http://bugzilla.maptools.org/show_bug.cgi?id=2704

99296

[debian-lts-announce] 20171213 [SECURITY] [DLA 1206-1] tiff security update

USN-3606-1

DSA-4100

This update for tiff fixes the following issues :

Security issue fixed :

  - CVE-2018-10779: TIFFWriteScanline in tif_write.c had a     heap-based buffer over-read, as demonstrated by     bmp2tiff.(bsc#1092480)

  - CVE-2018-17100: There is a int32 overflow in multiply_ms     in tools/ppm2tiff.c, which can cause a denial of service     (crash) or possibly have unspecified other impact via a     crafted image file. (bsc#1108637)

  - CVE-2018-17101: There are two out-of-bounds writes in     cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     image file. (bsc#1108627)

  - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c     allowed remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     TIFF file, a similar issue to CVE-2017-9935.
    (bsc#1110358)

  - CVE-2018-16335: newoffsets handling in     ChopUpSingleUncompressedStrip in tif_dirread.c allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     TIFF file, as demonstrated by tiff2pdf. This is a     different vulnerability than CVE-2018-15209.
    (bsc#1106853)

This update was imported from the SUSE:SLE-15:Update update project.

An update of the libtiff package has been released.

Added fixes for :

  - **CVE-2017-9935**

  - **CVE-2017-18013**

  - **CVE-2018-8905**

  - **CVE-2018-10963**

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issue fixed :

CVE-2018-10779: TIFFWriteScanline in tif_write.c had a heap-based buffer over-read, as demonstrated by bmp2tiff.(bsc#1092480)

CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
(bsc#1108637)

CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)

CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
(bsc#1110358)

CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
(bsc#1106853)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.
(bsc#1108637)

CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627)

CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
(bsc#1110358)

CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209.
(bsc#1106853)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

  - CVE-2018-17100: There is a int32 overflow in multiply_ms     in tools/ppm2tiff.c, which can cause a denial of service     (crash) or possibly have unspecified other impact via a     crafted image file. (bsc#1108637)

  - CVE-2018-17101: There are two out-of-bounds writes in     cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     image file. (bsc#1108627)

  - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c     allowed remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     TIFF file, a similar issue to CVE-2017-9935.
    (bsc#1110358)

  - CVE-2018-16335: newoffsets handling in     ChopUpSingleUncompressedStrip in tif_dirread.c allowed     remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     TIFF file, as demonstrated by tiff2pdf. This is a     different vulnerability than CVE-2018-15209.
    (bsc#1106853)

This update was imported from the SUSE:SLE-12:Update update project.

An update of 'krb5', 'libjpeg-turbo', 'libtiff' packages of Photon OS has been released.

An update of {'linux', 'curl', 'binutils', 'postgresql', 'libtiff'} packages of Photon OS has been released.

This update for tiff fixes the following issues :

  - CVE-2017-9935: There was a heap-based buffer overflow in     the t2p_write_pdf function in tools/tiff2pdf.c. This     heap overflow could lead to different damages. For     example, a crafted TIFF document can lead to an     out-of-bounds read in TIFFCleanup, an invalid free in     TIFFClose or t2p_free, memory corruption in     t2p_readwrite_pdf_image, or a double free in t2p_free.
    Given these possibilities, it probably could cause     arbitrary code execution (bsc#1046077)

  - CVE-2017-17973: There is a heap-based use-after-free in     the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)

  - CVE-2018-5784: There is an uncontrolled resource     consumption in the TIFFSetDirectory function of     tif_dir.c. Remote attackers could leverage this     vulnerability to cause a denial of service via a crafted     tif file. This occurs because the declared number of     directory entries is not validated against the actual     number of directory entries (bsc#1081690)

This update was imported from the SUSE:SLE-12:Update update project.

This update for tiff fixes the following issues :

  - CVE-2017-9935: There was a heap-based buffer overflow in     the t2p_write_pdf function in tools/tiff2pdf.c. This     heap overflow could lead to different damages. For     example, a crafted TIFF document can lead to an     out-of-bounds read in TIFFCleanup, an invalid free in     TIFFClose or t2p_free, memory corruption in     t2p_readwrite_pdf_image, or a double free in t2p_free.
    Given these possibilities, it probably could cause     arbitrary code execution (bsc#1046077)

  - CVE-2017-17973: There is a heap-based use-after-free in     the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)

  - CVE-2018-5784: There is an uncontrolled resource     consumption in the TIFFSetDirectory function of     tif_dir.c. Remote attackers could leverage this     vulnerability to cause a denial of service via a crafted     tif file. This occurs because the declared number of     directory entries is not validated against the actual     number of directory entries (bsc#1081690)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

  - CVE-2016-9453: The t2p_readwrite_pdf_image_tile function     allowed remote attackers to cause a denial of service     (out-of-bounds write and crash) or possibly execute     arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES     of length one (bsc#1011107).

  - CVE-2016-5652: An exploitable heap-based buffer overflow     existed in the handling of TIFF images in the TIFF2PDF     tool. A crafted TIFF document can lead to a heap-based     buffer overflow resulting in remote code execution.
    Vulnerability can be triggered via a saved TIFF file     delivered by other means (bsc#1007280).

  - CVE-2017-11335: There is a heap-based buffer overflow in     tools/tiff2pdf.c via a PlanarConfig=Contig image, which     caused a more than one hundred bytes out-of-bounds write     (related to the ZIPDecode function in tif_zip.c). A     crafted input may lead to a remote denial of service     attack or an arbitrary code execution attack     (bsc#1048937).

  - CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds     write vulnerabilities in heap allocated buffers in     t2p_process_jpeg_strip(). Reported as MSVR 35098, aka     't2p_process_jpeg_strip heap-buffer-overflow.'     (bsc#1011845)

  - CVE-2017-9935: In LibTIFF, there was a heap-based buffer     overflow in the t2p_write_pdf function in     tools/tiff2pdf.c. This heap overflow could lead to     different damages. For example, a crafted TIFF document     can lead to an out-of-bounds read in TIFFCleanup, an     invalid free in TIFFClose or t2p_free, memory corruption     in t2p_readwrite_pdf_image, or a double free in     t2p_free. Given these possibilities, it probably could     cause arbitrary code execution (bsc#1046077).

  - CVE-2017-17973: There is a heap-based use-after-free in     the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)

  - CVE-2015-7554: The _TIFFVGetField function in tif_dir.c     allowed attackers to cause a denial of service (invalid     memory write and crash) or possibly have unspecified     other impact via crafted field data in an extension tag     in a TIFF image (bsc#960341).

  - CVE-2016-5318: Stack-based buffer overflow in the
    _TIFFVGetField function allowed remote attackers to     crash the application via a crafted tiff (bsc#983436).

  - CVE-2016-10095: Stack-based buffer overflow in the
    _TIFFVGetField function in tif_dir.c allowed remote     attackers to cause a denial of service (crash) via a     crafted TIFF file (bsc#1017690,).

  - CVE-2016-10268: tools/tiffcp.c allowed remote attackers     to cause a denial of service (integer underflow and     heap-based buffer under-read) or possibly have     unspecified other impact via a crafted TIFF image,     related to 'READ of size 78490' and     libtiff/tif_unix.c:115:23 (bsc#1031255)

  - An overlapping of memcpy parameters was fixed which     could lead to content corruption (bsc#1017691).

  - Fixed an invalid memory read which could lead to a crash     (bsc#1017692).

  - Fixed a NULL pointer dereference in TIFFReadRawData     (tiffinfo.c) that could crash the decoder (bsc#1017688).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Debian Security Advisory reports :

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.

In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.

This overflow is linked to an underlying assumption that all pages in a tiff document will have the same transfer function. There is nothing in the tiff standard that says this needs to be the case.

For Debian 7 'Wheezy', these problems have been fixed in version 4.0.2-6+deb7u17.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
123354	openSUSE Security Update : tiff (openSUSE-2019-847)	Nessus	SuSE Local Security Checks	medium
121917	Photon OS 2.0: Libtiff PHSA-2018-2.0-0016	Nessus	PhotonOS Local Security Checks	high
121790	Photon OS 2.0: Libtiff PHSA-2017-2.0-0007	Nessus	PhotonOS Local Security Checks	high
120824	Fedora 28 : libtiff (2018-d41d114d3e)	Nessus	Fedora Local Security Checks	medium
120140	SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:3327-1)	Nessus	SuSE Local Security Checks	medium
118391	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:3391-1)	Nessus	SuSE Local Security Checks	medium
118384	openSUSE Security Update : tiff (openSUSE-2018-1249)	Nessus	SuSE Local Security Checks	medium
118378	openSUSE Security Update : tiff (openSUSE-2018-1242)	Nessus	SuSE Local Security Checks	medium
118321	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:3289-1)	Nessus	SuSE Local Security Checks	medium
111905	Photon OS 2.0: Krb5 / Libjpeg / Libtiff PHSA-2017-2.0-0007 (deprecated)	Nessus	PhotonOS Local Security Checks	high
111286	Photon OS 2.0 : Linux / Postgresql / Binutils / Curl / Libtiff (PhotonOS-PHSA-2018-2.0-0016) (deprecated)	Nessus	PhotonOS Local Security Checks	high
110388	Fedora 27 : libtiff (2018-44c6f91560)	Nessus	Fedora Local Security Checks	medium
109716	openSUSE Security Update : tiff (openSUSE-2018-443)	Nessus	SuSE Local Security Checks	medium
109675	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:1180-1)	Nessus	SuSE Local Security Checks	medium
109674	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:1179-1)	Nessus	SuSE Local Security Checks	high
108657	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : tiff vulnerabilities (USN-3606-1)	Nessus	Ubuntu Local Security Checks	high
106700	FreeBSD : tiff -- multiple vulnerabilities (b38e8150-0535-11e8-96ab-0800271d4b9c)	Nessus	FreeBSD Local Security Checks	medium
106414	Debian DSA-4100-1 : tiff - security update	Nessus	Debian Local Security Checks	medium
105194	Debian DLA-1206-1 : tiff security update	Nessus	Debian Local Security Checks	medium

CVE-2017-9935

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins