LibTIFF contains an overflow condition in the 'TIFFFetchShortPair' function [tif_dirread.c] that is triggered when parsing 'DotRange', 'YCbCrSubsampling', 'HalftoneHints', or 'PageNumber' tags. With a specially crafted TIFF image file, a context-dependent attacker can cause a stack-based buffer overflow, allowing execution of arbitrary code.

Upgrade to version 3.8.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

It has been reported that this issue has been fixed in Adobe Reader / Acrobat (2010/02/16). Upgrade to version 8.2.1 and 9.3.1, or higher, to address this vulnerability.

• Security Tracker: 1023601
• Exploit Database: 11787 21868 21869
• CVE ID: 2006-3459 (see also: NVD) 2010-0188 (see also: NVD)
• Secunia Advisory ID: 21253 21274 21290 21304 21319 21334 21338 21370 21392 21501 21537 21598 21632 21672 22036 27832 38915 41325
• Metasploit ID: 27723 62526
• Related OSVDB ID: 27724 27725 27726 27727 27728 27729 62526
• Bugtraq ID: 38195
• VUPEN Advisory: ADV-2010-0399 [ Link is 404 ]
• Vendor Specific Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P.asc ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc http://docs.info.apple.com/article.html?artnum=304063
  http://support.avaya.com/elmodocs2/security/ASA-2006-166.htm
  http://www.adobe.com/support/security/bulletins/apsb10-07.html
  http://www.gentoo.org/security/en/glsa/glsa-200608-07.xml
  http://www.gentoo.org/security/en/glsa/glsa-201009-05.xml
• Generic Exploit URL: http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html
  http://www.saintcorporation.com/cgi-bin/exploit_info/adobe_reader_libtiff_tifffetchshortpair
• Other Advisory URL: http://contagiodump.blogspot.com/2010/04/apr-18-cve-2010-0188-pdf-china-bank.html
  http://lists.suse.com/archive/suse-security-announce/2006-Aug/0001.html
  http://noobz.eu/content/home.html#280806
  http://secunia.com/blog/76
  http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.536600
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-103099-1
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-103160-1
  http://telussecuritylabs.com/threats/show/TSL20100217-05
  http://telussecuritylabs.com/threats/show/TSL20100217-05
  http://www.mandriva.com/security/advisories?name=MDKSA-2006:137
  http://www.ubuntu.com/usn/usn-330-1
  http://www.us.debian.org/security/2006/dsa-1137
  http://www.virustotal.com/file-scan/report.html?id=1471f2c34d40083b574c0fa0930cba9311aa532bf7207c009b0361b7b6db8bb7-1274275625
  http://www.virustotal.com/file-scan/report.html?id=2a0aa0de5b9f88f0cf46d49827ded597848bab76fe9a52b9c48007f45d9c0610-1292991048
  https://issues.rpath.com/browse/RPL-558
• Mail List Post: http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
  http://seclists.org/bugtraq/2010/Mar/127
• Generic Informational URL: http://telussecuritylabs.com/threats/show/TSL20110927-04
  http://telussecuritylabs.com/threats/show/TSL20121130-02
• Vendor Specific News/Changelog Entry: https://bugs.gentoo.org/show_bug.cgi?id=142383
• RedHat RHSA: RHSA-2006:0603 RHSA-2006:0648 RHSA-2010:0114

• Tavis Ormandy - Google Security Team