
MeeGo alert MeeGo-SA-10:34 (libtiff)

From:  "Ware, Ryan R" <ryan.r.ware@intel.com>
To:  "meego-security@meego.com" <meego-security@meego.com>
Subject:  [MeeGo-security] [MeeGo-SA-10:34.libtiff] Invalid ReferenceBlackWhite Values Allows DoS
Date:  Thu, 20 Jan 2011 11:30:08 -0700
Message-ID:  <680CFAB4-4454-44FD-A45B-2EEF2519F731@intel.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
MeeGo-SA-10:34.libtiff                                    Security Advisory
                                                              MeeGo Project

Topic:          Invalid ReferenceBlackWhite Values Allows DoS

Category:       Graphics
Module:         libtiff
Announced:      October 9, 2010
Affects:        MeeGo 1.0
Corrected:      October 9, 2010
MeeGo BID:      6500
CVE:            CVE-2010-2595

For general information regarding MeeGo Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://www.MeeGo.com/>.

I.   Background

The libtiff package contains a library of functions for manipulating TIFF
(Tagged Image File Format) image files. TIFF is a widely used file format
for bitmapped images. TIFF files usually end in the .tif extension and
are often quite large.

II.  Problem Description

CVE-2010-2595: The TIFFYCbCrtoRGB function in LibTIFF 3.9.0 and 3.9.2, as
used in ImageMagick, does not properly handle invalid ReferenceBlackWhite
values, which allows remote attackers to cause a denial of service
(application crash) via a crafted TIFF image that triggers an array index
error, related to "downsampled OJPEG input."

CVSS v2 Base:   4.3 (MEDIUM)
Access Vector:  Network exploitable; victim must voluntarily interact with
                attack mechanism

III. Impact

CVE-2010-2595: Disruption of service due to input validation error (CWE-20)

IV.  Workaround

None

V.   Solution

Update to package libtiff-3.9.4-20.1 or later.

VI.  References

http://bugs.meego.com/show_bug.cgi?id=6500
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://cwe.mitre.org/data/definitions/20.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (Darwin)

iQEcBAEBAgAGBQJNN6kxAAoJEEsJm1wYvCMbSmoIAMM9aet4YsE7YAeqjwh1Jy4l
/SEdi/clkHIgxF/qq+aZsf6PO4d2Kp17EQIWvtv7Vnq3tLvkBLzjjjSKv8VVFHVY
7nfYhVB0cw+4lmnhyuWJQRQk7rjBW9S+Fq5U3pOmUb5lL4WQ6o9Kl6F/Rom/jvyV
RZ6BBGGXmnEWPE+iiX1DYAtzxlpkaPY0GOE9uFDWkaJ+WHIvLQf8ucqhCjvPfy5z
BChu6luJN7g1Mo6JMH1e97OZ5LxHf4g/5uqjBJbDb+VrcFhN1iRlgSgK5Q6OrenJ
Up3nvKC66+Nmn6a8ul+HMdVzT5hK+Ggp7pRknvK0syW+rqCYgJQXioUEOgw+O0o=
=CGoB
-----END PGP SIGNATURE-----
_______________________________________________
MeeGo-security mailing list
MeeGo-security@meego.com
http://lists.meego.com/listinfo/meego-security
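The problem description above says only that a crafted ReferenceBlackWhite tag leads to an "array index error" in TIFFYCbCrtoRGB. The following C program is an added illustrative model, not libtiff's own code, of how that tag enters YCbCr to RGB decoding and why trusting it is dangerous: the tag supplies the black and white code points for Y, Cb and Cr, the decoder divides by (white - black), and a converter that uses the resulting intermediate value as an index into a fixed-size clamp table reads outside it when the tag's range is tiny or zero. The hardened variant validates the tag once and clamps arithmetically. The clamp-table window (-256..767), the luma weights (TIFF 6.0 defaults) and the three sample tags are assumptions constructed for the demo, not values taken from the advisory or from libtiff.

```c
/* Added illustrative model of ReferenceBlackWhite-driven YCbCr -> RGB
 * decoding. Not libtiff's TIFFYCbCrtoRGB; table window, luma weights and
 * sample tags are assumptions chosen to show the failure mode. */
#include <stdint.h>
#include <stdio.h>

/* ReferenceBlackWhite: (black, white) code pairs for Y, Cb, Cr.
 * TIFF 6.0 default for 8-bit YCbCr is {0,255, 128,255, 128,255}. */
typedef struct { double v[6]; } RefBlackWhite;

/* TIFF 6.0 default YCbCrCoefficients (LumaRed, LumaGreen, LumaBlue). */
static const double LUMA_R = 0.299, LUMA_G = 0.587, LUMA_B = 0.114;

/* Assumed clamp-table window: indices -TAB_LO .. TAB_HI-1 exist, nothing
 * else, so an intermediate outside it would be an out-of-bounds read. */
#define TAB_LO 256
#define TAB_HI 768

/* Constructed sample tags (not from the advisory). */
static const RefBlackWhite REFBW_DEFAULT    = {{0, 255, 128, 255, 128, 255}};
static const RefBlackWhite REFBW_CRAFTED    = {{0, 255, 128, 129, 128, 129}}; /* 1-code chroma range */
static const RefBlackWhite REFBW_DEGENERATE = {{0, 255, 128, 128, 128, 128}}; /* white == black */

/* TIFF 6.0 decoding formula: value = (code - black) * range / (white - black). */
static double code2v(int code, double black, double white, double range)
{
    return ((double)code - black) * range / (white - black);
}

/* Real-valued R, G, B a table-driven converter would use as indices. */
static void intermediates(const RefBlackWhite *rbw, int y, int cb, int cr,
                          double out[3])
{
    double Y  = code2v(y,  rbw->v[0], rbw->v[1], 255.0);
    double Cb = code2v(cb, rbw->v[2], rbw->v[3], 127.0);
    double Cr = code2v(cr, rbw->v[4], rbw->v[5], 127.0);
    /* Inverse of the TIFF YCbCr definition for the given luma weights. */
    double r = Y + Cr * (2.0 - 2.0 * LUMA_R);
    double b = Y + Cb * (2.0 - 2.0 * LUMA_B);
    double g = (Y - LUMA_R * r - LUMA_B * b) / LUMA_G;
    out[0] = r; out[1] = g; out[2] = b;
}

/* Unsafe pattern: trust the tag, index the table with each intermediate.
 * Returns 1 if all three indices stay inside the window, 0 where real code
 * would read out of bounds (the model checks instead of reading).
 * Only meaningful for tags with a non-zero range. */
int table_path_in_bounds(const RefBlackWhite *rbw, int y, int cb, int cr)
{
    double s[3];
    intermediates(rbw, y, cb, cr, s);
    for (int i = 0; i < 3; i++)
        if (!(s[i] >= -TAB_LO && s[i] < TAB_HI))   /* NaN fails this too */
            return 0;
    return 1;
}

/* finite check without libm: NaN != NaN, and inf - inf is NaN. */
static int finite_d(double x) { return x == x && x - x == 0.0; }

/* Hardened: accept the tag only if every value is finite and each white
 * point lies strictly above its black point (divisor > 0). */
int refbw_valid(const RefBlackWhite *rbw)
{
    for (int i = 0; i < 6; i += 2) {
        double black = rbw->v[i], white = rbw->v[i + 1];
        if (!finite_d(black) || !finite_d(white) || white <= black)
            return 0;
    }
    return 1;
}

/* Arithmetic clamp to 0..255; NaN maps to 0 because the comparison fails. */
static uint8_t clamp255(double x)
{
    if (!(x > 0.0)) return 0;
    if (x > 255.0)  return 255;
    return (uint8_t)(x + 0.5);
}

/* Hardened conversion: validate once, clamp arithmetically, never index a
 * table with an attacker-influenced value. 0 on success, -1 if rejected. */
int ycbcr_to_rgb(const RefBlackWhite *rbw, int y, int cb, int cr, uint8_t rgb[3])
{
    double s[3];
    if (!refbw_valid(rbw))
        return -1;
    intermediates(rbw, y, cb, cr, s);
    for (int i = 0; i < 3; i++)
        rgb[i] = clamp255(s[i]);
    return 0;
}

/* One component (0=R, 1=G, 2=B) of the hardened result, or -1 if rejected. */
int hardened_component(const RefBlackWhite *rbw, int y, int cb, int cr, int which)
{
    uint8_t rgb[3];
    if (which < 0 || which > 2 || ycbcr_to_rgb(rbw, y, cb, cr, rgb) != 0)
        return -1;
    return rgb[which];
}

int main(void)
{
    uint8_t rgb[3];
    printf("default tag, pixel (128,128,128): index in bounds = %d\n",
           table_path_in_bounds(&REFBW_DEFAULT, 128, 128, 128));
    printf("crafted tag, pixel (128,255,255): index in bounds = %d\n",
           table_path_in_bounds(&REFBW_CRAFTED, 128, 255, 255));
    if (ycbcr_to_rgb(&REFBW_CRAFTED, 128, 255, 255, rgb) == 0)
        printf("hardened, crafted tag: rgb = (%u,%u,%u)\n", rgb[0], rgb[1], rgb[2]);
    printf("hardened, degenerate tag rejected = %d\n",
           ycbcr_to_rgb(&REFBW_DEGENERATE, 128, 128, 128, rgb) == -1);
    return 0;
}
```

With the crafted tag the chroma range is a single code, so a chroma code of 255 decodes to 16129 and the red intermediate lands near 22740, far outside any table sized for 0..255 plus some slack; that is the shape of bug the advisory's "array index error" describes, independent of the exact table layout. The degenerate tag (white == black) would divide by zero, so the hardened path refuses the tag before any arithmetic; a decoder that cannot reject a tag should at least clamp the way clamp255 does rather than trust the intermediate as an index.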




Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds