http://bugzilla.maptools.org/show_bug.cgi?id=2819

105762

RHSA-2019:2053

USN-3864-1

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libtiff packages installed that are affected by multiple vulnerabilities:

  - Buffer overflow in the readextension function in     gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to     cause a denial of service (application crash) via a     crafted GIF file. (CVE-2016-3186)

  - Heap-based buffer overflow in the     cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF     4.0.9 allows remote attackers to cause a denial of     service (crash) or possibly have unspecified other     impact via a crafted TIFF file. (CVE-2018-12900)

  - The TIFFWriteDirectorySec() function in tif_dirwrite.c     in LibTIFF through 4.0.9 allows remote attackers to     cause a denial of service (assertion failure and     application crash) via a crafted file, a different     vulnerability than CVE-2017-13726. (CVE-2018-10963)

  - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a     heap-based buffer over-read, as demonstrated by     bmp2tiff. (CVE-2018-10779)

  - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in     the function LZWDecodeCompat in tif_lzw.c via a crafted     TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)

  - A NULL Pointer Dereference occurs in the function     TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when     using the tiffinfo tool to print crafted TIFF     information, a different vulnerability than     CVE-2017-18013. (This affects an earlier part of the     TIFFPrintDirectory function that was not addressed by     the CVE-2017-18013 patch.) (CVE-2018-7456)

  - An issue was discovered in LibTIFF 4.0.9. There is a     int32 overflow in multiply_ms in tools/ppm2tiff.c, which     can cause a denial of service (crash) or possibly have     unspecified other impact via a crafted image file.
    (CVE-2018-17100)

  - An issue was discovered in LibTIFF 4.0.9. There are two     out-of-bounds writes in cpTags in tools/tiff2bw.c and     tools/pal2rgb.c, which can cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted image file. (CVE-2018-17101)

  - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-     sized JBIG into a buffer, ignoring the buffer size,     which leads to a tif_jbig.c JBIGDecode out-of-bounds     write. (CVE-2018-18557)

  - An issue was discovered in LibTIFF 4.0.9. There is a     NULL pointer dereference in the function LZWDecode in     the file tif_lzw.c. (CVE-2018-18661)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.(CVE-2016-3186)

An integer overflow has been discovered in libtiff in TIFFSetupStrips:tif_write.c, which could lead to a heap-based buffer overflow in TIFFWriteScanline:tif_write.c. An attacker may use this vulnerability to corrupt memory or cause Denial of Service.(CVE-2018-10779)

The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726 .(CVE-2018-10963)

Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2018-12900)

An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100)

An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101)

LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557)

An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.(CVE-2018-18661)

A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 . (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)(CVE-2018-7456)

In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.(CVE-2018-8905)

An update for libtiff is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Security Fix(es) :

* libtiff: buffer overflow in gif2tiff (CVE-2016-3186)

* libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900)

* libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557)

* libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456)

* libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905)

* libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779)

* libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963)

* libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100)

* libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/ pal2rgb.c (CVE-2018-17101)

* libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Security Fix(es) :

  - libtiff: buffer overflow in gif2tiff (CVE-2016-3186)

  - libtiff: Heap-based buffer overflow in the     cpSeparateBufToContigBuf function resulting in a denial     of service or possibly code execution (CVE-2018-12900)

  - libtiff: Out-of-bounds write in tif_jbig.c     (CVE-2018-18557)

  - libtiff: NULL pointer dereference in     tif_print.c:TIFFPrintDirectory() causes a denial of     service (CVE-2018-7456)

  - libtiff: heap-based buffer overflow in     tif_lzw.c:LZWDecodeCompat() allows for denial of service     (CVE-2018-8905)

  - libtiff: heap-based buffer over-read in     TIFFWriteScanline function in tif_write.c     (CVE-2018-10779)

  - libtiff: reachable assertion in TIFFWriteDirectorySec     function in tif_dirwrite.c (CVE-2018-10963)

  - libtiff: Integer overflow in multiply_ms in     tools/ppm2tiff.c (CVE-2018-17100)

  - libtiff: Two out-of-bounds writes in cpTags in     tools/tiff2bw.c and tools/pal2rgb.c (CVE-2018-17101)

  - libtiff: tiff2bw tool failed memory allocation leads to     crash (CVE-2018-18661)

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2018-12900: Fixed heap-based buffer overflow in the     cpSeparateBufToContigBuf (bsc#1099257).

  - CVE-2018-18661: Fixed NULL pointer dereference in the     function LZWDecode in the file tif_lzw.c (bsc#1113672).

  - CVE-2018-18557: Fixed JBIG decode can lead to     out-of-bounds write (bsc#1113094).

Non-security issues fixed :

  - asan_build: build ASAN included

  - debug_build: build more suitable for debugging

This update was imported from the SUSE:SLE-15:Update update project.

An update of the libtiff package has been released.

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New release with a lot of security fixes:
http://www.simplesystems.org/libtiff/v4.0.10.html

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issues fixed :

CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).

CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).

CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094).

Non-security issues fixed: asan_build: build ASAN included

debug_build: build more suitable for debugging

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2018-12900: Fixed heap-based buffer overflow in the     cpSeparateBufToContigBuf (bsc#1099257). 

  - CVE-2018-18661: Fixed NULL pointer dereference in the     function LZWDecode in the file tif_lzw.c (bsc#1113672). 

  - CVE-2018-18557: Fixed JBIG decode can lead to     out-of-bounds write (bsc#1113094).

Non-security issues fixed :

  - asan_build: build ASAN included

  - debug_build: build more suitable for debugging

This update was imported from the SUSE:SLE-12:Update update project.

This update for tiff fixes the following issues :

Security issues fixed :

CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672).

CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257).

CVE-2017-9147: Fixed invalid read in the _TIFFVGetField function in tif_dir.c, that allowed remote attackers to cause a DoS via acrafted TIFF file (bsc#1040322).

CVE-2017-9117: Fixed BMP images processing that was verified without biWidth and biHeight values (bsc#1040080).

CVE-2017-17942: Fixed issue in the function PackBitsEncode that could have led to a heap overflow and caused a DoS (bsc#1074186).

CVE-2016-9273: Fixed heap-based buffer overflow issue (bsc#1010163).

CVE-2016-5319: Fixed heap-based buffer overflow in PackBitsEncode (bsc#983440).

CVE-2016-3621: Fixed out-of-bounds read in the bmp2tiff tool (lzw packing) (bsc#974448).

CVE-2016-3620: Fixed out-of-bounds read in the bmp2tiff tool (zip packing) (bsc#974447)

CVE-2016-3619: Fixed out-of-bounds read in the bmp2tiff tool (none packing) (bsc#974446)

CVE-2015-8870: Fixed integer overflow in tools/bmp2tiff.c that allowed remote attackers to causea DOS (bsc#1014461).

Non-security issues fixed: asan_build: build ASAN included

debug_build: build more suitable for debugging

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New libtiff packages are available for Slackware 14.2 and -current to fix security issues.

ID	Name	Product	Family	Severity
129913	NewStart CGSL CORE 5.04 / MAIN 5.04 : libtiff Multiple Vulnerabilities (NS-SA-2019-0185)	Nessus	NewStart CGSL Local Security Checks	medium
129796	Amazon Linux AMI : libtiff (ALAS-2019-1306)	Nessus	Amazon Linux Local Security Checks	medium
128343	CentOS 7 : libtiff (CESA-2019:2053)	Nessus	CentOS Local Security Checks	medium
128236	Scientific Linux Security Update : libtiff on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	medium
127662	RHEL 7 : libtiff (RHSA-2019:2053)	Nessus	Red Hat Local Security Checks	medium
123390	openSUSE Security Update : tiff (openSUSE-2019-962)	Nessus	SuSE Local Security Checks	medium
122024	Photon OS 2.0: Libtiff PHSA-2019-2.0-0118	Nessus	PhotonOS Local Security Checks	medium
121329	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : tiff vulnerabilities (USN-3864-1)	Nessus	Ubuntu Local Security Checks	medium
120748	Fedora 29 : libtiff (2018-bd18c784de)	Nessus	Fedora Local Security Checks	medium
120487	Fedora 28 : libtiff (2018-67a6bf4ac1)	Nessus	Fedora Local Security Checks	medium
120170	SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:3925-1)	Nessus	SuSE Local Security Checks	medium
119555	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:3911-2)	Nessus	SuSE Local Security Checks	medium
119298	openSUSE Security Update : tiff (openSUSE-2018-1480)	Nessus	SuSE Local Security Checks	medium
119297	openSUSE Security Update : tiff (openSUSE-2018-1479)	Nessus	SuSE Local Security Checks	medium
119214	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:3911-1)	Nessus	SuSE Local Security Checks	medium
119143	SUSE SLES11 Security Update : tiff (SUSE-SU-2018:3879-1)	Nessus	SuSE Local Security Checks	high
119126	Fedora 27 : libtiff (2018-399bce9f8f)	Nessus	Fedora Local Security Checks	medium
118903	Slackware 14.2 / current : libtiff (SSA:2018-316-01)	Nessus	Slackware Local Security Checks	medium

CVE-2018-18661

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins