99977

https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f

[debian-lts-announce] 20180531 [SECURITY] [DLA 1391-1] tiff security update

[debian-lts-announce] 20180702 [SECURITY] [DLA 1411-1] tiff security update

USN-3606-1

DSA-4349

This update for tiff fixes the following security issues :

These security issues were fixed :

  - CVE-2017-18013: Fixed a NULL pointer dereference in the     tif_print.cTIFFPrintDirectory function that could have     lead to denial of service (bsc#1074317).

  - CVE-2018-10963: Fixed an assertion failure in the     TIFFWriteDirectorySec() function in tif_dirwrite.c,     which allowed remote attackers to cause a denial of     service via a crafted file (bsc#1092949).

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825).

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332).

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408).

This update was imported from the SUSE:SLE-15:Update update project.

An update of the libtiff package has been released.

Fix for **CVE-2017-11613**.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following security issues: These security issues were fixed :

  - CVE-2017-18013: Fixed a NULL pointer dereference in the     tif_print.cTIFFPrintDirectory function that could have     lead to denial of service (bsc#1074317).

  - CVE-2018-10963: Fixed an assertion failure in the     TIFFWriteDirectorySec() function in tif_dirwrite.c,     which allowed remote attackers to cause a denial of     service via a crafted file (bsc#1092949).

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825).

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332).

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

This update for tiff fixes the following issues :

CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
(bsc#1108637)

CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)

CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
(bsc#1110358)

CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
(bsc#1106853)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

  - CVE-2018-17100: There is a int32 overflow in multiply_ms     in tools/ppm2tiff.c, which can cause a denial of service     (crash) or possibly have unspecified other impact via a     crafted image file. (bsc#1108637)

  - CVE-2018-17101: There are two out-of-bounds writes in     cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     image file. (bsc#1108627)

  - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c     allowed remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     TIFF file, a similar issue to CVE-2017-9935.
    (bsc#1110358)

  - CVE-2018-16335: newoffsets handling in     ChopUpSingleUncompressedStrip in tif_dirread.c allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     TIFF file, as demonstrated by tiff2pdf. This is a     different vulnerability than CVE-2018-15209.
    (bsc#1106853)

This update was imported from the SUSE:SLE-12:Update update project.

An update of {'openjdk8', 'httpd', 'librelp', 'zsh', 'libvirt', 'libtiff'} packages of Photon OS has been released.

Several issues were discovered in TIFF, the Tag Image File Format library, that allowed remote attackers to cause a denial of service or other unspecified impact via a crafted image file.

CVE-2017-11613: DoS vulnerability A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the
_TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer.

CVE-2018-10963: DoS vulnerability The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.

CVE-2018-5784: DoS vulnerability In LibTIFF, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c.
Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.

CVE-2018-7456: NULL pointer Dereference A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)

CVE-2018-8905: Heap-based buffer overflow In LibTIFF, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.

For Debian 8 'Jessie', these problems have been fixed in version 4.0.3-12.3+deb8u6.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following security issues :

  - CVE-2017-5225: Prevent heap buffer overflow in the     tools/tiffcp that could have caused DoS or code     execution via a crafted BitsPerSample value     (bsc#1019611)

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825)

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332)

  - CVE-2016-10266: Prevent remote attackers to cause a     denial of service (divide-by-zero error and application     crash) via a crafted TIFF image, related to     libtiff/tif_read.c:351:22 (bsc#1031263)

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408)

  - CVE-2016-9540: Prevent out-of-bounds write on tiled     images with odd tile width versus image width     (bsc#1011839).

  - CVE-2016-9535: tif_predict.h and tif_predict.c had     assertions that could have lead to assertion failures in     debug mode, or buffer overflows in release mode, when     dealing with unusual tile size like YCbCr with     subsampling (bsc#1011846).

  - CVE-2016-9535: tif_predict.h and tif_predict.c had     assertions that could have lead to assertion failures in     debug mode, or buffer overflows in release mode, when     dealing with unusual tile size like YCbCr with     subsampling (bsc#1011846).

  - Removed assert in readSeparateTilesIntoBuffer() function     (bsc#1017689).

  - CVE-2016-10095: Prevent stack-based buffer overflow in     the _TIFFVGetField function that allowed remote     attackers to cause a denial of service (crash) via a     crafted TIFF file (bsc#1017690).

  - CVE-2016-8331: Prevent remote code execution because of     incorrect handling of TIFF images. A crafted TIFF     document could have lead to a type confusion     vulnerability resulting in remote code execution. This     vulnerability could have been be triggered via a TIFF     file delivered to the application using LibTIFF's tag     extension functionality (bsc#1007276).

  - CVE-2016-3632: The _TIFFVGetField function allowed     remote attackers to cause a denial of service     (out-of-bounds write) or execute arbitrary code via a     crafted TIFF image (bsc#974621).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

These security issues were fixed :

  - CVE-2017-18013: There was a NULL pointer Dereference in     the tif_print.c TIFFPrintDirectory function, as     demonstrated by a tiffinfo crash. (bsc#1074317)

  - CVE-2018-10963: The TIFFWriteDirectorySec() function in     tif_dirwrite.c allowed remote attackers to cause a     denial of service (assertion failure and application     crash) via a crafted file, a different vulnerability     than CVE-2017-13726. (bsc#1092949)

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825)

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332)

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408)

  - CVE-2016-8331: Prevent remote code execution because of     incorrect handling of TIFF images. A crafted TIFF     document could have lead to a type confusion     vulnerability resulting in remote code execution. This     vulnerability could have been be triggered via a TIFF     file delivered to the application using LibTIFF's tag     extension functionality (bsc#1007276)

  - CVE-2016-3632: The _TIFFVGetField function allowed     remote attackers to cause a denial of service     (out-of-bounds write) or execute arbitrary code via a     crafted TIFF image (bsc#974621)

This update was imported from the SUSE:SLE-12:Update update project.

This update for tiff fixes the following issues: These security issues were fixed :

  - CVE-2017-18013: There was a NULL pointer Dereference in     the tif_print.c TIFFPrintDirectory function, as     demonstrated by a tiffinfo crash. (bsc#1074317)

  - CVE-2018-10963: The TIFFWriteDirectorySec() function in     tif_dirwrite.c allowed remote attackers to cause a     denial of service (assertion failure and application     crash) via a crafted file, a different vulnerability     than CVE-2017-13726. (bsc#1092949)

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825)

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332)

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408)

  - CVE-2016-8331: Prevent remote code execution because of     incorrect handling of TIFF images. A crafted TIFF     document could have lead to a type confusion     vulnerability resulting in remote code execution. This     vulnerability could have been be triggered via a TIFF     file delivered to the application using LibTIFF's tag     extension functionality (bsc#1007276)

  - CVE-2016-3632: The _TIFFVGetField function allowed     remote attackers to cause a denial of service     (out-of-bounds write) or execute arbitrary code via a     crafted TIFF image (bsc#974621)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service :

CVE-2017-11613

Ddenial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack and can either make the system hand or trigger the OOM killer.

CVE-2018-5784

There is an uncontrolled resource consumption in TIFFSetDirectory function of src/libtiff/tif_dir.c, which can cause denial of service through a crafted tif file.

For Debian 7 'Wheezy', these problems have been fixed in version 4.0.2-6+deb7u21.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
123213	openSUSE Security Update : tiff (openSUSE-2019-508)	Nessus	SuSE Local Security Checks	medium
121936	Photon OS 2.0: Libtiff PHSA-2018-2.0-0039	Nessus	PhotonOS Local Security Checks	high
120346	Fedora 28 : libtiff (2018-35d435f362)	Nessus	Fedora Local Security Checks	medium
120035	SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:1889-1)	Nessus	SuSE Local Security Checks	medium
119314	Debian DSA-4349-1 : tiff - security update	Nessus	Debian Local Security Checks	medium
118391	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:3391-1)	Nessus	SuSE Local Security Checks	medium
118384	openSUSE Security Update : tiff (openSUSE-2018-1249)	Nessus	SuSE Local Security Checks	medium
118321	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:3289-1)	Nessus	SuSE Local Security Checks	medium
111298	Photon OS 2.0 : openjdk8 / httpd / librelp / zsh / libvirt (PhotonOS-PHSA-2018-2.0-0039) (deprecated)	Nessus	PhotonOS Local Security Checks	high
111099	openSUSE Security Update : tiff (openSUSE-2018-728)	Nessus	SuSE Local Security Checks	medium
110840	Debian DLA-1411-1 : tiff security update	Nessus	Debian Local Security Checks	medium
110803	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:1835-1)	Nessus	SuSE Local Security Checks	high
110802	openSUSE Security Update : tiff (openSUSE-2018-677)	Nessus	SuSE Local Security Checks	medium
110763	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:1826-1)	Nessus	SuSE Local Security Checks	medium
110576	Fedora 27 : libtiff (2018-9e0a37e7a2)	Nessus	Fedora Local Security Checks	medium
110313	Debian DLA-1391-1 : tiff security update	Nessus	Debian Local Security Checks	medium
108657	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : tiff vulnerabilities (USN-3606-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2017-11613

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins