http://bugzilla.maptools.org/show_bug.cgi?id=2820

openSUSE-SU-2019:1161

105932

[debian-lts-announce] 20190218 [SECURITY] [DLA 1680-1] tiff security update

USN-3906-1

Fix for **CVE-2018-19210**.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - In LibTIFF 4.0.9, there is a NULL pointer dereference     in the TIFFWriteDirectorySec function in tif_dirwrite.c     that will lead to a denial of service attack, as     demonstrated by tiffset.(CVE-2018-19210)

  - The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10     has a memory leak, as demonstrated by     pal2rgb.(CVE-2019-6128)

  - An Invalid Address dereference was discovered in     TIFFWriteDirectoryTagTransferfunction in     libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the     cpSeparateBufToContigBuf function in tiffcp.c. Remote     attackers could leverage this vulnerability to cause a     denial-of-service via a crafted tiff file. This is     different from CVE-2018-12900.(CVE-2019-7663)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Heap-based buffer overflow in the readgifimage function     in the gif2tiff tool in libtiff 4.0.3 and earlier     allows remote attackers to cause a denial of service     (crash) and possibly execute arbitrary code via a     crafted height and width values in a GIF     image.(CVE-2013-4243)

  - Integer overflow in tools/bmp2tiff.c in LibTIFF before     4.0.4 allows remote attackers to cause a denial of     service (heap-based buffer over-read), or possibly     obtain sensitive information from process memory, via     crafted width and length values in RLE4 or RLE8 data in     a BMP file.(CVE-2015-8870)

  - LibTIFF 4.0.3 allows remote attackers to cause a denial     of service (out-of-bounds read and crash) via a crafted     TIFF image to the (1) checkInkNamesString function in     tif_dir.c in the thumbnail tool, (2) compresscontig     function in tiff2bw.c in the tiff2bw tool, (3)     putcontig8bitCIELab function in tif_getimage.c in the     tiff2rgba tool, LZWPreDecode function in tif_lzw.c in     the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode     function in tif_next.c in the tiffmedian tool, or (7)     TIFFWriteDirectoryTagLongLong8Array function in     tif_dirwrite.c in the tiffset tool.(CVE-2014-8127)

  - Use-after-free vulnerability in the     t2p_readwrite_pdf_image function in tools/tiff2pdf.c in     libtiff 4.0.3 allows remote attackers to cause a denial     of service (crash) or possibly execute arbitrary code     via a crafted TIFF image.(CVE-2013-4232)

  - Integer overflow in the writeBufferToSeparateStrips     function in tiffcrop.c in LibTIFF before 4.0.7 allows     remote attackers to cause a denial of service     (out-of-bounds read) via a crafted tif     file.(CVE-2016-9532)

  - Multiple integer overflows in the (1) cvt_by_strip and     (2) cvt_by_tile functions in the tiff2rgba tool in     LibTIFF 4.0.6 and earlier, when -b mode is enabled,     allow remote attackers to cause a denial of service     (crash) or execute arbitrary code via a crafted TIFF     image, which triggers an out-of-bounds     write.(CVE-2016-3945)

  - The (1) putcontig8bitYCbCr21tile function in     tif_getimage.c or (2) NeXTDecode function in tif_next.c     in LibTIFF allows remote attackers to cause a denial of     service (uninitialized memory access) via a crafted     TIFF image, as demonstrated by libtiff-cvs-1.tif and     libtiff-cvs-2.tif.(CVE-2014-9655)

  - A flaw was discovered in the bmp2tiff utility. By     tricking a user into processing a specially crafted     file, a remote attacker could exploit this flaw to     cause a crash or memory corruption and, possibly,     execute arbitrary code with the privileges of the user     running the libtiff tool.(CVE-2014-9330)

  - The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in     tif_read.c in libtiff before 4.0.7 allows remote     attackers to cause a denial of service (crash) or     possibly obtain sensitive information via a negative     index in a file-content buffer.(CVE-2016-6223)

  - The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3     does not reject a zero size, which allows remote     attackers to cause a denial of service (divide-by-zero     error and application crash) via a crafted TIFF image     that is mishandled by the TIFFWriteScanline function in     tif_write.c, as demonstrated by     tiffdither.(CVE-2014-8130)

  - Heap-based buffer overflow in the     t2p_process_jpeg_strip function in tiff2pdf in libtiff     4.0.3 and earlier allows remote attackers to cause a     denial of service (crash) and possibly execute     arbitrary code via a crafted TIFF image     file.(CVE-2013-1960)

  - Stack-based buffer overflow in the t2p_write_pdf_page     function in tiff2pdf in libtiff before 4.0.3 allows     remote attackers to cause a denial of service     (application crash) via a crafted image length and     resolution in a TIFF image file.(CVE-2013-1961)

  - Heap-based buffer overflow in the loadImage function in     the tiffcrop tool in LibTIFF 4.0.6 and earlier allows     remote attackers to cause a denial of service     (out-of-bounds write) or execute arbitrary code via a     crafted TIFF image with zero tiles.(CVE-2016-3991)

  - Heap-based buffer overflow in the horizontalDifference8     function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier     allows remote attackers to cause a denial of service     (crash) or execute arbitrary code via a crafted TIFF     image to tiffcp.(CVE-2016-3990)

  - LibTIFF 4.0.3 allows remote attackers to cause a denial     of service (out-of-bounds write) or possibly have     unspecified other impact via a crafted TIFF image, as     demonstrated by failure of tif_next.c to verify that     the BitsPerSample value is 2, and the     t2p_sample_lab_signed_to_unsigned function in     tiff2pdf.c.(CVE-2014-8129)

  - The LZW decompressor in the gif2tiff tool in libtiff     4.0.3 and earlier allows context-dependent attackers to     cause a denial of service (out-of-bounds write and     crash) or possibly execute arbitrary code via a crafted     GIF image.(CVE-2013-4244)

  - The _TIFFVGetField function in tif_dirinfo.c in LibTIFF     4.0.6 and earlier allows remote attackers to cause a     denial of service (out-of-bounds write) or execute     arbitrary code via a crafted TIFF image.(CVE-2016-3632)

  - The NeXTDecode function in tif_next.c in LibTIFF allows     remote attackers to cause a denial of service     (uninitialized memory access) via a crafted TIFF image,     as demonstrated by libtiff5.tif.(CVE-2015-1547)

  - In LibTIFF 4.0.9, there is a NULL pointer dereference     in the TIFFWriteDirectorySec function in tif_dirwrite.c     that will lead to a denial of service attack, as     demonstrated by tiffset.(CVE-2018-19210)

  - The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10     has a memory leak, as demonstrated by     pal2rgb.(CVE-2019-6128)

  - An Invalid Address dereference was discovered in     TIFFWriteDirectoryTagTransferfunction in     libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the     cpSeparateBufToContigBuf function in tiffcp.c. Remote     attackers could leverage this vulnerability to cause a     denial-of-service via a crafted tiff file. This is     different from CVE-2018-12900.(CVE-2019-7663)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In LibTIFF 4.0.9, there is a NULL pointer dereference     in the TIFFWriteDirectorySec function in tif_dirwrite.c     that will lead to a denial of service attack, as     demonstrated by tiffset.(CVE-2018-19210)

  - The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10     has a memory leak, as demonstrated by     pal2rg(CVE-2019-6128)

  - An Invalid Address dereference was discovered in     TIFFWriteDirectoryTagTransferfunction in     libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the     cpSeparateBufToContigBuf function in tiffcp.c. Remote     attackers could leverage this vulnerability to cause a     denial-of-service via a crafted tiff     file.(CVE-2019-7663)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2018-19210: Fixed a NULL pointer dereference in     TIFFWriteDirectorySec function (bsc#1115717). 

  - CVE-2018-17000: Fixed a NULL pointer dereference in the
    _TIFFmemcmp function (bsc#1108606).

  - CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen     function in tif_unix.c (bsc#1121626).

  - CVE-2019-7663: Fixed an invalid address dereference in     the TIFFWriteDirectoryTagTransfer function in     libtiff/tif_dirwrite.c (bsc#1125113)

This update was imported from the SUSE:SLE-15:Update update project.

This update for tiff fixes the following issues :

Security issues fixed :

CVE-2018-19210: Fixed a NULL pointer dereference in TIFFWriteDirectorySec function (bsc#1115717).

CVE-2018-17000: Fixed a NULL pointer dereference in the _TIFFmemcmp function (bsc#1108606).

CVE-2019-6128: Fixed a memory leak in the TIFFFdOpen function in tif_unix.c (bsc#1121626).

CVE-2019-7663: Fixed an invalid address dereference in the TIFFWriteDirectoryTagTransfer function in libtiff/tif_dirwrite.c (bsc#1125113)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2018-19210: Fixed NULL pointer dereference in the     TIFFWriteDirectorySec function (bsc#1115717).

  - CVE-2017-12944: Fixed denial of service issue in the     TIFFReadDirEntryArray function (bsc#1054594).

  - CVE-2016-10094: Fixed heap-based buffer overflow in the
    _tiffWriteProc function (bsc#1017693).

  - CVE-2016-10093: Fixed heap-based buffer overflow in the
    _TIFFmemcpy function (bsc#1017693).

  - CVE-2016-10092: Fixed heap-based buffer overflow in the     TIFFReverseBits function (bsc#1017693).

  - CVE-2016-6223: Fixed out-of-bounds read on memory-mapped     files in TIFFReadRawStrip1() and TIFFReadRawTile1()     (bsc#990460).

This update was imported from the SUSE:SLE-15:Update update project.

It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Brief introduction 

CVE-2018-17000

A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) allows an attacker to cause a denial of service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.

CVE-2018-19210

There is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.

CVE-2019-7663

An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.

We believe this is the same as CVE-2018-17000 (above).

For Debian 8 'Jessie', these problems have been fixed in version 4.0.3-12.3+deb8u8.

We recommend that you upgrade your tiff packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the libtiff package has been released.

This update for tiff fixes the following issues :

Security issues fixed :

CVE-2018-19210: Fixed NULL pointer dereference in the TIFFWriteDirectorySec function (bsc#1115717).

CVE-2017-12944: Fixed denial of service issue in the TIFFReadDirEntryArray function (bsc#1054594).

CVE-2016-10094: Fixed heap-based buffer overflow in the _tiffWriteProc function (bsc#1017693).

CVE-2016-10093: Fixed heap-based buffer overflow in the _TIFFmemcpy function (bsc#1017693).

CVE-2016-10092: Fixed heap-based buffer overflow in the TIFFReverseBits function (bsc#1017693).

CVE-2016-6223: Fixed out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() (bsc#990460).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tiff fixes the following issues :

Security issues fixed :

  - CVE-2018-19210: Fixed NULL pointer dereference in the     TIFFWriteDirectorySec function (bsc#1115717).

  - CVE-2017-12944: Fixed denial of service issue in the     TIFFReadDirEntryArray function (bsc#1054594).

  - CVE-2016-10094: Fixed heap-based buffer overflow in the
    _tiffWriteProc function (bsc#1017693).

  - CVE-2016-10093: Fixed heap-based buffer overflow in the
    _TIFFmemcpy function (bsc#1017693).

  - CVE-2016-10092: Fixed heap-based buffer overflow in the     TIFFReverseBits function (bsc#1017693).

  - CVE-2016-6223: Fixed out-of-bounds read on memory-mapped     files in TIFFReadRawStrip1() and TIFFReadRawTile1()     (bsc#990460).

This update was imported from the SUSE:SLE-12:Update update project.

ID	Name	Product	Family	Severity
126362	Fedora 30 : libtiff (2019-fa3e40f00a)	Nessus	Fedora Local Security Checks	medium
126358	Fedora 29 : libtiff (2019-70d89f8806)	Nessus	Fedora Local Security Checks	medium
125581	EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2019-1629)	Nessus	Huawei Local Security Checks	medium
124940	EulerOS Virtualization 3.0.1.0 : libtiff (EulerOS-SA-2019-1437)	Nessus	Huawei Local Security Checks	high
124440	EulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-1313)	Nessus	Huawei Local Security Checks	medium
123816	openSUSE Security Update : tiff (openSUSE-2019-1161)	Nessus	SuSE Local Security Checks	medium
123497	SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2019:0786-1)	Nessus	SuSE Local Security Checks	medium
123404	openSUSE Security Update : tiff (openSUSE-2019-987)	Nessus	SuSE Local Security Checks	medium
122811	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : tiff vulnerabilities (USN-3906-1)	Nessus	Ubuntu Local Security Checks	medium
122265	Debian DLA-1680-1 : tiff security update	Nessus	Debian Local Security Checks	medium
122024	Photon OS 2.0: Libtiff PHSA-2019-2.0-0118	Nessus	PhotonOS Local Security Checks	medium
120181	SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:4008-1)	Nessus	SuSE Local Security Checks	medium
119866	openSUSE Security Update : tiff (openSUSE-2018-1598)	Nessus	SuSE Local Security Checks	medium
119807	SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:4191-1)	Nessus	SuSE Local Security Checks	medium
119550	openSUSE Security Update : tiff (openSUSE-2018-1522)	Nessus	SuSE Local Security Checks	medium

CVE-2018-19210

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins