CVE-2010-2597
Description
LibTIFF 3.9.0 and 3.9.2 crash when processing crafted TIFF images with downsampled OJPEG compression due to incorrect TIFFGetField calls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the TIFFVStripSize function in tif_strip.c of LibTIFF versions 3.9.0 and 3.9.2. The function makes incorrect calls to TIFFGetField, leading to a divide-by-zero error when processing a crafted TIFF image that uses downsampled Old JPEG (OJPEG) compression [1][3]. This issue is triggered by specific image parameters that cause a compiler optimization to produce a division by zero.
Exploitation
An attacker can exploit this by providing a specially crafted TIFF file with downsampled OJPEG compression to an application that uses the vulnerable LibTIFF library. No authentication or special privileges are required; the attacker only needs to convince a user or automated process to open the malicious file (e.g., via email attachment, web download, or image processing pipeline). The crash occurs during the decoding of the image, as demonstrated by crashes in ImageMagick's convert and GNOME's Eye of GNOME (eog) [1][4].
Impact
Successful exploitation results in a denial of service (application crash) due to a segmentation fault or divide-by-zero error. The crash can cause the consuming application to terminate, potentially disrupting services or user workflows. There is no indication of code execution or information disclosure; the impact is limited to availability.
Mitigation
Red Hat released an advisory RHSA-2010:0519 [2] addressing this issue, and the fix was included in LibTIFF updates. Users should upgrade to a patched version of LibTIFF (e.g., 3.9.4 or later). For systems that cannot be immediately updated, avoid opening untrusted TIFF files from unknown sources. The vulnerability is not known to be exploited in the wild and is not listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
References (11)
- bugzilla.redhat.com/show_bug.cgi (nvd, Patch)
- bugzilla.redhat.com/show_bug.cgi (nvd, Exploit)
- bugzilla.maptools.org/show_bug.cgi (nvd)
- secunia.com/advisories/40422 (nvd)
- secunia.com/advisories/40527 (nvd)
- secunia.com/advisories/50726 (nvd)
- security.gentoo.org/glsa/glsa-201209-02.xml (nvd)
- www.debian.org/security/2012/dsa-2552 (nvd)
- www.redhat.com/support/errata/RHSA-2010-0519.html (nvd)
- www.vupen.com/english/advisories/2010/1761 (nvd)
- bugs.launchpad.net/bugs/593067 (nvd)