Alpine: libtiffxx, multiple tiff packages: security update to 4.0.7-r2 (deprecated)

Severity: High. Tenable Self-Hosted Container Security, Plugin ID 400878

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. (CVE-2016-10266)

- LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. (CVE-2016-10267)

- tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23. (CVE-2016-10268)

- LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6 and 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. (CVE-2016-10269)

- LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. (CVE-2016-10270)

See Also

https://git.alpinelinux.org/aports/commit/?id=5b598aecd1e0174b9debbf49c0eea825b7a50c98

https://git.alpinelinux.org/aports/commit/?id=fa18ed2287bf127951d71bdf233db44b1e923739

Plugin Details

Severity: High

ID: 400878

Version: Revision 1.22

Type: Local

Published: 8/16/2023

Updated: 1/17/2024

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-10270

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/3/2017

Vulnerability Publication Date: 1/1/2017

Reference Information

CVE: CVE-2016-10266, CVE-2016-10267, CVE-2016-10268, CVE-2016-10269, CVE-2016-10270

BID: 97115, 97117, 97200, 97201, 97202