http://bugzilla.maptools.org/show_bug.cgi?id=2554

openSUSE-SU-2016:3035

openSUSE-SU-2016:1889

openSUSE-SU-2016:2321

openSUSE-SU-2016:2375

[oss-security] 20160615 CVE-2016-5314: libtiff 4.0.6 PixarLogDecode() out-of-bound writes

[oss-security] 20160615 CVE-2016-5320: libtiff 4.0.6 rgb2ycbcr: command excution

[oss-security] 20160630 Re: Re: CVE request: Heap-based buffer overflow in LibTIFF when using the PixarLog compression format

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

91195

91245

https://bugzilla.redhat.com/show_bug.cgi?id=1346687

https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2

GLSA-201701-16

DSA-3762

This update for tiff fixes the following issues: Security issues fixed :

  - CVE-2016-5315: The setByteArray function in tif_dir.c     allowed remote attackers to cause a denial of service     (out-of-bounds read) via a crafted tiff image.
    (bsc#984809)

  - CVE-2016-10267: LibTIFF allowed remote attackers to     cause a denial of service (divide-by-zero error and     application crash) via a crafted TIFF image, related to     libtiff/tif_ojpeg.c:816:8. (bsc#1017694)

  - CVE-2016-10269: LibTIFF allowed remote attackers to     cause a denial of service (heap-based buffer over-read)     or possibly have unspecified other impact via a crafted     TIFF image, related to 'READ of size 512' and     libtiff/tif_unix.c:340:2. (bsc#1031254)

  - CVE-2016-10270: LibTIFF allowed remote attackers to     cause a denial of service (heap-based buffer over-read)     or possibly have unspecified other impact via a crafted     TIFF image, related to 'READ of size 8' and     libtiff/tif_read.c:523:22. (bsc#1031250)

  - CVE-2017-18013: In LibTIFF, there was a NULL pointer     Dereference in the tif_print.c TIFFPrintDirectory     function, as demonstrated by a tiffinfo crash.
    (bsc#1074317)

  - CVE-2017-7593: tif_read.c did not ensure that     tif_rawdata is properly initialized, which might have     allowed remote attackers to obtain sensitive information     from process memory via a crafted image. (bsc#1033129)

  - CVE-2017-7595: The JPEGSetupEncode function in     tiff_jpeg.c allowed remote attackers to cause a denial     of service (divide-by-zero error and application crash)     via a crafted image. (bsc#1033127)

  - CVE-2017-7596: LibTIFF had an 'outside the range of     representable values of type float' undefined behavior     issue, which might have allowed remote attackers to     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     image. (bsc#1033126)

  - CVE-2017-7597: tif_dirread.c had an 'outside the range     of representable values of type float' undefined     behavior issue, which might have allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image. (bsc#1033120)

  - CVE-2017-7599: LibTIFF had an 'outside the range of     representable values of type short' undefined behavior     issue, which might have allowed remote attackers to     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     image. (bsc#1033113)

  - CVE-2017-7600: LibTIFF had an 'outside the range of     representable values of type unsigned char' undefined     behavior issue, which might have allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image. (bsc#1033112)

  - CVE-2017-7601: LibTIFF had a 'shift exponent too large     for 64-bit type long' undefined behavior issue, which     might have allowed remote attackers to cause a denial of     service (application crash) or possibly have unspecified     other impact via a crafted image. (bsc#1033111)

  - CVE-2017-7602: LibTIFF had a signed integer overflow,     which might have allowed remote attackers to cause a     denial of service (application crash) or possibly have     unspecified other impact via a crafted image.
    (bsc#1033109)

  - Multiple divide by zero issues

  - CVE-2016-5314: Buffer overflow in the PixarLogDecode     function in tif_pixarlog.c allowed remote attackers to     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     TIFF image, as demonstrated by overwriting the     vgetparent function pointer with rgb2ycbcr. (bsc#987351     bsc#984808 bsc#984831)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools tiff2rgba, rgb2ycbcr, tiffcp, tiffcrop, tiff2pdf and tiffsplit, which may result in denial of service, memory disclosure or the execution of arbitrary code.

There were additional vulnerabilities in the tools bmp2tiff, gif2tiff, thumbnail and ras2tiff, but since these were addressed by the libtiff developers by removing the tools altogether, no patches are available and those tools were also removed from the tiff package in Debian stable. The change had already been made in Debian stretch before and no applications included in Debian are known to rely on these scripts.
If you use those tools in custom setups, consider using a different conversion/thumbnailing tool.

The remote host is affected by the vulnerability described in GLSA-201701-16 (libTIFF: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libTIFF. Please review       the CVE identifier and bug reports referenced for details.
  Impact :

    A remote attacker could entice a user to process a specially crafted       image file, possibly resulting in execution of arbitrary code with the       privileges of the process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

CVE-2016-5314

Buffer overflow in the PixarLogDecode function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by overwriting the vgetparent function pointer with rgb2ycbcr.

Note : This was previously referenced as CVE-2016-5320. All CVE users should reference CVE-2016-5314 instead of CVE-2016-5320.

CVE-2015-8784 The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.

Impact

An attacker can use specially crafted TIFF files to execute arbitrary code with the limited privileges of the image optimization process.

This update for tiff fixes the following issues :

  - CVE-2016-3622: Specially crafted TIFF images could     trigger a crash in tiff2rgba (bsc#974449)

  - Various out-of-bound write vulnerabilities with     unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095,     MSVR 35096, MSVR 35097, MSVR 35098)

  - CVE-2016-5314: Specially crafted TIFF images could     trigger a crash that could result in DoS (bsc#984831)

  - CVE-2016-5316: Specially crafted TIFF images could     trigger a crash in the rgb2ycbcr tool, leading to Doa     (bsc#984837)

  - CVE-2016-5317: Specially crafted TIFF images could     trigger a crash through an out of bound write     (bsc#984842)

  - CVE-2016-5320: Specially crafted TIFF images could     trigger a crash or potentially allow remote code     execution when using the rgb2ycbcr command (bsc#984808)

  - CVE-2016-5875: Specially crafted TIFF images could     trigger could allow arbitrary code execution     (bsc#987351)

  - CVE-2016-3623: Specially crafted TIFF images could     trigger a crash in rgb2ycbcr (bsc#974618)

  - CVE-2016-3945: Specially crafted TIFF images could     trigger a crash or allow for arbitrary command execution     via tiff2rgba (bsc#974614)

  - CVE-2016-3990: Specially crafted TIFF images could     trigger a crash or allow for arbitrary command execution     (bsc#975069)

  - CVE-2016-3186: Specially crafted TIFF imaged could     trigger a crash in the gif2tiff command via a buffer     overflow (bsc#973340)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

  - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:
    Out-of-bounds writes for invalid images (bsc#964225)

  - CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).

  - CVE-2016-5875: heap-based buffer overflow when using the     PixarLog compressionformat (bsc#987351)

  - CVE-2016-5316: Out-of-bounds read in PixarLogCleanup()     function in tif_pixarlog.c (bsc#984837)

  - CVE-2016-5314: Out-of-bounds write in PixarLogDecode()     function (bsc#984831)

  - CVE-2016-5317: Out-of-bounds write in PixarLogDecode()     function in libtiff.so (bsc#984842)

  - CVE-2016-5320: Out-of-bounds write in PixarLogDecode()     function in tif_pixarlog.c (bsc#984808)

This update for tiff fixes the following issues :

  - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:
    Out-of-bounds writes for invalid images (bsc#964225)

  - CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).

  - CVE-2016-5875: heap-based buffer overflow when using the     PixarLog compressionformat (bsc#987351)

  - CVE-2016-5316: Out-of-bounds read in PixarLogCleanup()     function in tif_pixarlog.c (bsc#984837)

  - CVE-2016-5314: Out-of-bounds write in PixarLogDecode()     function (bsc#984831)

  - CVE-2016-5317: Out-of-bounds write in PixarLogDecode()     function in libtiff.so (bsc#984842)

  - CVE-2016-5320: Out-of-bounds write in PixarLogDecode()     function in tif_pixarlog.c (bsc#984808) 

This update was imported from the SUSE:SLE-12:Update update project.

This update for tiff fixes the following issues :

  - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:
    Out-of-bounds writes for invalid images (bsc#964225)

  - CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).

  - CVE-2016-5875: heap-based buffer overflow when using the     PixarLog compressionformat (bsc#987351)

  - CVE-2016-5316: Out-of-bounds read in PixarLogCleanup()     function in tif_pixarlog.c (bsc#984837)

  - CVE-2016-5314: Out-of-bounds write in PixarLogDecode()     function (bsc#984831)

  - CVE-2016-5317: Out-of-bounds write in PixarLogDecode()     function in libtiff.so (bsc#984842)

  - CVE-2016-5320: Out-of-bounds write in PixarLogDecode()     function in tif_pixarlog.c (bsc#984808)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Version 3.9.6-11+deb7u1 and 3.9.6-11+deb7u2 introduced changes that resulted in libtiff writing out invalid tiff files when the compression scheme in use relies on codec-specific TIFF tags embedded in the image.

For Debian 7 'Wheezy', these problems have been fixed in version 3.9.6-11+deb7u3.

We recommend that you upgrade your tiff3 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were found in the tiff library, potentially causing denial of services to applications using it.

For Debian 7 'Wheezy', these problems have been fixed in version 4.0.2-6+deb7u6.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2016-5314: Fixed an out-of-bounds write in     PixarLogDecode() function (boo#984831)

  - CVE-2016-5316: Fixed an out-of-bounds read in     PixarLogCleanup() function in tif_pixarlog.c     (boo#984837)

  - CVE-2016-5317: Fixed an out-of-bounds write in     PixarLogDecode() function in libtiff.so (boo#984842)

  - CVE-2016-5320: Fixed an out-of-bounds write in     PixarLogDecode() function in tif_pixarlog.c (boo#984808)

  - CVE-2016-5875: Fixed a heap-based buffer overflow when     using the PixarLog compressionformat (boo#987351)

Bugs fixed :

  - boo#964225: Fixed writes for invalid images (upstream     bug #2522)

Mathias Svensson reports :

potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images

ID	Name	Product	Family	Severity
110258	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:1472-1)	Nessus	SuSE Local Security Checks	medium
97434	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : tiff vulnerabilities (USN-3212-1)	Nessus	Ubuntu Local Security Checks	high
96495	Debian DSA-3762-1 : tiff - security update	Nessus	Debian Local Security Checks	high
96373	GLSA-201701-16 : libTIFF: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
94648	F5 Networks BIG-IP : LibTIFF vulnerabilities (K89096577)	Nessus	F5 Networks Local Security Checks	medium
94067	SUSE SLES11 Security Update : tiff (SUSE-SU-2016:2527-1)	Nessus	SuSE Local Security Checks	medium
93707	openSUSE Security Update : tiff (openSUSE-2016-1122)	Nessus	SuSE Local Security Checks	medium
93585	openSUSE Security Update : tiff (openSUSE-2016-1089)	Nessus	SuSE Local Security Checks	medium
93439	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2016:2271-1)	Nessus	SuSE Local Security Checks	medium
93322	Debian DLA-610-2 : tiff3 regression update	Nessus	Debian Local Security Checks	high
93236	Debian DLA-606-1 : tiff security update	Nessus	Debian Local Security Checks	medium
92597	openSUSE Security Update : tiff (openSUSE-2016-911)	Nessus	SuSE Local Security Checks	medium
92339	FreeBSD : tiff -- buffer overflow (0ab66088-4aa5-11e6-a7bd-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	medium

CVE-2016-5314

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins