http://bugzilla.maptools.org/show_bug.cgi?id=2567

[oss-security] 20160407 CVE-2016-3619 libtiff: Out-of-bounds Read in the bmp2tiff tool

85919

1035508

GLSA-201701-16

This update for tiff fixes the following issues :

Security issues fixed :

CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).

CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).

CVE-2017-9147: Fixed invalid read in the _TIFFVGetField function in tif_dir.c, that allowed remote attackers to cause a DoS via acrafted TIFF file (bsc#1040322).

CVE-2017-9117: Fixed BMP images processing that was verified without biWidth and biHeight values (bsc#1040080).

CVE-2017-17942: Fixed issue in the function PackBitsEncode that could have led to a heap overflow and caused a DoS (bsc#1074186).

CVE-2016-9273: Fixed heap-based buffer overflow issue (bsc#1010163).

CVE-2016-5319: Fixed heap-based buffer overflow in PackBitsEncode (bsc#983440).

CVE-2016-3621: Fixed out-of-bounds read in the bmp2tiff tool (lzw packing) (bsc#974448).

CVE-2016-3620: Fixed out-of-bounds read in the bmp2tiff tool (zip packing) (bsc#974447)

CVE-2016-3619: Fixed out-of-bounds read in the bmp2tiff tool (none packing) (bsc#974446)

CVE-2015-8870: Fixed integer overflow in tools/bmp2tiff.c that allowed remote attackers to causea DOS (bsc#1014461).

Non-security issues fixed: asan_build: build ASAN included

debug_build: build more suitable for debugging

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of Apple TV on the remote device is prior to 10.2. It is, therefore, affected by multiple vulnerabilities :

  - An out-of-bounds read error exists in LibTIFF in the     DumpModeEncode() function within file tif_dumpmode.c.
    An unauthenticated, remote attacker can exploit this     to crash a process linked against the library or     disclose memory contents. (CVE-2016-3619)

  - An out-of-bounds read error exists in WebKit when     handling certain JavaScript code. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the disclosure of memory contents.
    (CVE-2016-9642)

  - A denial of service vulnerability exists in WebKit when     handling certain regular expressions. An     unauthenticated, remote attacker can exploit this, via a     specially crafted web page, to exhaust available memory     resources. (CVE-2016-9643)

  - An information disclosure vulnerability exists in WebKit     when handling page loading due to improper validation of     certain input. An unauthenticated, remote attacker can     exploit this to disclose data cross-origin.
    (CVE-2017-2367)

  - A buffer overflow condition exists in the Carbon     component when handling specially crafted DFONT files     due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via     a specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2017-2379)

  - An information disclosure vulnerability exists in WebKit     when handling unspecified exceptions. An     unauthenticated, remote attacker can exploit this, via     specially crafted web content, to disclose data     cross-origin. (CVE-2017-2386)

  - A flaw exists in the libarchive component due to the     insecure creation of temporary files. A local attacker     can exploit this, by using a symlink attack against an     unspecified file, to cause unexpected changes to be made     to file system permissions. (CVE-2017-2390)

  - Multiple memory corruption issues exist in WebKit that     allow an unauthenticated, remote attacker to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2017-2394, CVE-2017-2395,     CVE-2017-2396, CVE-2017-2454, CVE-2017-2455,     CVE-2017-2459, CVE-2017-2460, CVE-2017-2464,     CVE-2017-2465, CVE-2017-2466, CVE-2017-2468,     CVE-2017-2469, CVE-2017-2470, CVE-2017-2476)

  - A memory corruption issue exists in the Kernel component     due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to cause a denial of service condition or     the execution or arbitrary code. (CVE-2017-2401)

  - Multiple memory corruption issues exist in the FontParser     component when handling font files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit these to cause a denial condition     or the execution of arbitrary code. (CVE-2017-2406,     CVE-2017-2407, CVE-2017-2487)

  - An unspecified type confusion error exists in WebKit     that allows an unauthenticated, remote attacker to     execute arbitrary code by using specially crafted web     content. (CVE-2017-2415)

  - A memory corruption issue exists in the ImageIO     component, specifically in the GIFReadPlugin::init()     function, when handling image files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via a specially crafted image     file, to cause a denial of service condition or the     execution of arbitrary code. (CVE-2017-2416)

  - An infinite recursion condition exists in the     CoreGraphics component when handling image files. An     unauthenticated, remote can exploit this, via a     specially crafted image file, to cause a denial of     service condition. (CVE-2017-2417)

  - An unspecified flaw exists related to nghttp2 and     LibreSSL. An unauthenticated, remote attacker can     exploit this, by convincing a user to access a malicious     HTTP/2 server, to have an unspecified impact on     confidentiality, integrity, and availability.
    (CVE-2017-2428)

  - A type confusion error exists in the Audio component     when parsing specially crafted M4A audio files due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2017-2430)

  - An integer overflow condition exists in the ImageIO     component when handling JPEG files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via a specially crafted file,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2017-2432)

  - A memory corruption issue exists in the CoreText     component when handling font files due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via a specially crafted file,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2017-2435)

  - An out-of-bounds read error exists in the FontParser     component when handling font files. An unauthenticated,     remote attacker can exploit this, via a specially     crafted file, to disclose process memory.
    (CVE-2017-2439)

  - An integer overflow condition exists in the Kernel     component due to improper validation of certain input.
    An unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to execute arbitrary code with kernel-level     privileges. (CVE-2017-2440)

  - A use-after-free error exists in libc++abi when     demangling C++ applications. An unauthenticated, remote     attacker can exploit this, by convincing a user to run a     specially crafted application, to execute arbitrary     code. (CVE-2017-2441)

  - A memory corruption issue exists in WebKit within the     CoreGraphics component due to improper validation of     certain input. An unauthenticated, remote attacker can     exploit this, via specially crafted web content, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-2444)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit when handling frame objects due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via     specially crafted web content, to execute arbitrary     script code in a user's browser session. (CVE-2017-2445)

  - A flaw exists in WebKit due to non-strict mode functions     that are called from built-in strict mode scripts not     being properly restricted from calling sensitive native     functions. An unauthenticated, remote attacker can     exploit this, via specially crafted web content, to     execute arbitrary code. (CVE-2017-2446)

  - An out-of-bounds read error exists in WebKit when     handling the bound arguments array of a bound function.
    An unauthenticated, remote attacker can exploit this,     via specially crafted web content, to disclose memory     contents. (CVE-2017-2447)

  - An unspecified flaw exists in the Security component due     to improper validation of OTR packets under certain     conditions. A man-in-the-middle attacker can exploit     this to disclose and optionally manipulate transmitted     data by spoofing the TLS/SSL server via a packet that     appears to be valid. (CVE-2017-2448)

  - An out-of-bounds read error exists in CoreText component     when handling font files. An unauthenticated, remote     attacker can exploit this, via a specially crafted file,     to disclose process memory. (CVE-2017-2450)

  - A buffer overflow condition exists in the Security     component due to improper validation of certain input.
    An unauthenticated, remote attacker can exploit this,     by convincing a user to run a specially crafted     application, to execute arbitrary code with root     root privileges. (CVE-2017-2451)

  - A race condition exists in the Kernel component when     handling memory using the 'mach_msg' system call. An     unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code with root privileges.
    CVE-2017-2456)

  - An buffer overflow condition exists in the Keyboards     component due to improper validation of certain input.
    An unauthenticated, remote attacker can exploit this, by     convincing a user to run a specially crafted     application, to cause a denial of service condition or     the execution of arbitrary code. (CVE-2017-2458)

  - A denial of service vulnerability exists in the     CoreText component when handling specially crafted text     messages due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this to     exhaust available resources on the system.
    (CVE-2017-2461)

  - A heap buffer overflow condition exists in the Audio     component when parsing specially crafted M4A audio files     due to improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via a     specially crafted file, to execute arbitrary code.
    (CVE-2017-2462)

  - An memory corruption issue exists in the ImageIO     component when handling specially crafted files due to     improper validation of certain input. An     unauthenticated, remote attacker can exploit this, via     a specially crafted file, to cause a denial of service     condition or the execution of arbitrary code.
    (CVE-2017-2467)

  - A use-after-free error exists in the Kernel component in     the XNU port actions extension due to improper handling     of port references in error cases. An local attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code with     kernel-level privileges. (CVE-2017-2472)

  - A signedness error exists in the Kernel component in the     SIOCSIFORDER IOCTL due to improper validation of certain     input. A local attacker can exploit this to cause an     out-of-bounds read and memory corruption, resulting in     a denial of service condition or the execution of     arbitrary code with kernel-level privileges.
    (CVE-2017-2473)

  - A off-by-one overflow condition exists in the Kernel     component in the SIOCSIFORDER IOCTL due to improper     validation of certain input. A local attacker can exploit     this to cause a heap-based buffer overflow, resulting in     the execution of arbitrary code with kernel-level     privileges. (CVE-2017-2474)

  - A universal cross-site scripting (XSS) vulnerability     exists in WebKit when handling frames due to improper     validation of certain input. An unauthenticated, remote     attacker can exploit this, via specially crafted web     content, to execute arbitrary script code in a user's     browser session. (CVE-2017-2475)

  - A race condition exists in the Kernel component in the     necp_open() function when closing files descriptors due     to improper handling of proc_fd locks. A local attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code with     kernel-level privileges. (CVE-2017-2478)

  - A use-after-free error exists in WebKit when handling     ElementData objects. An unauthenticated, remote attacker     can exploit this, via specially crafted web content, to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2017-2481)

  - A heap buffer overflow condition exists in the Kernel     component within the Berkeley Packet Filter (BPF)     BIOCSBLEN IOCTL due to improper validation of certain     input when reattaching to an interface. A local attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code with kernel-level     privileges. (CVE-2017-2482)

  - An off-by-one error exists in the Kernel component,     specifically in the audit_pipe_open() function, when     handling auditpipe devices due to improper validation of     certain input. A local attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code with     kernel-level privileges. (CVE-2017-2483)

  - An unspecified memory corruption issue exists in the     Security component when parsing X.509 certificates due     to improper validation of certain input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-2485)

  - A double-free error exists in the Kernel component due     to FSEVENTS_DEVICE_FILTER_64 IOCTL not properly locking     devices. A local attacker can exploit this to corrupt     memory, resulting in the execution of arbitrary code     with elevated privileges. (CVE-2017-2490)

  - A use-after-free error exists in JavaScriptCore when     handling the String.replace() method. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2017-2491)

  - A universal cross-site scripting (XSS) vulnerability     exists in JavaScriptCore due to an unspecified prototype     flaw. An unauthenticated, remote attacker can exploit     this, via a specially crafted web page, to execute     arbitrary code in a user's browser session.
    (CVE-2017-2492)

Note that only 4th generation models are affected by these vulnerabilities.

The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - apache
  - apache_mod_php
  - AppleGraphicsPowerManagement
  - AppleRAID
  - Audio
  - Bluetooth
  - Carbon
  - CoreGraphics
  - CoreMedia
  - CoreText
  - curl
  - EFI
  - FinderKit
  - FontParser
  - HTTPProtocol
  - Hypervisor
  - iBooks
  - ImageIO
  - Intel Graphics Driver
  - IOATAFamily
  - IOFireWireAVC
  - IOFireWireFamily
  - Kernel
  - Keyboards
  - libarchive
  - libc++abi
  - LibreSSL
  - MCX Client
  - Menus
  - Multi-Touch
  - OpenSSH
  - OpenSSL
  - Printing
  - python
  - QuickTime
  - Security
  - SecurityFoundation
  - sudo
  - System Integrity Protection
  - tcpdump
  - tiffutil
  - WebKit

The version of Apple iOS running on the mobile device is prior to 10.3. It is, therefore, affected by multiple vulnerabilities in multiple components, the majority of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - Accounts
  - Audio
  - Carbon
  - CoreGraphics
  - CoreText
  - DataAccess
  - FontParser
  - HomeKit
  - HTTPProtocol
  - ImageIO
  - iTunes Store
  - JavaScriptCore
  - Kernel
  - Keyboards
  - libarchive
  - libc++abi
  - libxslt
  - Pasteboard
  - Phone
  - Profiles
  - Quick Look
  - Safari
  - Safari Reader
  - SafariViewController
  - Security
  - Siri
  - WebKit
  - WebKit JavaScript Bindings
  - WebKit Web Inspector

The remote host is affected by the vulnerability described in GLSA-201701-16 (libTIFF: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libTIFF. Please review       the CVE identifier and bug reports referenced for details.
  Impact :

    A remote attacker could entice a user to process a specially crafted       image file, possibly resulting in execution of arbitrary code with the       privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Version 4.0.2-6+deb7u7 introduced changes that resulted in libtiff being unable to write out tiff files when the compression scheme in use relies on codec-specific TIFF tags embedded in the image.

This problem manifested itself with errors like those: $ tiffcp -r 16
-c jpeg sample.tif out.tif _TIFFVGetField: out.tif: Invalid tag 'Predictor' (not supported by codec). _TIFFVGetField: out.tif: Invalid tag 'BadFaxLines' (not supported by codec). tiffcp:
tif_dirwrite.c:687: TIFFWriteDirectorySec: Assertion `0' failed.

For Debian 7 'Wheezy', these problems have been fixed in version 4.0.2-6+deb7u10.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
119143	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:3879-1)	Nessus	SuSE Local Security Checks	critical
99264	Apple TV < 10.2 Multiple Vulnerabilities	Nessus	Misc.	high
99134	macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)	Nessus	MacOS X Local Security Checks	critical
99127	Apple iOS < 10.3 Multiple Vulnerabilities	Nessus	Mobile Devices	critical
96373	GLSA-201701-16 : libTIFF: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
94474	Debian DLA-693-2 : tiff regression update	Nessus	Debian Local Security Checks	critical

CVE-2016-3619

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

critical

critical

critical

critical