CVE-2009-2347

Name of the Vulnerable Software and Affected Versions libtiff versions 3.8 through 3.8.2 libtiff versions 3.9 libtiff versions 4.0 through 4.0.2

Description The issue involves multiple integer overflows in inter-color spaces conversion tools in libtiff, which can be exploited by context-dependent attackers to execute arbitrary code via a TIFF image with large width and height values. This triggers a heap-based buffer overflow in the cvt whole image function in tiff2rgba and the tiffcvt function in rgb2ycbcr. The exploitation of these vulnerabilities can lead to a violation of confidentiality, integrity, and availability of protected information and can be carried out remotely.

Recommendations For libtiff versions 3.8 through 3.8.2, update to a version later than 3.8.2 to resolve the issue. For libtiff version 3.9, update to a version later than 3.9 to resolve the issue. For libtiff versions 4.0 through 4.0.2, update to a version later than 4.0.2 to resolve the issue. As a temporary workaround, consider disabling the cvt whole image function in tiff2rgba and the tiffcvt function in rgb2ycbcr until a patch is available.