CVE-2010-2596
Description
A crafted TIFF image triggers an assertion failure in LibTIFF's OJPEGPostDecode function, causing denial of service via tiff2ps and similar tools.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the OJPEGPostDecode function in tif_ojpeg.c in LibTIFF versions 3.9.0 and 3.9.2. When processing a crafted TIFF image with downsampled old-style JPEG (OJPEG) compression, the function hits an assertion sp->libjpeg_session_active!=0 at line 848, causing a crash. The issue is triggered when tiff2ps or other image conversion tools (e.g., ImageMagick's convert) process such a malicious file [1][2].
Exploitation
An attacker needs to supply a specially crafted TIFF image using downsampled OJPEG compression. The user must open or convert the file with an application that uses the affected LibTIFF library, such as running tiff2ps or convert on the image. No authentication or special network position is required; the attack is purely file-based [1][2].
Impact
Successful exploitation results in a denial of service: the application crashes due to the failed assertion (abort) or a subsequent libjpeg error. The crash can terminate the calling process, affecting availability. The reported test file caused a segmentation fault in ImageMagick's convert and a failed assertion in tiff2ps [1][2].
Mitigation
The issue is fixed in LibTIFF versions 3.9.3 and later, specifically with a commit that replaces the assertion with a conditional check. Upstream releases 3.9.3 and 3.9.4 were published around June 2010 [3]. Users should upgrade to LibTIFF 3.9.3 or later. For Gentoo, the fix is included in >=media-libs/tiff-3.9.5-r2 [4]. No workaround is available apart from avoiding processing untrusted TIFF images with the vulnerable library versions.
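The fix pattern described above, an assertion replaced by a conditional check, shown as an added example that is not LibTIFF's code. It is a simplified C model: struct ojpeg_state, post_decode_assert, post_decode_checked and aborts are hypothetical names, and only the libjpeg_session_active flag comes from the page. Each variant runs in a child process on a constructed state, and the parent reports whether the child was killed by SIGABRT.

```c
/* Simplified model (added example, not LibTIFF source): a decoder whose
 * post-decode step depends on state that a malformed file can leave unset. */
#include <assert.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the codec state; only the flag name is from the page. */
struct ojpeg_state { int libjpeg_session_active; int rows_pending; };

/* "Before" pattern: an invariant on input-dependent state enforced with assert().
 * A file that reaches this point with no active session aborts the process. */
static int post_decode_assert(struct ojpeg_state *sp) {
    assert(sp->libjpeg_session_active != 0);
    sp->rows_pending = 0;
    return 1;
}

/* "After" pattern: the same condition as a runtime check that reports an
 * error to the caller, which can reject the image and keep running. */
static int post_decode_checked(struct ojpeg_state *sp) {
    if (sp->libjpeg_session_active == 0) {
        fprintf(stderr, "ojpeg model: no active session, rejecting image\n");
        return 0;
    }
    sp->rows_pending = 0;
    return 1;
}

/* Run fn in a child process; return 1 if the child died from SIGABRT. */
static int aborts(int (*fn)(struct ojpeg_state *), struct ojpeg_state st) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { fn(&st); _exit(0); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT;
}

int main(void) {
    struct ojpeg_state bad = {0, 4};   /* constructed: session never started */
    printf("assert version aborts:  %d\n", aborts(post_decode_assert, bad));
    printf("checked version aborts: %d\n", aborts(post_decode_checked, bad));
    return 0;
}
```

Building with -DNDEBUG compiles the assert() out entirely, so the first variant would then continue with the unset state instead of aborting.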
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
References: 6
News mentions: 0
No linked articles in our index yet.