Cisco Talos security researchers have discovered multiple flaws in the LEADTOOLS imaging toolkits that could result in code execution on the victim's device. Developed by LEAD Technologies Inc., LEADTOOLS is a family of toolkits for building file, clinical, multimedia and imaging applications targeted at desktop, server and mobile devices. The SDK and its libraries are available for various operating systems. According to the Talos researchers, the vulnerabilities discovered in LEADTOOLS could allow a malicious actor to cause denial-of-service (DoS) conditions.

The first flaw is a heap out-of-bounds write vulnerability in the TIF parsing functionality of LEADTOOLS 20. Tracked as CVE-2019-5084, it can be triggered by a specially crafted TIF image that causes a write at an offset beyond the bounds of a heap allocation.

The CMP parsing functionality of LEADTOOLS 20, Talos says, has an integer underflow defect. The problem, tracked as CVE-2019-5099, can be triggered with a specially crafted CMP image file.

Cisco's researchers also found that the header parsing functionality of LEADTOOLS 20 is affected by an integer overflow bug (tracked as CVE-2019-5100) and that the JPEG2000 parsing functionality contains a heap overflow vulnerability (CVE-2019-5125). As with the first two bugs, an attacker attempting to trigger these faults needs specially crafted image files, in this case BMP and J2K files.

All four vulnerabilities are rated high severity, with a CVSS score of 8.8. Talos researchers found them in LEADTOOLS 20.0.2019.3.15 early in September and disclosed them to the vendor on September 10. A patch was issued earlier this week.