "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:052"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Debian DSA-626 du 06 janvier 2005 :",
      "url": "http://www.debian.org/security/2004/dsa-626"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:019 du 13 janvier    2005 :",
      "url": "http://rhn.redhat.com/errata/RHSA-2005-019.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Debian DSA-617 du 24 d\u00e9cembre 2004 :",
      "url": "http://www.debian.org/security/2004/dsa-617"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Sun #57769 du 27 avril 2005 :",
      "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-26-57769-1"
    },
    {
      "title": "Source de libtiff :",
      "url": "ftp://ftp.remotesensing.org/pub/libtiff/"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 SUSE SuSE-SA:2005:001 du 10 janvier    2005 :",
      "url": "http://www.novell.com/linux/security/advisories/2005_01_libtiff_tiff.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:035 du 15 janvier    2005 :",
      "url": "http://rhn.redhat.com/errata/RHSA-2005-035.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Gentoo GLSA 200501-06 du 05 janvier    2005 :",
      "url": "http://www.gentoo.org/security/en/glsa/glsa-200501-06.xml"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 FreeBSD du 06 janvier 2005 relatifs \u00e0    tiff :",
      "url": "http://www.vuxml/freebsd/"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Mandrake MDKSA-2005:001 du 6 janvier    2005 :",
      "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:001"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 #174 d\u0027iDEFENSE du 21 d\u00e9cembre 2004 :",
      "url": "http://www.idefense.com/application/poi/display?id=174\u0026type=vulnerabilities"
    }
  ],
  "reference": "CERTA-2005-AVI-003",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2005-01-04T00:00:00.000000"
    },
    {
      "description": "ajout r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 Gentoo GLSA 200501-06. Ajout r\u00e9f\u00e9rence CVE 1308.",
      "revision_date": "2005-01-06T00:00:00.000000"
    },
    {
      "description": "ajout r\u00e9f\u00e9rences aux bulletins de s\u00e9curit\u00e9 Mandrake MDKSA-2005:001, Debian DSA-626 et bulletins FreeBSD. Ajout r\u00e9f\u00e9rence CVE 1183.",
      "revision_date": "2005-01-07T00:00:00.000000"
    },
    {
      "description": "ajout r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 SUSE SuSE-SA:2005:001.",
      "revision_date": "2005-01-12T00:00:00.000000"
    },
    {
      "description": "ajout r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:019.",
      "revision_date": "2005-01-14T00:00:00.000000"
    },
    {
      "description": "ajout r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 RedHat RHSA-2005:035.",
      "revision_date": "2005-02-17T00:00:00.000000"
    },
    {
      "description": "ajout r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 Mandrake MDKSA-2005:052.",
      "revision_date": "2005-03-08T00:00:00.000000"
    },
    {
      "description": "ajout r\u00e9f\u00e9rence au bulletin de s\u00e9curit\u00e9 #57769 de Sun.",
      "revision_date": "2005-06-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "D\u00e9ni de service"
    }
  ],
  "summary": null,
  "title": "Multiples vuln\u00e9rabilit\u00e9s de libtiff",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 DSA-617 de Debian",
      "url": null
    }
  ]
}

