Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Производитель ПО
Наименование ПО
libtiff
(Unknown)
Описание
Переполнение буфера в функциях LZWDecode, LZWDecodeCompat и LZWDecodeVector в tif_lzw.c в декодере LZW в LibTIFF позволяет злоумышленникам выполнить произвольный код, используя специально сформированный TIFF-файл. Данная уязвимость связана с некорректной обработкой кода CODE_CLEAR.
Как исправить
Для устранения уязвимости необходимо установить последнюю версию продукта, соответствующую используемой платформе. Необходимую информацию можно получить по адресу:
http://www.libtiff.org/
http://www.libtiff.org/
Ссылки
CERT (TA08-260A): http://www.us-cert.gov/cas/techalerts/TA08-260A.html
DEBIAN (DSA-1632): http://www.debian.org/security/2008/dsa-1632
FEDORA (FEDORA-2008-7388): https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00121.html
FEDORA (FEDORA-2008-7370): https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00102.html
CONFIRM (https://bugzilla.redhat.com/show_bug.cgi?id=458674): https://bugzilla.redhat.com/show_bug.cgi?id=458674
VUPEN (ADV-2009-2143): http://www.vupen.com/english/advisories/2009/2143
MISC (http://www.vmware.com/security/advisories/VMSA-2008-0017.html): http://www.vmware.com/security/advisories/VMSA-2008-0017.html
UBUNTU (USN-639-1): http://www.ubuntu.com/usn/usn-639-1
SECTRACK (1020750): http://www.securitytracker.com/id?1020750
BID (30832): http://www.securityfocus.com/bid/30832
BUGTRAQ (20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff): http://www.securityfocus.com/archive/1/archive/1/497962/100/0/threaded
BUGTRAQ (20080905 rPSA-2008-0268-1 libtiff): http://www.securityfocus.com/archive/1/archive/1/496033/100/0/threaded
REDHAT (RHSA-2008:0863): http://www.redhat.com/support/errata/RHSA-2008-0863.html
REDHAT (RHSA-2008:0848): http://www.redhat.com/support/errata/RHSA-2008-0848.html
REDHAT (RHSA-2008:0847): http://www.redhat.com/support/errata/RHSA-2008-0847.html
MANDRIVA (MDVSA-2008:184): http://www.mandriva.com/security/advisories?name=MDVSA-2008:184
VUPEN (ADV-2008-3232): http://www.frsirt.com/english/advisories/2008/3232
VUPEN (ADV-2008-3107): http://www.frsirt.com/english/advisories/2008/3107
VUPEN (ADV-2008-2971): http://www.frsirt.com/english/advisories/2008/2971
VUPEN (ADV-2008-2776): http://www.frsirt.com/english/advisories/2008/2776
VUPEN (ADV-2008-2584): http://www.frsirt.com/english/advisories/2008/2584
VUPEN (ADV-2008-2438): http://www.frsirt.com/english/advisories/2008/2438
CONFIRM (http://support.apple.com/kb/HT3318): http://support.apple.com/kb/HT3318
CONFIRM (http://support.apple.com/kb/HT3298): http://support.apple.com/kb/HT3298
CONFIRM (http://support.apple.com/kb/HT3276): http://support.apple.com/kb/HT3276
SUNALERT (265030): http://sunsolve.sun.com/search/document.do?assetkey=1-26-265030-1
GENTOO (GLSA-200809-07): http://security.gentoo.org/glsa/glsa-200809-07.xml
CONFIRM (http://security-tracker.debian.net/tracker/DTSA-160-1): http://security-tracker.debian.net/tracker/DTSA-160-1
CONFIRM (http://security-tracker.debian.net/tracker/DSA-1632-1): http://security-tracker.debian.net/tracker/DSA-1632-1
CONFIRM (http://security-tracker.debian.net/tracker/CVE-2008-2327): http://security-tracker.debian.net/tracker/CVE-2008-2327
SUSE (SUSE-SR:2008:018): http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
APPLE (APPLE-SA-2008-11-20): http://lists.apple.com/archives/security-announce/2008/Nov/msg00002.html
APPLE (APPLE-SA-2008-09-15): http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html
APPLE (APPLE-SA-2008-11-13): http://lists.apple.com/archives/security-announce//2008/Nov/msg00001.html
CONFIRM (http://bugs.gentoo.org/show_bug.cgi?id=234080): http://bugs.gentoo.org/show_bug.cgi?id=234080
DEBIAN (DSA-1632): http://www.debian.org/security/2008/dsa-1632
FEDORA (FEDORA-2008-7388): https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00121.html
FEDORA (FEDORA-2008-7370): https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00102.html
CONFIRM (https://bugzilla.redhat.com/show_bug.cgi?id=458674): https://bugzilla.redhat.com/show_bug.cgi?id=458674
VUPEN (ADV-2009-2143): http://www.vupen.com/english/advisories/2009/2143
MISC (http://www.vmware.com/security/advisories/VMSA-2008-0017.html): http://www.vmware.com/security/advisories/VMSA-2008-0017.html
UBUNTU (USN-639-1): http://www.ubuntu.com/usn/usn-639-1
SECTRACK (1020750): http://www.securitytracker.com/id?1020750
BID (30832): http://www.securityfocus.com/bid/30832
BUGTRAQ (20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff): http://www.securityfocus.com/archive/1/archive/1/497962/100/0/threaded
BUGTRAQ (20080905 rPSA-2008-0268-1 libtiff): http://www.securityfocus.com/archive/1/archive/1/496033/100/0/threaded
REDHAT (RHSA-2008:0863): http://www.redhat.com/support/errata/RHSA-2008-0863.html
REDHAT (RHSA-2008:0848): http://www.redhat.com/support/errata/RHSA-2008-0848.html
REDHAT (RHSA-2008:0847): http://www.redhat.com/support/errata/RHSA-2008-0847.html
MANDRIVA (MDVSA-2008:184): http://www.mandriva.com/security/advisories?name=MDVSA-2008:184
VUPEN (ADV-2008-3232): http://www.frsirt.com/english/advisories/2008/3232
VUPEN (ADV-2008-3107): http://www.frsirt.com/english/advisories/2008/3107
VUPEN (ADV-2008-2971): http://www.frsirt.com/english/advisories/2008/2971
VUPEN (ADV-2008-2776): http://www.frsirt.com/english/advisories/2008/2776
VUPEN (ADV-2008-2584): http://www.frsirt.com/english/advisories/2008/2584
VUPEN (ADV-2008-2438): http://www.frsirt.com/english/advisories/2008/2438
CONFIRM (http://support.apple.com/kb/HT3318): http://support.apple.com/kb/HT3318
CONFIRM (http://support.apple.com/kb/HT3298): http://support.apple.com/kb/HT3298
CONFIRM (http://support.apple.com/kb/HT3276): http://support.apple.com/kb/HT3276
SUNALERT (265030): http://sunsolve.sun.com/search/document.do?assetkey=1-26-265030-1
GENTOO (GLSA-200809-07): http://security.gentoo.org/glsa/glsa-200809-07.xml
CONFIRM (http://security-tracker.debian.net/tracker/DTSA-160-1): http://security-tracker.debian.net/tracker/DTSA-160-1
CONFIRM (http://security-tracker.debian.net/tracker/DSA-1632-1): http://security-tracker.debian.net/tracker/DSA-1632-1
CONFIRM (http://security-tracker.debian.net/tracker/CVE-2008-2327): http://security-tracker.debian.net/tracker/CVE-2008-2327
SUSE (SUSE-SR:2008:018): http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
APPLE (APPLE-SA-2008-11-20): http://lists.apple.com/archives/security-announce/2008/Nov/msg00002.html
APPLE (APPLE-SA-2008-09-15): http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html
APPLE (APPLE-SA-2008-11-13): http://lists.apple.com/archives/security-announce//2008/Nov/msg00001.html
CONFIRM (http://bugs.gentoo.org/show_bug.cgi?id=234080): http://bugs.gentoo.org/show_bug.cgi?id=234080