National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2009-2285 Detail

Description

Buffer underflow in the LZWDecodeCompat function in libtiff 3.8.2 allows context-dependent attackers to cause a denial of service (crash) via a crafted TIFF image, a different vulnerability than CVE-2008-2327.

Source:  MITRE      Last Modified:  07/01/2009

Quick Info

CVE Dictionary Entry:
CVE-2009-2285
Original release date:
07/01/2009
Last revised:
09/18/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
4.3 MEDIUM
Vector:
(AV:N/AC:M/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore:
2.9
Exploitability Subscore:
8.6
CVSS Version 2 Metrics:
Access Vector:
Network exploitable - Victim must voluntarily interact with attack mechanism
Access Complexity:
Medium
Authentication:
Not required to exploit
Impact Type:
Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://bugzilla.maptools.org/show_bug.cgi?id=2065 Exploit External Source CONFIRM http://bugzilla.maptools.org/show_bug.cgi?id=2065
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html External Source APPLE APPLE-SA-2009-11-09-1
http://lists.apple.com/archives/security-announce/2010//Mar/msg00003.html External Source APPLE APPLE-SA-2010-03-30-2
http://lists.apple.com/archives/security-announce/2010/Feb/msg00000.html External Source APPLE APPLE-SA-2010-02-02-1
http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html External Source APPLE APPLE-SA-2010-01-19-1
http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html External Source APPLE APPLE-SA-2010-03-11-1
http://security.gentoo.org/glsa/glsa-200908-03.xml External Source GENTOO GLSA-200908-03
http://sunsolve.sun.com/search/document.do?assetkey=1-66-267808-1 External Source SUNALERT 267808
http://support.apple.com/kb/HT3937 External Source CONFIRM http://support.apple.com/kb/HT3937
http://support.apple.com/kb/HT4004 External Source CONFIRM http://support.apple.com/kb/HT4004
http://support.apple.com/kb/HT4013 External Source CONFIRM http://support.apple.com/kb/HT4013
http://support.apple.com/kb/HT4070 External Source CONFIRM http://support.apple.com/kb/HT4070
http://support.apple.com/kb/HT4105 External Source CONFIRM http://support.apple.com/kb/HT4105
http://www.debian.org/security/2009/dsa-1835 External Source DEBIAN DSA-1835
http://www.lan.st/showthread.php?t=1856&page=3 Exploit External Source MISC http://www.lan.st/showthread.php?t=1856&page=3
http://www.openwall.com/lists/oss-security/2009/06/22/1 Exploit External Source MLIST [oss-security] 20090621 libtiff buffer underflow in LZWDecodeCompat
http://www.openwall.com/lists/oss-security/2009/06/23/1 External Source MLIST [oss-security] 20090623 Re: libtiff buffer underflow in LZWDecodeCompat
http://www.openwall.com/lists/oss-security/2009/06/29/5 Exploit External Source MLIST [oss-security] 20090629 CVE Request -- libtiff [was: Re: libtiff buffer underflow in LZWDecodeCompat]
http://www.redhat.com/support/errata/RHSA-2009-1159.html External Source REDHAT RHSA-2009:1159
http://www.ubuntulinux.org/support/documentation/usn/usn-797-1 External Source UBUNTU USN-797-1
http://www.vupen.com/english/advisories/2009/1637 External Source VUPEN ADV-2009-1637
http://www.vupen.com/english/advisories/2009/2727 External Source VUPEN ADV-2009-2727
http://www.vupen.com/english/advisories/2009/3184 External Source VUPEN ADV-2009-3184
http://www.vupen.com/english/advisories/2010/0173 External Source VUPEN ADV-2010-0173
https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/380149 Exploit External Source CONFIRM https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/380149
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10145 External Source OVAL oval:org.mitre.oval:def:10145
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7049 External Source OVAL oval:org.mitre.oval:def:7049
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00142.html External Source FEDORA FEDORA-2009-7335
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00161.html External Source FEDORA FEDORA-2009-7358
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00230.html External Source FEDORA FEDORA-2009-7417
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00655.html External Source FEDORA FEDORA-2009-7717
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00714.html External Source FEDORA FEDORA-2009-7763

References to Check Content

Identifier:
oval:org.mitre.oval:def:10145
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10145
Identifier:
oval:org.mitre.oval:def:7049
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:7049

Technical Details

Vulnerability Type (View All)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:libtiff:libtiff:3.8.2:*:*:*:*:*:*:*

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History 2 change records found - show changes