SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2016:3301-1)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The tiff library and tools were updated to version 4.0.7 fixing
various bug and security issues.

- CVE-2014-8127: out-of-bounds read with malformed TIFF
image in multiple tools [bnc#914890]

- CVE-2016-9297: tif_dirread.c read outside buffer in
_TIFFPrintField() [bnc#1010161]

- CVE-2016-3658: Illegal read in
TIFFWriteDirectoryTagLongLong8Array function in tiffset
/ tif_dirwrite.c [bnc#974840]

- CVE-2016-9273: heap overflow [bnc#1010163]

- CVE-2016-3622: divide By Zero in the tiff2rgba tool
[bnc#974449]

- CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap
Buffer Overflow [bnc#1007280]

- CVE-2016-9453: out-of-bounds Write memcpy and less bound
check in tiff2pdf [bnc#1011107]

- CVE-2016-5875: heap-based buffer overflow when using the
PixarLog compressionformat [bnc#987351]

- CVE-2016-9448: regression introduced by fixing
CVE-2016-9297 [bnc#1011103]

- CVE-2016-5321: out-of-bounds read in tiffcrop /
DumpModeDecode() function [bnc#984813]

- CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns()
function (null ptr dereference?) [bnc#984815]

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/1007280
https://bugzilla.suse.com/1010161
https://bugzilla.suse.com/1010163
https://bugzilla.suse.com/1011103
https://bugzilla.suse.com/1011107
https://bugzilla.suse.com/914890
https://bugzilla.suse.com/974449
https://bugzilla.suse.com/974840
https://bugzilla.suse.com/984813
https://bugzilla.suse.com/984815
https://bugzilla.suse.com/987351
https://www.suse.com/security/cve/CVE-2014-8127.html
https://www.suse.com/security/cve/CVE-2016-3622.html
https://www.suse.com/security/cve/CVE-2016-3658.html
https://www.suse.com/security/cve/CVE-2016-5321.html
https://www.suse.com/security/cve/CVE-2016-5323.html
https://www.suse.com/security/cve/CVE-2016-5652.html
https://www.suse.com/security/cve/CVE-2016-5875.html
https://www.suse.com/security/cve/CVE-2016-9273.html
https://www.suse.com/security/cve/CVE-2016-9297.html
https://www.suse.com/security/cve/CVE-2016-9448.html
https://www.suse.com/security/cve/CVE-2016-9453.html
http://www.nessus.org/u?f6291fb9

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
patch SUSE-SLE-SDK-12-SP2-2016-1937=1

SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t
patch SUSE-SLE-SDK-12-SP1-2016-1937=1

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
patch SUSE-SLE-RPI-12-SP2-2016-1937=1

SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
SUSE-SLE-SERVER-12-SP2-2016-1937=1

SUSE Linux Enterprise Server 12-SP1:zypper in -t patch
SUSE-SLE-SERVER-12-SP1-2016-1937=1

SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP2-2016-1937=1

SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP1-2016-1937=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now