[Full-disclosure] [PLSA 2008-31] Tiff: Denial of Service

From: PÄ±nar YanardaÄŸ <pinar_at_nospam>
Date: Wed Aug 27 2008 - 05:26:36 GMT
To: pardus-security@pardus.org.tr

Pardus Linux Security Advisory 2008-31 security@pardus.org.tr

Date: 2008-08-27 Severity: 3 Type: Remote ------------------------------------------------------------------------

Summary

A vulnerability has been reported in LibTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a user's system.

Description

The vulnerability is caused due to errors within the "LZWDecode()" and "LZWDecodeCompat()" functions in libtiff/tif_lzw.c. These can be exploited to cause a buffer underflow via a specially crafted TIFF file.

Affected packages:

   Pardus 2008:
     tiff, all before 3.8.2-9-3
   Pardus 2007:
     tiff, all before 3.8.2-8-7

Resolution

There are update(s) for tiff. You can update them via Package Manager or with a single command from console:

Pardus 2008:
pisi up tiff

Pardus 2007:
pisi up tiff

References

-- PÄ±nar YanardaÄŸ Pardus Security Team http://security.pardus.org.tr _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: James Matthews: "Re: [Full-disclosure] [IVIZ-08-001] Microsoft Bitlocker Plain Text Password Disclosure"
Previous message: M. Shirk: "Re: [Full-disclosure] DIE IN A FIRE post"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]