SUSE SLES11 Security Update : tiff (SUSE-SU-2016:2527-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update for tiff fixes the following issues :

- CVE-2016-3622: Specially crafted TIFF images could
trigger a crash in tiff2rgba (bsc#974449)

- Various out-of-bound write vulnerabilities with
unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095,
MSVR 35096, MSVR 35097, MSVR 35098)

- CVE-2016-5314: Specially crafted TIFF images could
trigger a crash that could result in DoS (bsc#984831)

- CVE-2016-5316: Specially crafted TIFF images could
trigger a crash in the rgb2ycbcr tool, leading to Doa
(bsc#984837)

- CVE-2016-5317: Specially crafted TIFF images could
trigger a crash through an out of bound write
(bsc#984842)

- CVE-2016-5320: Specially crafted TIFF images could
trigger a crash or potentially allow remote code
execution when using the rgb2ycbcr command (bsc#984808)

- CVE-2016-5875: Specially crafted TIFF images could
trigger could allow arbitrary code execution
(bsc#987351)

- CVE-2016-3623: Specially crafted TIFF images could
trigger a crash in rgb2ycbcr (bsc#974618)

- CVE-2016-3945: Specially crafted TIFF images could
trigger a crash or allow for arbitrary command execution
via tiff2rgba (bsc#974614)

- CVE-2016-3990: Specially crafted TIFF images could
trigger a crash or allow for arbitrary command execution
(bsc#975069)

- CVE-2016-3186: Specially crafted TIFF imaged could
trigger a crash in the gif2tiff command via a buffer
overflow (bsc#973340)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/973340
https://bugzilla.suse.com/974449
https://bugzilla.suse.com/974614
https://bugzilla.suse.com/974618
https://bugzilla.suse.com/975069
https://bugzilla.suse.com/984808
https://bugzilla.suse.com/984831
https://bugzilla.suse.com/984837
https://bugzilla.suse.com/984842
https://bugzilla.suse.com/987351
https://www.suse.com/security/cve/CVE-2016-3186.html
https://www.suse.com/security/cve/CVE-2016-3622.html
https://www.suse.com/security/cve/CVE-2016-3623.html
https://www.suse.com/security/cve/CVE-2016-3945.html
https://www.suse.com/security/cve/CVE-2016-3990.html
https://www.suse.com/security/cve/CVE-2016-5314.html
https://www.suse.com/security/cve/CVE-2016-5316.html
https://www.suse.com/security/cve/CVE-2016-5317.html
https://www.suse.com/security/cve/CVE-2016-5320.html
https://www.suse.com/security/cve/CVE-2016-5875.html
http://www.nessus.org/u?c24b6b3b

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
patch sdksp4-tiff-12785=1

SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
slessp4-tiff-12785=1

SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
dbgsp4-tiff-12785=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now