CVE-2010-2595
Description
LibTIFF 3.9.0/3.9.2 crashes on crafted TIFF images due to an array index error in TIFFYCbCrtoRGB with invalid ReferenceBlackWhite values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The TIFFYCbCrtoRGB function in LibTIFF versions 3.9.0 and 3.9.2 fails to properly validate ReferenceBlackWhite tag values when processing downsampled OJPEG input. This leads to an array index error, as reported in [1], [4]. The issue is triggered through applications like ImageMagick (version 6.5.4.7-3.fc12 tested [1]) when processing a specially crafted TIFF image.
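A triage sketch for the tags named above, added here as an example; it is not LibTIFF code and not the upstream fix. It reads the first IFD of a TIFF and reports downsampled OJPEG together with ReferenceBlackWhite values that are implausible for 8-bit samples. The function names, the 0..255 plausibility bound and the sample file are assumptions of this example.

```python
import struct

# TIFF 6.0 tag numbers and values
COMPRESSION, YCBCR_SUBSAMPLING, REFERENCE_BLACK_WHITE = 259, 530, 532
OJPEG = 6
FMT = {1: "B", 2: "B", 3: "H", 4: "I", 5: "II"}  # BYTE, ASCII, SHORT, LONG, RATIONAL

def read_first_ifd(data):
    """Return {tag: values} for the first IFD of a classic TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF")
    e = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a classic TIFF")
    (n,) = struct.unpack_from(e + "H", data, ifd_off)
    tags = {}
    for entry in range(ifd_off + 2, ifd_off + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack_from(e + "HHI", data, entry)
        if typ not in FMT:
            continue  # field types this triage does not need
        size = struct.calcsize(e + FMT[typ]) * count
        # values wider than 4 bytes are stored at the offset held in the entry
        pos = entry + 8 if size <= 4 else struct.unpack_from(e + "I", data, entry + 8)[0]
        if pos + size > len(data):
            raise ValueError("tag data points outside the file")
        vals = struct.unpack_from(e + FMT[typ] * count, data, pos)
        tags[tag] = list(zip(vals[0::2], vals[1::2])) if typ == 5 else list(vals)
    return tags

def triage(data, max_code=255):
    """Reasons to look closer at this file (assumed heuristics, 8-bit samples)."""
    tags = read_first_ifd(data)
    findings = []
    sub = tags.get(YCBCR_SUBSAMPLING, [2, 2])  # TIFF 6.0 default is 2,2
    if tags.get(COMPRESSION) == [OJPEG] and sub != [1, 1]:
        findings.append("downsampled OJPEG")
    for num, den in tags.get(REFERENCE_BLACK_WHITE, []):
        if den == 0 or num / den > max_code:
            findings.append(f"ReferenceBlackWhite {num}/{den} outside 0..{max_code}")
    return findings

def build_sample(rbw):
    """Constructed input: minimal little-endian TIFF, one IFD, no image data."""
    ifd = struct.pack("<HHHIHHHHIHH", 3, COMPRESSION, 3, 1, OJPEG, 0, YCBCR_SUBSAMPLING, 3, 2, 2, 2)
    ifd += struct.pack("<HHIII", REFERENCE_BLACK_WHITE, 5, len(rbw), 8 + len(ifd) + 16, 0)
    body = b"".join(struct.pack("<II", n, d) for n, d in rbw)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + body
```

A finding marks a file for closer inspection on a patched system; it does not replace the library update.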
Exploitation
An attacker can exploit this vulnerability by providing a malicious TIFF image with invalid ReferenceBlackWhite values and downsampled OJPEG compression. Minimal user interaction is required, such as opening the image in an application linked against LibTIFF (e.g., convert in ImageMagick [1]) or performing a conversion operation. No authentication or special network position is needed beyond delivering the file to the victim.
Impact
Successful exploitation results in a denial of service via application crash (segmentation fault) [1]. The crash is caused by an out-of-bounds memory access, which may also be leveraged for more severe impacts like arbitrary code execution in some contexts [4], although the primary observed effect is a crash.
Mitigation
LibTIFF 3.9.3 and later versions address this issue [4]. Red Hat released an update via RHSA-2010-0519 [2]. Users should upgrade to LibTIFF 3.9.3 or later, or apply the vendor patch. No workarounds are documented; the only mitigation is to update the library.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (11)
- bugzilla.redhat.com/show_bug.cgi (NVD; Exploit)
- blackberry.com/btsc/KB27244 (NVD)
- bugzilla.maptools.org/show_bug.cgi (NVD)
- marc.info (NVD)
- secunia.com/advisories/40422 (NVD)
- secunia.com/advisories/40527 (NVD)
- secunia.com/advisories/50726 (NVD)
- security.gentoo.org/glsa/glsa-201209-02.xml (NVD)
- www.debian.org/security/2012/dsa-2552 (NVD)
- www.redhat.com/support/errata/RHSA-2010-0519.html (NVD)
- www.vupen.com/english/advisories/2010/1761 (NVD)