Vulnerability CVE-2004-1307 - CERT Civis.Net

Vulnerability Name:

CVE-2004-1307 (CCN-18639)

Assigned:

2004-12-21

Published:

2004-12-21

Updated:

2018-10-30

Summary:

Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2004-1307

Source: APPLE
Type: Patch, Vendor Advisory
APPLE-SA-2005-05-03

Source: CCN
Type: RHSA-2004-577
libtiff security update

Source: CCN
Type: RHSA-2005-021
kdegraphics security update

Source: SUNALERT
Type: UNKNOWN
101677

Source: CCN
Type: Sun Alert ID: 201072
Multiple Security Vulnerabilities in libtiff(3)

Source: SUNALERT
Type: UNKNOWN
201072

Source: CCN
Type: iDEFENSE Security Advisory 12.21.04
libtiff STRIPOFFSETS Integer Overflow Vulnerability

Source: IDEFENSE
Type: Patch, Vendor Advisory
20041221 libtiff STRIPOFFSETS Integer Overflow Vulnerability

Source: CCN
Type: US-CERT VU#539110
LibTIFF vulnerable to integer overflow in the TIFFFetchStrip() routine

Source: CERT-VN
Type: Patch, Third Party Advisory, US Government Resource
VU#539110

Source: CCN
Type: LibTIFF Web site
LibTIFF - TIFF Library and Utilities

Source: CERT
Type: US Government Resource
TA05-136A

Source: XF
Type: UNKNOWN
libtiff-stripoffsets-bo(18639)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11175

Vulnerable Configuration:

Configuration 1:

cpe:/a:avaya:call_management_system_server:8.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:call_management_system_server:9.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:call_management_system_server:11.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:call_management_system_server:12.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:call_management_system_server:13.0:*:*:*:*:*:*:*

OR cpe:/a:avaya:cvlan:*:*:*:*:*:*:*:*

OR cpe:/a:avaya:integrated_management:*:*:*:*:*:*:*:*

OR cpe:/a:avaya:interactive_response:*:*:*:*:*:*:*:*

OR cpe:/a:avaya:interactive_response:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:avaya:interactive_response:1.3:*:*:*:*:*:*:*

OR cpe:/a:avaya:intuity_audix_lx:*:*:*:*:*:*:*:*

OR cpe:/a:f5:icontrol_service_manager:1.3:*:*:*:*:*:*:*

OR cpe:/a:f5:icontrol_service_manager:1.3.4:*:*:*:*:*:*:*

OR cpe:/a:f5:icontrol_service_manager:1.3.5:*:*:*:*:*:*:*

OR cpe:/a:f5:icontrol_service_manager:1.3.6:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.4:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.5.1:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.5.2:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.5.3:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.5.4:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.5.5:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.5.7:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.6.0:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.6.1:*:*:*:*:*:*:*

OR cpe:/a:libtiff:libtiff:3.7.0:*:*:*:*:*:*:*

OR cpe:/a:sgi:propack:3.0:*:*:*:*:*:*:*

OR cpe:/o:conectiva:linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:conectiva:linux:10.0:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:avaya:mn100:*:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.1:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.2:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.3:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.4:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.5:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.6:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.7:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.8:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.3.9:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.1:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.2:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.3:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.4:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.5:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.6:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.7:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.8:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.3.9:*:*:*:*:*:*:*

OR cpe:/o:avaya:modular_messaging_message_storage_server:1.1:*:*:*:*:*:*:*

OR cpe:/o:avaya:modular_messaging_message_storage_server:2.0:*:*:*:*:*:*:*

OR cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:10.0:*:amd64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:10.1:*:x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:x86_64:*:*:*:*:*

OR cpe:/o:sco:unixware:7.1.4:*:*:*:*:*:*:*

OR cpe:/o:sun:solaris:7.0:*:x86:*:*:*:*:*

OR cpe:/o:sun:solaris:8.0:*:x86:*:*:*:*:*

OR cpe:/o:sun:solaris:9.0:*:sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:9.0:*:x86:*:*:*:*:*

OR cpe:/o:sun:solaris:9.0:x86_update_2:*:*:*:*:*:*

OR cpe:/o:sun:solaris:10.0:*:sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:10.0:*:x86:*:*:*:*:*

OR cpe:/o:sun:sunos:5.7:*:*:*:*:*:*:*

OR cpe:/o:sun:sunos:5.8:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:*:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:sun:solaris:7.0::x86:*:*:*:*:*

OR cpe:/o:sun:solaris:7.0::sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:8::x86:*:*:*:*:*

OR cpe:/o:sun:solaris:8::sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:9::x86:*:*:*:*:*

OR cpe:/o:sun:solaris:10::sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*

OR cpe:/o:sun:solaris:9::sparc:*:*:*:*:*

AND

cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*

OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:11175	V	Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.	2013-04-29
oval:com.redhat.rhsa:def:20050021	P	RHSA-2005:021: kdegraphics security update (Moderate)	2005-04-14
oval:com.redhat.rhsa:def:20040577	P	RHSA-2004:577: libtiff security update (Important)	2004-10-22