RHSA-2017:0225

DSA-3762

94484

94747

https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3

This update for tiff fixes the following security issues :

  - CVE-2017-5225: Prevent heap buffer overflow in the     tools/tiffcp that could have caused DoS or code     execution via a crafted BitsPerSample value     (bsc#1019611)

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825)

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332)

  - CVE-2016-10266: Prevent remote attackers to cause a     denial of service (divide-by-zero error and application     crash) via a crafted TIFF image, related to     libtiff/tif_read.c:351:22 (bsc#1031263)

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408)

  - CVE-2016-9540: Prevent out-of-bounds write on tiled     images with odd tile width versus image width     (bsc#1011839).

  - CVE-2016-9535: tif_predict.h and tif_predict.c had     assertions that could have lead to assertion failures in     debug mode, or buffer overflows in release mode, when     dealing with unusual tile size like YCbCr with     subsampling (bsc#1011846).

  - CVE-2016-9535: tif_predict.h and tif_predict.c had     assertions that could have lead to assertion failures in     debug mode, or buffer overflows in release mode, when     dealing with unusual tile size like YCbCr with     subsampling (bsc#1011846).

  - Removed assert in readSeparateTilesIntoBuffer() function     (bsc#1017689).

  - CVE-2016-10095: Prevent stack-based buffer overflow in     the _TIFFVGetField function that allowed remote     attackers to cause a denial of service (crash) via a     crafted TIFF file (bsc#1017690).

  - CVE-2016-8331: Prevent remote code execution because of     incorrect handling of TIFF images. A crafted TIFF     document could have lead to a type confusion     vulnerability resulting in remote code execution. This     vulnerability could have been be triggered via a TIFF     file delivered to the application using LibTIFF's tag     extension functionality (bsc#1007276).

  - CVE-2016-3632: The _TIFFVGetField function allowed     remote attackers to cause a denial of service     (out-of-bounds write) or execute arbitrary code via a     crafted TIFF image (bsc#974621).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for libtiff is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2016-9533, CVE-2016-9534, CVE-2016-9535)

* Multiple flaws have been discovered in various libtiff tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2015-8870, CVE-2016-5652, CVE-2016-9540, CVE-2016-9537, CVE-2016-9536)

Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the compat-libtiff3 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The (1) putcontig8bitYCbCr21tile function in     tif_getimage.c or (2) NeXTDecode function in tif_next.c     in LibTIFF allows remote attackers to cause a denial of     service (uninitialized memory access) via a crafted     TIFF image, as demonstrated by libtiff-cvs-1.tif and     libtiff-cvs-2.tif.(CVE-2014-8127,CVE-2014-8129,CVE-2014
    -8130,CVE-2014-9655)

  - A flaw was discovered in the bmp2tiff utility. By     tricking a user into processing a specially crafted     file, a remote attacker could exploit this flaw to     cause a crash or memory corruption and, possibly,     execute arbitrary code with the privileges of the user     running the libtiff     tool.(CVE-2014-9330,CVE-2015-7554,CVE-2015-8668,CVE-201     5-8665,CVE-2015-8781,CVE-2016-3632,CVE-2016-3945,CVE-20     16-3990,CVE-2016-3991,CVE-2016-5320,CVE-2016-5652,CVE-2     015-8683)

  - tools/tiffcp.c in libtiff has an out-of-bounds write on     tiled images with odd tile width versus image width.
    Reported as MSVR 35103, aka 'cpStripToTile     heap-buffer-overflow.'(CVE-2016-9540)

  - tif_predict.h and tif_predict.c in libtiff have     assertions that can lead to assertion failures in debug     mode, or buffer overflows in release mode, when dealing     with unusual tile size like YCbCr with subsampling.
    Reported as MSVR 35105, aka 'Predictor     heap-buffer-overflow.'(CVE-2016-9535,CVE-2016-9533,CVE-     2016-9534,CVE-2016-9536,CVE-2016-9537)

  - The NeXTDecode function in tif_next.c in LibTIFF allows     remote attackers to cause a denial of service     (uninitialized memory access) via a crafted TIFF image,     as demonstrated by libtiff5.tif.(CVE-2015-1547)

  - The NeXTDecode function in tif_next.c in LibTIFF allows     remote attackers to cause a denial of service     (out-of-bounds write) via a crafted TIFF image, as     demonstrated by libtiff5.tif.(CVE-2015-8784)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple flaws have been discovered in libtiff. A     remote attacker could exploit these flaws to cause a     crash or memory corruption and, possibly, execute     arbitrary code by tricking an application linked     against libtiff into processing specially crafted     files. (CVE-2016-9533, CVE-2016-9534, CVE-2016-9535)

  - Multiple flaws have been discovered in various libtiff     tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By     tricking a user into processing a specially crafted     file, a remote attacker could exploit these flaws to     cause a crash or memory corruption and, possibly,     execute arbitrary code with the privileges of the user     running the libtiff tool. (CVE-2015-8870,     CVE-2016-5652, CVE-2016-9540, CVE-2016-9537,     CVE-2016-9536)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of macOS that is 10.12.x prior to 10.12.4. It is, therefore, affected by multiple vulnerabilities in multiple components, some of which are remote code execution vulnerabilities. An unauthenticated, remote attacker can exploit these remote code execution vulnerabilities by convincing a user to visit a specially crafted website, resulting in the execution of arbitrary code in the context of the current user. The affected components are as follows :

  - apache
  - apache_mod_php
  - AppleGraphicsPowerManagement
  - AppleRAID
  - Audio
  - Bluetooth
  - Carbon
  - CoreGraphics
  - CoreMedia
  - CoreText
  - curl
  - EFI
  - FinderKit
  - FontParser
  - HTTPProtocol
  - Hypervisor
  - iBooks
  - ImageIO
  - Intel Graphics Driver
  - IOATAFamily
  - IOFireWireAVC
  - IOFireWireFamily
  - Kernel
  - Keyboards
  - libarchive
  - libc++abi
  - LibreSSL
  - MCX Client
  - Menus
  - Multi-Touch
  - OpenSSH
  - OpenSSL
  - Printing
  - python
  - QuickTime
  - Security
  - SecurityFoundation
  - sudo
  - System Integrity Protection
  - tcpdump
  - tiffutil
  - WebKit

Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2016-9533 , CVE-2016-9534 , CVE-2016-9535)

Multiple flaws have been discovered in various libtiff tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2015-8870 , CVE-2016-5652 , CVE-2016-9540 , CVE-2016-9537 , CVE-2016-9536)

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

libtiff project reports :

Multiple flaws have been discovered in libtiff library and utilities.

Security Fix(es) :

  - Multiple flaws have been discovered in libtiff. A remote     attacker could exploit these flaws to cause a crash or     memory corruption and, possibly, execute arbitrary code     by tricking an application linked against libtiff into     processing specially crafted files. (CVE-2016-9533,     CVE-2016-9534, CVE-2016-9535)

  - Multiple flaws have been discovered in various libtiff     tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By     tricking a user into processing a specially crafted     file, a remote attacker could exploit these flaws to     cause a crash or memory corruption and, possibly,     execute arbitrary code with the privileges of the user     running the libtiff tool. (CVE-2015-8870, CVE-2016-5652,     CVE-2016-9540, CVE-2016-9537, CVE-2016-9536)

An update for libtiff is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2016-9533, CVE-2016-9534, CVE-2016-9535)

* Multiple flaws have been discovered in various libtiff tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2015-8870, CVE-2016-5652, CVE-2016-9540, CVE-2016-9537, CVE-2016-9536)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix patch for (CVE-2016-5652)

  - Related: #1412078

  - Fix CWE-476 defect found by covscan

  - Related: #1412078

  - Add patches for CVEs :

  - CVE-2016-9533 CVE-2016-9534 (CVE-2016-9535)

  - CVE-2016-9536 CVE-2016-9537 (CVE-2016-9540)

  - (CVE-2016-5652)

  - Resolves: #1412078

From Red Hat Security Advisory 2017:0225 :

An update for libtiff is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files.
(CVE-2016-9533, CVE-2016-9534, CVE-2016-9535)

* Multiple flaws have been discovered in various libtiff tools (tiff2pdf, tiffcrop, tiffcp, bmp2tiff). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2015-8870, CVE-2016-5652, CVE-2016-9540, CVE-2016-9537, CVE-2016-9536)

Numerous security vulnerabilities have been found through fuzzing on various tiff-related binaries. Crafted TIFF images allows remote attacks to cause denial of service or, in certain cases arbitrary code execution through divide-by-zero, out of bunds write, integer and heap overflow.

CVE-2016-3622

The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.

CVE-2016-3623

The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. (Fixed along with CVE-2016-3624.)

CVE-2016-3624

The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the '-v' option to -1.

CVE-2016-3945

Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write.

CVE-2016-3990

Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp.

CVE-2016-9533

tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka 'PixarLog horizontalDifference heap-buffer-overflow.'

CVE-2016-9534

tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka 'TIFFFlushData1 heap-buffer-overflow.'

CVE-2016-9535

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka 'Predictor heap-buffer-overflow.'

CVE-2016-9536

tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip().
Reported as MSVR 35098, aka 't2p_process_jpeg_strip heap-buffer-overflow.'

CVE-2016-9537

tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097.

CVE-2016-9538

tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow.
Reported as MSVR 35100.

CVE-2016-9540

tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka cpStripToTile heap-buffer-overflow.

CVE-2016-10092

heap-buffer-overflow in tiffcrop

CVE-2016-10093 uint32 underflow/overflow that can cause heap-based buffer overflow in tiffcp

CVE-2017-5225

LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.

Bug #846837

heap-based buffer verflow in TIFFFillStrip (tif_read.c)

For Debian 7 'Wheezy', these problems have been fixed in version 4.0.2-6+deb7u9.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools tiff2rgba, rgb2ycbcr, tiffcp, tiffcrop, tiff2pdf and tiffsplit, which may result in denial of service, memory disclosure or the execution of arbitrary code.

There were additional vulnerabilities in the tools bmp2tiff, gif2tiff, thumbnail and ras2tiff, but since these were addressed by the libtiff developers by removing the tools altogether, no patches are available and those tools were also removed from the tiff package in Debian stable. The change had already been made in Debian stretch before and no applications included in Debian are known to rely on these scripts.
If you use those tools in custom setups, consider using a different conversion/thumbnailing tool.

ID	Name	Product	Family	Severity
110803	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:1835-1)	Nessus	SuSE Local Security Checks	high
101417	Virtuozzo 7 : libtiff / libtiff-devel / libtiff-static / etc (VZLSA-2017-0225)	Nessus	Virtuozzo Local Security Checks	high
99889	EulerOS 2.0 SP1 : compat-libtiff3 (EulerOS-SA-2017-1044)	Nessus	Huawei Local Security Checks	high
99888	EulerOS 2.0 SP2 : compat-libtiff3 (EulerOS-SA-2017-1043)	Nessus	Huawei Local Security Checks	high
99866	EulerOS 2.0 SP2 : libtiff (EulerOS-SA-2017-1020)	Nessus	Huawei Local Security Checks	high
99865	EulerOS 2.0 SP1 : libtiff (EulerOS-SA-2017-1019)	Nessus	Huawei Local Security Checks	high
99134	macOS 10.12.x < 10.12.4 Multiple Vulnerabilities (httpoxy)	Nessus	MacOS X Local Security Checks	critical
97554	Amazon Linux AMI : libtiff / compat-libtiff3 (ALAS-2017-802)	Nessus	Amazon Linux Local Security Checks	high
97434	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : tiff vulnerabilities (USN-3212-1)	Nessus	Ubuntu Local Security Checks	high
97035	FreeBSD : tiff -- multiple vulnerabilities (fb74eacc-ec8a-11e6-bc8a-0011d823eebd)	Nessus	FreeBSD Local Security Checks	high
96974	Scientific Linux Security Update : libtiff on SL6.x, SL7.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
96948	RHEL 6 / 7 : libtiff (RHSA-2017:0225)	Nessus	Red Hat Local Security Checks	high
96947	OracleVM 3.3 : libtiff (OVMSA-2017-0037)	Nessus	OracleVM Local Security Checks	high
96946	OracleVM 3.4 : libtiff (OVMSA-2017-0036)	Nessus	OracleVM Local Security Checks	high
96945	Oracle Linux 6 / 7 : libtiff (ELSA-2017-0225)	Nessus	Oracle Linux Local Security Checks	high
96929	CentOS 6 / 7 : libtiff (CESA-2017:0225)	Nessus	CentOS Local Security Checks	high
96704	Debian DLA-795-1 : tiff security update	Nessus	Debian Local Security Checks	high
96495	Debian DSA-3762-1 : tiff - security update	Nessus	Debian Local Security Checks	high

CVE-2016-9540

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins