http://bugzilla.maptools.org/show_bug.cgi?id=2795

RHSA-2019:2053

[debian-lts-announce] 20180702 [SECURITY] [DLA 1411-1] tiff security update

USN-3864-1

DSA-4349

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libtiff packages installed that are affected by multiple vulnerabilities:

  - Buffer overflow in the readextension function in     gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to     cause a denial of service (application crash) via a     crafted GIF file. (CVE-2016-3186)

  - Heap-based buffer overflow in the     cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF     4.0.9 allows remote attackers to cause a denial of     service (crash) or possibly have unspecified other     impact via a crafted TIFF file. (CVE-2018-12900)

  - The TIFFWriteDirectorySec() function in tif_dirwrite.c     in LibTIFF through 4.0.9 allows remote attackers to     cause a denial of service (assertion failure and     application crash) via a crafted file, a different     vulnerability than CVE-2017-13726. (CVE-2018-10963)

  - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a     heap-based buffer over-read, as demonstrated by     bmp2tiff. (CVE-2018-10779)

  - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in     the function LZWDecodeCompat in tif_lzw.c via a crafted     TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)

  - A NULL Pointer Dereference occurs in the function     TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when     using the tiffinfo tool to print crafted TIFF     information, a different vulnerability than     CVE-2017-18013. (This affects an earlier part of the     TIFFPrintDirectory function that was not addressed by     the CVE-2017-18013 patch.) (CVE-2018-7456)

  - An issue was discovered in LibTIFF 4.0.9. There is a     int32 overflow in multiply_ms in tools/ppm2tiff.c, which     can cause a denial of service (crash) or possibly have     unspecified other impact via a crafted image file.
    (CVE-2018-17100)

  - An issue was discovered in LibTIFF 4.0.9. There are two     out-of-bounds writes in cpTags in tools/tiff2bw.c and     tools/pal2rgb.c, which can cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image file. (CVE-2018-17101)

  - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-     sized JBIG into a buffer, ignoring the buffer size,     which leads to a tif_jbig.c JBIGDecode out-of-bounds     write. (CVE-2018-18557)

  - An issue was discovered in LibTIFF 4.0.9. There is a     NULL pointer dereference in the function LZWDecode in     the file tif_lzw.c. (CVE-2018-18661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.(CVE-2016-3186)

An integer overflow has been discovered in libtiff in TIFFSetupStrips:tif_write.c, which could lead to a heap-based buffer overflow in TIFFWriteScanline:tif_write.c. An attacker may use this vulnerability to corrupt memory or cause Denial of Service.(CVE-2018-10779)

The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726 .(CVE-2018-10963)

Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2018-12900)

An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100)

An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101)

LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557)

An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.(CVE-2018-18661)

A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 . (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)(CVE-2018-7456)

In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.(CVE-2018-8905)

An update for libtiff is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* libtiff: buffer overflow in gif2tiff (CVE-2016-3186)

* libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900)

* libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557)

* libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456)

* libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905)

* libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779)

* libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963)

* libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100)

* libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/ pal2rgb.c (CVE-2018-17101)

* libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Security Fix(es) :

  - libtiff: buffer overflow in gif2tiff (CVE-2016-3186)

  - libtiff: Heap-based buffer overflow in the     cpSeparateBufToContigBuf function resulting in a denial     of service or possibly code execution (CVE-2018-12900)

  - libtiff: Out-of-bounds write in tif_jbig.c     (CVE-2018-18557)

  - libtiff: NULL pointer dereference in     tif_print.c:TIFFPrintDirectory() causes a denial of     service (CVE-2018-7456)

  - libtiff: heap-based buffer overflow in     tif_lzw.c:LZWDecodeCompat() allows for denial of service     (CVE-2018-8905)

  - libtiff: heap-based buffer over-read in     TIFFWriteScanline function in tif_write.c     (CVE-2018-10779)

  - libtiff: reachable assertion in TIFFWriteDirectorySec     function in tif_dirwrite.c (CVE-2018-10963)

  - libtiff: Integer overflow in multiply_ms in     tools/ppm2tiff.c (CVE-2018-17100)

  - libtiff: Two out-of-bounds writes in cpTags in     tools/tiff2bw.c and tools/pal2rgb.c (CVE-2018-17101)

  - libtiff: tiff2bw tool failed memory allocation leads to     crash (CVE-2018-18661)

This update for tiff fixes the following security issues :

These security issues were fixed :

  - CVE-2017-18013: Fixed a NULL pointer dereference in the     tif_print.cTIFFPrintDirectory function that could have     lead to denial of service (bsc#1074317).

  - CVE-2018-10963: Fixed an assertion failure in the     TIFFWriteDirectorySec() function in tif_dirwrite.c,     which allowed remote attackers to cause a denial of     service via a crafted file (bsc#1092949).

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825).

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332).

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408).

This update was imported from the SUSE:SLE-15:Update update project.

An update of the libtiff package has been released.

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Added fixes for :

  - **CVE-2017-9935**

  - **CVE-2017-18013**

  - **CVE-2018-8905**

  - **CVE-2018-10963**

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following security issues: These security issues were fixed :

  - CVE-2017-18013: Fixed a NULL pointer dereference in the     tif_print.cTIFFPrintDirectory function that could have     lead to denial of service (bsc#1074317).

  - CVE-2018-10963: Fixed an assertion failure in the     TIFFWriteDirectorySec() function in tif_dirwrite.c,     which allowed remote attackers to cause a denial of     service via a crafted file (bsc#1092949).

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825).

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332).

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

New libtiff packages are available for Slackware 14.2 and -current to fix security issues.

An update of {'libtiff', 'glibc', 'libsoup'} packages of Photon OS has been released.

Several issues were discovered in TIFF, the Tag Image File Format library, that allowed remote attackers to cause a denial of service or other unspecified impact via a crafted image file.

CVE-2017-11613: DoS vulnerability A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the
_TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer.

CVE-2018-10963: DoS vulnerability The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.

CVE-2018-5784: DoS vulnerability In LibTIFF, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c.
Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.

CVE-2018-7456: NULL pointer Dereference A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)

CVE-2018-8905: Heap-based buffer overflow In LibTIFF, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.

For Debian 8 'Jessie', these problems have been fixed in version 4.0.3-12.3+deb8u6.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

These security issues were fixed :

  - CVE-2017-18013: There was a NULL pointer Dereference in     the tif_print.c TIFFPrintDirectory function, as     demonstrated by a tiffinfo crash. (bsc#1074317)

  - CVE-2018-10963: The TIFFWriteDirectorySec() function in     tif_dirwrite.c allowed remote attackers to cause a     denial of service (assertion failure and application     crash) via a crafted file, a different vulnerability     than CVE-2017-13726. (bsc#1092949)

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825)

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332)

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408)

  - CVE-2016-8331: Prevent remote code execution because of     incorrect handling of TIFF images. A crafted TIFF     document could have lead to a type confusion     vulnerability resulting in remote code execution. This     vulnerability could have been be triggered via a TIFF     file delivered to the application using LibTIFF's tag     extension functionality (bsc#1007276)

  - CVE-2016-3632: The _TIFFVGetField function allowed     remote attackers to cause a denial of service     (out-of-bounds write) or execute arbitrary code via a     crafted TIFF image (bsc#974621)

This update was imported from the SUSE:SLE-12:Update update project.

This update for tiff fixes the following issues: These security issues were fixed :

  - CVE-2017-18013: There was a NULL pointer Dereference in     the tif_print.c TIFFPrintDirectory function, as     demonstrated by a tiffinfo crash. (bsc#1074317)

  - CVE-2018-10963: The TIFFWriteDirectorySec() function in     tif_dirwrite.c allowed remote attackers to cause a     denial of service (assertion failure and application     crash) via a crafted file, a different vulnerability     than CVE-2017-13726. (bsc#1092949)

  - CVE-2018-7456: Prevent a NULL pointer dereference in the     function TIFFPrintDirectory when using the tiffinfo tool     to print crafted TIFF information, a different     vulnerability than CVE-2017-18013 (bsc#1082825)

  - CVE-2017-11613: Prevent denial of service in the     TIFFOpen function. During the TIFFOpen process,     td_imagelength is not checked. The value of     td_imagelength can be directly controlled by an input     file. In the ChopUpSingleUncompressedStrip function, the
    _TIFFCheckMalloc function is called based on     td_imagelength. If the value of td_imagelength is set     close to the amount of system memory, it will hang the     system or trigger the OOM killer (bsc#1082332)

  - CVE-2018-8905: Prevent heap-based buffer overflow in the     function LZWDecodeCompat via a crafted TIFF file     (bsc#1086408)

  - CVE-2016-8331: Prevent remote code execution because of     incorrect handling of TIFF images. A crafted TIFF     document could have lead to a type confusion     vulnerability resulting in remote code execution. This     vulnerability could have been be triggered via a TIFF     file delivered to the application using LibTIFF's tag     extension functionality (bsc#1007276)

  - CVE-2016-3632: The _TIFFVGetField function allowed     remote attackers to cause a denial of service     (out-of-bounds write) or execute arbitrary code via a     crafted TIFF image (bsc#974621)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
129913	NewStart CGSL CORE 5.04 / MAIN 5.04 : libtiff Multiple Vulnerabilities (NS-SA-2019-0185)	Nessus	NewStart CGSL Local Security Checks	medium
129796	Amazon Linux AMI : libtiff (ALAS-2019-1306)	Nessus	Amazon Linux Local Security Checks	medium
128343	CentOS 7 : libtiff (CESA-2019:2053)	Nessus	CentOS Local Security Checks	medium
128236	Scientific Linux Security Update : libtiff on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	medium
127662	RHEL 7 : libtiff (RHSA-2019:2053)	Nessus	Red Hat Local Security Checks	medium
123213	openSUSE Security Update : tiff (openSUSE-2019-508)	Nessus	SuSE Local Security Checks	medium
121958	Photon OS 2.0: Libtiff PHSA-2018-2.0-0060	Nessus	PhotonOS Local Security Checks	high
121329	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : tiff vulnerabilities (USN-3864-1)	Nessus	Ubuntu Local Security Checks	medium
120824	Fedora 28 : libtiff (2018-d41d114d3e)	Nessus	Fedora Local Security Checks	medium
120035	SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:1889-1)	Nessus	SuSE Local Security Checks	medium
119314	Debian DSA-4349-1 : tiff - security update	Nessus	Debian Local Security Checks	medium
118903	Slackware 14.2 / current : libtiff (SSA:2018-316-01)	Nessus	Slackware Local Security Checks	medium
111309	Photon OS 2.0 : libtiff / glibc / libsoup (PhotonOS-PHSA-2018-2.0-0060) (deprecated)	Nessus	PhotonOS Local Security Checks	high
111099	openSUSE Security Update : tiff (openSUSE-2018-728)	Nessus	SuSE Local Security Checks	medium
110840	Debian DLA-1411-1 : tiff security update	Nessus	Debian Local Security Checks	medium
110802	openSUSE Security Update : tiff (openSUSE-2018-677)	Nessus	SuSE Local Security Checks	medium
110763	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:1826-1)	Nessus	SuSE Local Security Checks	medium
110388	Fedora 27 : libtiff (2018-44c6f91560)	Nessus	Fedora Local Security Checks	medium

CVE-2018-10963

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins