In LibTIFF 4.0.7, a memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable in tif_ojpeg.c, which allows attackers to cause a denial of service via a crafted file.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In LibTIFF 4.0.7, a memory leak vulnerability was found in the function OJPEGReadHeaderInfoSecTablesQTable     in tif_ojpeg.c, which allows attackers to cause a denial of service via a crafted file. (CVE-2017-9404)

Note that Nessus relies on the presence of the package as reported by the vendor.

According to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service     (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII     or TIFF_SETGET_C32_ASCII tag values.(CVE-2016-9297)

  - There is a heap based buffer overflow in     tools/tiff2pdf.c of LibTIFF 4.0.8 via a     PlanarConfig=Contig image, which causes a more than one     hundred bytes out-of-bounds write (related to the     ZIPDecode function in tif_zip.c). A crafted input may     lead to a remote denial of service attack or an     arbitrary code execution attack.(CVE-2017-11335)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - ChopUpSingleUncompressedStrip in tif_dirread.c in     LibTIFF 4.0.9 allows remote attackers to cause a denial     of service (heap-based buffer overflow and application     crash) or possibly have unspecified other impact via a     crafted TIFF file, as demonstrated by     tiff2pdf.(CVE-2018-15209)

  - newoffsets handling in ChopUpSingleUncompressedStrip in     tif_dirread.c in LibTIFF 4.0.9 allows remote attackers     to cause a denial of service (heap-based buffer     overflow and application crash) or possibly have     unspecified other impact via a crafted TIFF file, as     demonstrated by tiff2pdf. This is a different     vulnerability than CVE-2018-15209.(CVE-2018-16335)

  - In LibTIFF 4.0.9, there is an uncontrolled resource     consumption in the TIFFSetDirectory function of     tif_dir.c. Remote attackers could leverage this     vulnerability to cause a denial of service via a     crafted tif file. This occurs because the declared     number of directory entries is not validated against     the actual number of directory entries.(CVE-2018-5784)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - ** RESERVED ** This candidate has been reserved by an     organization or individual that will use it when     announcing a new security problem. When the candidate     has been publicized, the details for this candidate     will be provided.(CVE-2017-16232)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service (NULL     pointer dereference and crash) by setting the tags     TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values     that access 0-byte arrays. NOTE: this vulnerability     exists because of an incomplete fix for     CVE-2016-9297.(CVE-2016-9448)

  - An out-of-bounds heap read was discovered in libtiff. A     crafted file could cause the application to crash or,     potentially, disclose process memory.(CVE-2016-9297)

  - A heap-based buffer overflow flaw was found within     libtiff's tiff2pdf tool. A remote attacker could     potentially exploit this flaw to execute arbitrary code     by tricking a user into converting a specially crafted     file using the tiff2pdf tool.(CVE-2017-11335)

  - An integer overflow flaw was found in libtiff that     exists in the tif_getimage.c file. This flaw allows an     attacker to inject and execute arbitrary code when a     user opens a crafted TIFF file. The highest threat from     this vulnerability is to confidentiality, integrity, as     well as system availability.(CVE-2020-35523)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A heap-based buffer overflow flaw was found in libtiff     in the handling of TIFF images in libtiff's TIFF2PDF     tool. A specially crafted TIFF file can lead to     arbitrary code execution. The highest threat from this     vulnerability is to confidentiality, integrity, as well     as system availability.(CVE-2020-35524)

  - An integer overflow flaw was found in libtiff that     exists in the tif_getimage.c file. This flaw allows an     attacker to inject and execute arbitrary code when a     user opens a crafted TIFF file. The highest threat from     this vulnerability is to confidentiality, integrity, as     well as system availability.(CVE-2020-35523)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - In LibTIFF 4.0.7, the program processes BMP images     without verifying that biWidth and biHeight in the     bitmap-information header match the actual input,     leading to a heap-based buffer over-read in     bmp2tiff.(CVE-2017-9117)

  - LibTIFF version 4.0.7 is vulnerable to a heap-based     buffer over-read in tif_lzw.c resulting in DoS or code     execution via a crafted bmp image to     tools/bmp2tiff.(CVE-2017-5563)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the compat-libtiff3 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - LibTIFF 4.0.8 has multiple memory leak vulnerabilities,     which allow attackers to cause a denial of service     (memory consumption), as demonstrated by tif_open.c,     tif_lzw.c, and tif_aux.c. NOTE: Third parties were     unable to reproduce the issue.(CVE-2017-16232)

  - An integer overflow flaw was found in libtiff that     exists in the tif_getimage.c file. This flaw allows an     attacker to inject and execute arbitrary code when a     user opens a crafted TIFF file. The highest threat from     this vulnerability is to confidentiality, integrity, as     well as system availability.(CVE-2020-35523)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service     (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII     or TIFF_SETGET_C32_ASCII tag values.(CVE-2016-9297)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service (NULL     pointer dereference and crash) by setting the tags     TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values     that access 0-byte arrays. NOTE: this vulnerability     exists because of an incomplete fix for     CVE-2016-9297.(CVE-2016-9448)

  - ** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak     vulnerabilities, which allow attackers to cause a     denial of service (memory consumption), as demonstrated     by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third     parties were unable to reproduce the     issue.(CVE-2017-16232)

  - There is a heap based buffer overflow in     tools/tiff2pdf.c of LibTIFF 4.0.8 via a     PlanarConfig=Contig image, which causes a more than one     hundred bytes out-of-bounds write (related to the     ZIPDecode function in tif_zip.c). A crafted input may     lead to a remote denial of service attack or an     arbitrary code execution attack.(CVE-2017-11335)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - There is a heap based buffer overflow in     tools/tiff2pdf.c of LibTIFF 4.0.8 via a     PlanarConfig=Contig image, which causes a more than one     hundred bytes out-of-bounds write (related to the     ZIPDecode function in tif_zip.c). A crafted input may     lead to a remote denial of service attack or an     arbitrary code execution attack.(CVE-2017-11335)

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service     (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII     or TIFF_SETGET_C32_ASCII tag values.(CVE-2016-9297)

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service (NULL     pointer dereference and crash) by setting the tags     TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values     that access 0-byte arrays. NOTE: this vulnerability     exists because of an incomplete fix for     CVE-2016-9297.(CVE-2016-9448)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - LibTIFF 4.0.8 has multiple memory leak vulnerabilities,     which allow attackers to cause a denial of service     (memory consumption), as demonstrated by tif_open.c,     tif_lzw.c, and tif_aux.c. NOTE: Third parties were     unable to reproduce the issue.(CVE-2017-16232)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service     (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII     or TIFF_SETGET_C32_ASCII tag values.(CVE-2016-9297)

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service (NULL     pointer dereference and crash) by setting the tags     TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values     that access 0-byte arrays. NOTE: this vulnerability     exists because of an incomplete fix for     CVE-2016-9297.(CVE-2016-9448)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - There is a heap based buffer overflow in     tools/tiff2pdf.c of LibTIFF 4.0.8 via a     PlanarConfig=Contig image, which causes a more than one     hundred bytes out-of-bounds write (related to the     ZIPDecode function in tif_zip.c). A crafted input may     lead to a remote denial of service attack or an     arbitrary code execution attack.(CVE-2017-11335)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the compat-libtiff3 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - tools/tiffcrop.c in LibTIFF 4.0.7 allows remote     attackers to cause a denial of service (heap-based     buffer over-read and buffer overflow) or possibly have     unspecified other impact via a crafted TIFF image,     related to 'READ of size 1' and     libtiff/tif_fax3.c:413:13.(CVE-2016-10271)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - LibTIFF 4.0.8 has multiple memory leak vulnerabilities,     which allow attackers to cause a denial of service     (memory consumption), as demonstrated by tif_open.c,     tif_lzw.c, and tif_aux.c. NOTE: Third parties were     unable to reproduce the issue.(CVE-2017-16232)

  - There is a heap based buffer overflow in     tools/tiff2pdf.c of LibTIFF 4.0.8 via a     PlanarConfig=Contig image, which causes a more than one     hundred bytes out-of-bounds write (related to the     ZIPDecode function in tif_zip.c). A crafted input may     lead to a remote denial of service attack or an     arbitrary code execution attack.(CVE-2017-11335)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the compat-libtiff3 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - There is a heap based buffer overflow in     tools/tiff2pdf.c of LibTIFF 4.0.8 via a     PlanarConfig=Contig image, which causes a more than one     hundred bytes out-of-bounds write (related to the     ZIPDecode function in tif_zip.c). A crafted input may     lead to a remote denial of service attack or an     arbitrary code execution attack.(CVE-2017-11335)

  - tools/tiffcrop.c in LibTIFF 4.0.7 allows remote     attackers to cause a denial of service (heap-based     buffer over-read and buffer overflow) or possibly have     unspecified other impact via a crafted TIFF image,     related to 'READ of size 1' and     libtiff/tif_fax3.c:413:13.(CVE-2016-10271)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - LibTIFF 4.0.8 has multiple memory leak vulnerabilities,     which allow attackers to cause a denial of service     (memory consumption), as demonstrated by tif_open.c,     tif_lzw.c, and tif_aux.c. NOTE: Third parties were     unable to reproduce the issue.(CVE-2017-16232)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - There is a heap based buffer overflow in     tools/tiff2pdf.c of LibTIFF 4.0.8 via a     PlanarConfig=Contig image, which causes a more than one     hundred bytes out-of-bounds write (related to the     ZIPDecode function in tif_zip.c). A crafted input may     lead to a remote denial of service attack or an     arbitrary code execution attack.(CVE-2017-11335)

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service     (out-of-bounds read) via crafted TIFF_SETGET_C16ASCII     or TIFF_SETGET_C32_ASCII tag values.(CVE-2016-9297)

  - The TIFFFetchNormalTag function in LibTiff 4.0.6 allows     remote attackers to cause a denial of service (NULL     pointer dereference and crash) by setting the tags     TIFF_SETGET_C16ASCII or TIFF_SETGET_C32_ASCII to values     that access 0-byte arrays. NOTE: this vulnerability     exists because of an incomplete fix for     CVE-2016-9297.(CVE-2016-9448)

  - In LibTIFF 4.0.7, a memory leak vulnerability was found     in the function OJPEGReadHeaderInfoSecTablesQTable in     tif_ojpeg.c, which allows attackers to cause a denial     of service via a crafted file.(CVE-2017-9404)

  - LibTIFF 4.0.8 has multiple memory leak vulnerabilities,     which allow attackers to cause a denial of service     (memory consumption), as demonstrated by tif_open.c,     tif_lzw.c, and tif_aux.c. NOTE: Third parties were     unable to reproduce the issue.(CVE-2017-16232)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3602-1 advisory.

    It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system     were tricked into opening a specially crafted image, a remote attacker could crash the application,     leading to a denial of service, or possibly execute arbitrary code with user privileges.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for tiff to version 4.0.8 fixes a several bugs and security issues :

These security issues were fixed :

  - CVE-2017-7595: The JPEGSetupEncode function allowed     remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted image (bsc#1033127).

  - CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational     function allowed remote attackers to cause a denial of     service (assertion failure and application exit) via a     crafted TIFF file (bsc#1038438).

  - CVE-2017-7598: Error in tif_dirread.c allowed remote     attackers to cause a denial of service (divide-by-zero     error and application crash) via a crafted image     (bsc#1033118).

  - CVE-2017-7596: Undefined behavior because of floats     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033126).

  - CVE-2017-7597: Undefined behavior because of floats     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033120).

  - CVE-2017-7599: Undefined behavior because of shorts     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033113).

  - CVE-2017-7600: Undefined behavior because of chars     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033112).

  - CVE-2017-7601: Because of a shift exponent too large for     64-bit type long undefined behavior was caused, which     allowed remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image (bsc#1033111).

  - CVE-2017-7602: Prevent signed integer overflow, which     allowed remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image (bsc#1033109).

  - CVE-2017-7592: The putagreytile function had a     left-shift undefined behavior issue, which might allowed     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image (bsc#1033131).

  - CVE-2017-7593: Ensure that tif_rawdata is properly     initialized, to prevent remote attackers to obtain     sensitive information from process memory via a crafted     image (bsc#1033129).

  - CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable     function allowed remote attackers to cause a denial of     service (memory leak) via a crafted image (bsc#1033128).

  - CVE-2017-9403: Prevent memory leak in function     TIFFReadDirEntryLong8Array, which allowed attackers to     cause a denial of service via a crafted file     (bsc#1042805).

  - CVE-2017-9404: Fixed memory leak vulnerability in     function OJPEGReadHeaderInfoSecTablesQTable, which     allowed attackers to cause a denial of service via a     crafted file (bsc#1042804).

These various other issues were fixed :

  - Fix uint32 overflow in TIFFReadEncodedStrip() that     caused an integer division by zero. Reported by Agostino     Sarubbo.

  - fix heap-based buffer overflow on generation of PixarLog     / LUV compressed files, with ColorMap, TransferFunction     attached and nasty plays with bitspersample. The fix for     LUV has not been tested, but suffers from the same kind     of issue of PixarLog.

  - modify ChopUpSingleUncompressedStrip() to instanciate     compute ntrips as TIFFhowmany_32(td->td_imagelength,     rowsperstrip), instead of a logic based on the total     size of data. Which is faulty is the total size of data     is not sufficient to fill the whole image, and thus     results in reading outside of the     StripByCounts/StripOffsets arrays when using     TIFFReadScanline()

  - make OJPEGDecode() early exit in case of failure in     OJPEGPreDecode(). This will avoid a divide by zero, and     potential other issues.

  - fix misleading indentation as warned by GCC.

  - revert change done on 2016-01-09 that made Param member     of TIFFFaxTabEnt structure a uint16 to reduce size of     the binary. It happens that the Hylafax software uses     the tables that follow this typedef (TIFFFaxMainTable,     TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are     not in a public libtiff header.

  - add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt()     variants of the functions without ext, with an extra     argument to control the stop_on_error behaviour.

  - fix potential memory leaks in error code path of     TIFFRGBAImageBegin().

  - increase libjpeg max memory usable to 10 MB instead of     libjpeg 1MB default. This helps when creating files with     'big' tile, without using libjpeg temporary files.

  - add _TIFFcalloc()

  - return 0 in Encode functions instead of -1 when     TIFFFlushData1() fails.

  - only run JPEGFixupTagsSubsampling() if the     YCbCrSubsampling tag is not explicitly present. This     helps a bit to reduce the I/O amount when the tag is     present (especially on cloud hosted files).

  - in LZWPostEncode(), increase, if necessary, the code     bit-width after flushing the remaining code and before     emitting the EOI code.

  - fix memory leak in error code path of     PixarLogSetupDecode().

  - fix potential memory leak in     OJPEGReadHeaderInfoSecTablesQTable,     OJPEGReadHeaderInfoSecTablesDcTable and     OJPEGReadHeaderInfoSecTablesAcTable

  - avoid crash in Fax3Close() on empty file.

  - TIFFFillStrip(): add limitation to the number of bytes     read in case td_stripbytecount[strip] is bigger than     reasonable, so as to avoid excessive memory allocation.

  - fix memory leak when the underlying codec (ZIP,     PixarLog) succeeds its setupdecode() method, but     PredictorSetup fails.

  - TIFFFillStrip() and TIFFFillTile(): avoid excessive     memory allocation in case of shorten files. Only     effective on 64 bit builds and non-mapped cases.

  - TIFFFillStripPartial() / TIFFSeek(), avoid potential     integer overflows with read_ahead in     CHUNKY_STRIP_READ_SUPPORT mode.

  - avoid excessive memory allocation in case of shorten     files. Only effective on 64 bit builds.

  - update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with     tif_rawdataloaded when calling TIFFStartStrip() or     TIFFFillStripPartial(). 

  - avoid potential int32 overflow in TIFFYCbCrToRGBInit()     Fixes

  - avoid potential int32 overflows in multiply_ms() and     add_ms().

  - fix out-of-buffer read in PackBitsDecode() Fixes

  - LogL16InitState(): avoid excessive memory allocation     when RowsPerStrip tag is missing.

  - update dec_bitsleft at beginning of LZWDecode(), and     update tif_rawcc at end of LZWDecode(). This is needed     to properly work with the latest chnges in tif_read.c in     CHUNKY_STRIP_READ_SUPPORT mode.

  - PixarLogDecode(): resync tif_rawcp with next_in and     tif_rawcc with avail_in at beginning and end of     function, similarly to what is done in LZWDecode().
    Likely needed so that it works properly with latest     chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.

  - initYCbCrConversion(): add basic validation of luma and     refBlackWhite coefficients (just check they are not NaN     for now), to avoid potential float to int overflows.

  - _TIFFVSetField(): fix outside range cast of double to     float.

  - initYCbCrConversion(): check luma[1] is not zero to     avoid division by zero

  - _TIFFVSetField(): fix outside range cast of double to     float.

  - initYCbCrConversion(): check luma[1] is not zero to     avoid division by zero.

  - initYCbCrConversion(): stricter validation for     refBlackWhite coefficients values.

  - avoid uint32 underflow in cpDecodedStrips that can cause     various issues, such as buffer overflows in the library.

  - fix readContigStripsIntoBuffer() in -i (ignore) mode so     that the output buffer is correctly incremented to avoid     write outside bounds.

  - add 3 extra bytes at end of strip buffer in     readSeparateStripsIntoBuffer() to avoid read outside of     heap allocated buffer.

  - fix integer division by zero when BitsPerSample is     missing.

  - fix NULL pointer dereference in -r mode when the image     has no StripByteCount tag.

  - avoid potential division by zero is BitsPerSamples tag     is missing.

  - when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,     limit the return number of inks to SamplesPerPixel, so     that code that parses ink names doesn't go past the end     of the buffer.

  - avoid potential division by zero is BitsPerSamples tag     is missing.

  - fix uint32 underflow/overflow that can cause heap-based     buffer overflow.

  - replace assert( (bps % 8) == 0 ) by a non assert check.

  - fix 2 heap-based buffer overflows (in PSDataBW and     PSDataColorContig).

  - prevent heap-based buffer overflow in -j mode on a     paletted image.

  - fix wrong usage of memcpy() that can trigger unspecified     behaviour.

  - avoid potential invalid memory read in t2p_writeproc.

  - avoid potential heap-based overflow in     t2p_readwrite_pdf_image_tile().

  - remove extraneous TIFFClose() in error code path, that     caused double free.

  - error out cleanly in cpContig2SeparateByRow and     cpSeparate2ContigByRow if BitsPerSample != 8 to avoid     heap based overflow.

  - avoid integer division by zero.

  - call TIFFClose() in error code paths.

  - emit appropriate message if the input file is empty.

  - close TIFF handle in error code path.

This update was imported from the SUSE:SLE-12:Update update project.

This update for tiff to version 4.0.8 fixes a several bugs and security issues: These security issues were fixed :

  - CVE-2017-7595: The JPEGSetupEncode function allowed     remote attackers to cause a denial of service     (divide-by-zero error and application crash) via a     crafted image (bsc#1033127).

  - CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational     function allowed remote attackers to cause a denial of     service (assertion failure and application exit) via a     crafted TIFF file (bsc#1038438).

  - CVE-2017-7598: Error in tif_dirread.c allowed remote     attackers to cause a denial of service (divide-by-zero     error and application crash) via a crafted image     (bsc#1033118).

  - CVE-2017-7596: Undefined behavior because of floats     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033126).

  - CVE-2017-7597: Undefined behavior because of floats     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033120).

  - CVE-2017-7599: Undefined behavior because of shorts     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033113).

  - CVE-2017-7600: Undefined behavior because of chars     outside their expected value range, which allowed remote     attackers to cause a denial of service (application     crash) or possibly have unspecified other impact via a     crafted image (bsc#1033112).

  - CVE-2017-7601: Because of a shift exponent too large for     64-bit type long undefined behavior was caused, which     allowed remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image (bsc#1033111).

  - CVE-2017-7602: Prevent signed integer overflow, which     allowed remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image (bsc#1033109).

  - CVE-2017-7592: The putagreytile function had a     left-shift undefined behavior issue, which might allowed     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image (bsc#1033131).

  - CVE-2017-7593: Ensure that tif_rawdata is properly     initialized, to prevent remote attackers to obtain     sensitive information from process memory via a crafted     image (bsc#1033129).

  - CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable     function allowed remote attackers to cause a denial of     service (memory leak) via a crafted image (bsc#1033128).

  - CVE-2017-9403: Prevent memory leak in function     TIFFReadDirEntryLong8Array, which allowed attackers to     cause a denial of service via a crafted file     (bsc#1042805).

  - CVE-2017-9404: Fixed memory leak vulnerability in     function OJPEGReadHeaderInfoSecTablesQTable, which     allowed attackers to cause a denial of service via a     crafted file (bsc#1042804). These various other issues     were fixed :

  - Fix uint32 overflow in TIFFReadEncodedStrip() that     caused an integer division by zero. Reported by Agostino     Sarubbo.

  - fix heap-based buffer overflow on generation of PixarLog     / LUV compressed files, with ColorMap, TransferFunction     attached and nasty plays with bitspersample. The fix for     LUV has not been tested, but suffers from the same kind     of issue of PixarLog.

  - modify ChopUpSingleUncompressedStrip() to instanciate     compute ntrips as TIFFhowmany_32(td->td_imagelength,     rowsperstrip), instead of a logic based on the total     size of data. Which is faulty is the total size of data     is not sufficient to fill the whole image, and thus     results in reading outside of the     StripByCounts/StripOffsets arrays when using     TIFFReadScanline()

  - make OJPEGDecode() early exit in case of failure in     OJPEGPreDecode(). This will avoid a divide by zero, and     potential other issues.

  - fix misleading indentation as warned by GCC.

  - revert change done on 2016-01-09 that made Param member     of TIFFFaxTabEnt structure a uint16 to reduce size of     the binary. It happens that the Hylafax software uses     the tables that follow this typedef (TIFFFaxMainTable,     TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are     not in a public libtiff header.

  - add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt()     variants of the functions without ext, with an extra     argument to control the stop_on_error behaviour.

  - fix potential memory leaks in error code path of     TIFFRGBAImageBegin().

  - increase libjpeg max memory usable to 10 MB instead of     libjpeg 1MB default. This helps when creating files with     'big' tile, without using libjpeg temporary files.

  - add _TIFFcalloc()

  - return 0 in Encode functions instead of -1 when     TIFFFlushData1() fails.

  - only run JPEGFixupTagsSubsampling() if the     YCbCrSubsampling tag is not explicitly present. This     helps a bit to reduce the I/O amount when the tag is     present (especially on cloud hosted files).

  - in LZWPostEncode(), increase, if necessary, the code     bit-width after flushing the remaining code and before     emitting the EOI code.

  - fix memory leak in error code path of     PixarLogSetupDecode().

  - fix potential memory leak in     OJPEGReadHeaderInfoSecTablesQTable,     OJPEGReadHeaderInfoSecTablesDcTable and     OJPEGReadHeaderInfoSecTablesAcTable

  - avoid crash in Fax3Close() on empty file.

  - TIFFFillStrip(): add limitation to the number of bytes     read in case td_stripbytecount[strip] is bigger than     reasonable, so as to avoid excessive memory allocation.

  - fix memory leak when the underlying codec (ZIP,     PixarLog) succeeds its setupdecode() method, but     PredictorSetup fails.

  - TIFFFillStrip() and TIFFFillTile(): avoid excessive     memory allocation in case of shorten files. Only     effective on 64 bit builds and non-mapped cases.

  - TIFFFillStripPartial() / TIFFSeek(), avoid potential     integer overflows with read_ahead in     CHUNKY_STRIP_READ_SUPPORT mode.

  - avoid excessive memory allocation in case of shorten     files. Only effective on 64 bit builds.

  - update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with     tif_rawdataloaded when calling TIFFStartStrip() or     TIFFFillStripPartial().

  - avoid potential int32 overflow in TIFFYCbCrToRGBInit()     Fixes

  - avoid potential int32 overflows in multiply_ms() and     add_ms().

  - fix out-of-buffer read in PackBitsDecode() Fixes

  - LogL16InitState(): avoid excessive memory allocation     when RowsPerStrip tag is missing.

  - update dec_bitsleft at beginning of LZWDecode(), and     update tif_rawcc at end of LZWDecode(). This is needed     to properly work with the latest chnges in tif_read.c in     CHUNKY_STRIP_READ_SUPPORT mode.

  - PixarLogDecode(): resync tif_rawcp with next_in and     tif_rawcc with avail_in at beginning and end of     function, similarly to what is done in LZWDecode().
    Likely needed so that it works properly with latest     chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.

  - initYCbCrConversion(): add basic validation of luma and     refBlackWhite coefficients (just check they are not NaN     for now), to avoid potential float to int overflows.

  - _TIFFVSetField(): fix outside range cast of double to     float.

  - initYCbCrConversion(): check luma[1] is not zero to     avoid division by zero

  - _TIFFVSetField(): fix outside range cast of double to     float.

  - initYCbCrConversion(): check luma[1] is not zero to     avoid division by zero.

  - initYCbCrConversion(): stricter validation for     refBlackWhite coefficients values.

  - avoid uint32 underflow in cpDecodedStrips that can cause     various issues, such as buffer overflows in the library.

  - fix readContigStripsIntoBuffer() in -i (ignore) mode so     that the output buffer is correctly incremented to avoid     write outside bounds.

  - add 3 extra bytes at end of strip buffer in     readSeparateStripsIntoBuffer() to avoid read outside of     heap allocated buffer.

  - fix integer division by zero when BitsPerSample is     missing.

  - fix NULL pointer dereference in -r mode when the image     has no StripByteCount tag.

  - avoid potential division by zero is BitsPerSamples tag     is missing.

  - when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,     limit the return number of inks to SamplesPerPixel, so     that code that parses ink names doesn't go past the end     of the buffer.

  - avoid potential division by zero is BitsPerSamples tag     is missing.

  - fix uint32 underflow/overflow that can cause heap-based     buffer overflow.

  - replace assert( (bps % 8) == 0 ) by a non assert check.

  - fix 2 heap-based buffer overflows (in PSDataBW and     PSDataColorContig).

  - prevent heap-based buffer overflow in -j mode on a     paletted image.

  - fix wrong usage of memcpy() that can trigger unspecified     behaviour.

  - avoid potential invalid memory read in t2p_writeproc.

  - avoid potential heap-based overflow in     t2p_readwrite_pdf_image_tile().

  - remove extraneous TIFFClose() in error code path, that     caused double free.

  - error out cleanly in cpContig2SeparateByRow and     cpSeparate2ContigByRow if BitsPerSample != 8 to avoid     heap based overflow.

  - avoid integer division by zero.

  - call TIFFClose() in error code paths.

  - emit appropriate message if the input file is empty.

  - close TIFF handle in error code path.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.

tiff was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for
_TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches by the upstream provided patches to stay closer to upstream.

For Debian 7 'Wheezy', these problems have been fixed in version 4.0.2-6+deb7u14.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

tiff3 was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for
_TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches by the upstream provided patches to stay closer to upstream.

For Debian 7 'Wheezy', these problems have been fixed in version 3.9.6-11+deb7u6.

We recommend that you upgrade your tiff3 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
221328	Linux Distros Unpatched Vulnerability : CVE-2017-9404	Nessus	Misc.	medium
151389	EulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2021-2145)	Nessus	Huawei Local Security Checks	high
151343	EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2021-2119)	Nessus	Huawei Local Security Checks	high
149117	EulerOS 2.0 SP3 : libtiff (EulerOS-SA-2021-1813)	Nessus	Huawei Local Security Checks	critical
149107	EulerOS 2.0 SP3 : compat-libtiff3 (EulerOS-SA-2021-1770)	Nessus	Huawei Local Security Checks	high
147566	EulerOS Virtualization 3.0.2.6 : libtiff (EulerOS-SA-2021-1439)	Nessus	Huawei Local Security Checks	high
147129	EulerOS Virtualization 3.0.6.6 : libtiff (EulerOS-SA-2021-1492)	Nessus	Huawei Local Security Checks	high
146709	EulerOS 2.0 SP2 : libtiff (EulerOS-SA-2021-1320)	Nessus	Huawei Local Security Checks	high
146680	EulerOS 2.0 SP2 : compat-libtiff3 (EulerOS-SA-2021-1285)	Nessus	Huawei Local Security Checks	high
146160	EulerOS 2.0 SP5 : compat-libtiff3 (EulerOS-SA-2021-1184)	Nessus	Huawei Local Security Checks	high
146131	EulerOS 2.0 SP5 : libtiff (EulerOS-SA-2021-1207)	Nessus	Huawei Local Security Checks	high
108513	Ubuntu 14.04 LTS / 16.04 LTS : LibTIFF vulnerabilities (USN-3602-1)	Nessus	Ubuntu Local Security Checks	high
103658	openSUSE Security Update : tiff (openSUSE-2017-1118)	Nessus	SuSE Local Security Checks	high
103503	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2017:2569-1)	Nessus	SuSE Local Security Checks	high
101241	Debian DSA-3903-1 : tiff - security update	Nessus	Debian Local Security Checks	high
100772	Debian DLA-984-1 : tiff security update	Nessus	Debian Local Security Checks	medium
100771	Debian DLA-983-1 : tiff3 security update	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2017-9404

medium

Tenable Plugins

medium

high

high

critical

high

high

high

high

high

high

high

high

high

high

high

medium

medium