http://bugzilla.maptools.org/show_bug.cgi?id=2640

DSA-3762

[oss-security] 20170101 Re: libtiff: multiple heap-based buffer overflow

[oss-security] 20170101 Re: Re: libtiff: multiple heap-based buffer overflow

95214

https://blogs.gentoo.org/ago/2017/01/01/libtiff-multiple-heap-based-buffer-overflow/

https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2018-19210: Fixed NULL pointer dereference in the     TIFFWriteDirectorySec function (bsc#1115717).

  - CVE-2017-12944: Fixed denial of service issue in the     TIFFReadDirEntryArray function (bsc#1054594).

  - CVE-2016-10094: Fixed heap-based buffer overflow in the
    _tiffWriteProc function (bsc#1017693).

  - CVE-2016-10093: Fixed heap-based buffer overflow in the
    _TIFFmemcpy function (bsc#1017693).

  - CVE-2016-10092: Fixed heap-based buffer overflow in the     TIFFReverseBits function (bsc#1017693).

  - CVE-2016-6223: Fixed out-of-bounds read on memory-mapped     files in TIFFReadRawStrip1() and TIFFReadRawTile1()     (bsc#990460).

This update was imported from the SUSE:SLE-15:Update update project.

This update for tiff fixes the following issues :

Security issues fixed :

CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717).

CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594).

CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).

CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).

CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).

CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2018-19210: Fixed NULL pointer dereference in the     TIFFWriteDirectorySec function (bsc#1115717).

  - CVE-2017-12944: Fixed denial of service issue in the     TIFFReadDirEntryArray function (bsc#1054594).

  - CVE-2016-10094: Fixed heap-based buffer overflow in the
    _tiffWriteProc function (bsc#1017693).

  - CVE-2016-10093: Fixed heap-based buffer overflow in the
    _TIFFmemcpy function (bsc#1017693).

  - CVE-2016-10092: Fixed heap-based buffer overflow in the     TIFFReverseBits function (bsc#1017693).

  - CVE-2016-6223: Fixed out-of-bounds read on memory-mapped     files in TIFFReadRawStrip1() and TIFFReadRawTile1()     (bsc#990460).

This update was imported from the SUSE:SLE-12:Update update project.

This update for tiff fixes the following issues :

Security issues fixed :

CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).

CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).

CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Off-by-one error in the t2p_readwrite_pdf_image_tile     function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows     remote attackers to have unspecified impact via a     crafted image.(CVE-2016-10094)

  - Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7     allows remote attackers to have unspecified impact via     a crafted image, which triggers a heap-based buffer     overflow.(CVE-2016-10093)

  - LibTIFF version 4.0.7 is vulnerable to a heap buffer     overflow in the tools/tiffcp resulting in DoS or code     execution via a crafted BitsPerSample     value.(CVE-2017-5225)

  - Integer overflow in the writeBufferToSeparateStrips     function in tiffcrop.c in LibTIFF before 4.0.7 allows     remote attackers to cause a denial of service     (out-of-bounds read) via a crafted tif     file.(CVE-2016-9532)

  - The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in     tif_read.c in libtiff before 4.0.7 allows remote     attackers to cause a denial of service (crash) or     possibly obtain sensitive information via a negative     index in a file-content buffer.(CVE-2016-6223)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Off-by-one error in the t2p_readwrite_pdf_image_tile     function in tools/tiff2pdf.c in LibTIFF 4.0.7 allows     remote attackers to have unspecified impact via a     crafted image.(CVE-2016-10094)

  - Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7     allows remote attackers to have unspecified impact via     a crafted image, which triggers a heap-based buffer     overflow.(CVE-2016-10093)

  - LibTIFF version 4.0.7 is vulnerable to a heap buffer     overflow in the tools/tiffcp resulting in DoS or code     execution via a crafted BitsPerSample     value.(CVE-2017-5225)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools tiff2rgba, rgb2ycbcr, tiffcp, tiffcrop, tiff2pdf and tiffsplit, which may result in denial of service, memory disclosure or the execution of arbitrary code.

There were additional vulnerabilities in the tools bmp2tiff, gif2tiff, thumbnail and ras2tiff, but since these were addressed by the libtiff developers by removing the tools altogether, no patches are available and those tools were also removed from the tiff package in Debian stable. The change had already been made in Debian stretch before and no applications included in Debian are known to rely on these scripts.
If you use those tools in custom setups, consider using a different conversion/thumbnailing tool.

ID	Name	Product	Family	Severity
123404	openSUSE Security Update : tiff (openSUSE-2019-987)	Nessus	SuSE Local Security Checks	medium
120181	SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:4008-1)	Nessus	SuSE Local Security Checks	medium
119866	openSUSE Security Update : tiff (openSUSE-2018-1598)	Nessus	SuSE Local Security Checks	medium
119807	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:4191-1)	Nessus	SuSE Local Security Checks	medium
119718	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:4120-1)	Nessus	SuSE Local Security Checks	medium
119550	openSUSE Security Update : tiff (openSUSE-2018-1522)	Nessus	SuSE Local Security Checks	medium
110741	EulerOS 2.0 SP3 : libtiff (EulerOS-SA-2018-1165)	Nessus	Huawei Local Security Checks	high
109501	EulerOS 2.0 SP2 : libtiff (EulerOS-SA-2018-1103)	Nessus	Huawei Local Security Checks	high
109500	EulerOS 2.0 SP1 : libtiff (EulerOS-SA-2018-1102)	Nessus	Huawei Local Security Checks	high
97434	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : tiff vulnerabilities (USN-3212-1)	Nessus	Ubuntu Local Security Checks	high
96495	Debian DSA-3762-1 : tiff - security update	Nessus	Debian Local Security Checks	high

CVE-2016-10094

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins