SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2022:0480-1)

high Nessus Plugin ID 158138

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0480-1 advisory.

- CVE-2017-17095: Fixed DoS in tools/pal2rgb.c in pal2rgb (bsc#1071031).
- CVE-2019-17546: Fixed integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image (bsc#1154365).
- CVE-2020-19131: Fixed buffer overflow in tiffcrop that may cause DoS via the invertImage() function (bsc#1190312).
- CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808).
- CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809).
- CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811).
- CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812).
- CVE-2022-22844: Fixed out-of-bounds read in _TIFFmemcpy in tif_unix.c (bsc#1194539).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected libtiff-devel, libtiff5, libtiff5-32bit and / or tiff packages.

See Also

https://bugzilla.suse.com/1071031

https://bugzilla.suse.com/1154365

https://bugzilla.suse.com/1182808

https://bugzilla.suse.com/1182809

https://bugzilla.suse.com/1182811

https://bugzilla.suse.com/1182812

https://bugzilla.suse.com/1190312

https://bugzilla.suse.com/1194539

https://www.suse.com/security/cve/CVE-2017-17095

https://www.suse.com/security/cve/CVE-2019-17546

https://www.suse.com/security/cve/CVE-2020-19131

https://www.suse.com/security/cve/CVE-2020-35521

https://www.suse.com/security/cve/CVE-2020-35522

https://www.suse.com/security/cve/CVE-2020-35523

https://www.suse.com/security/cve/CVE-2020-35524

https://www.suse.com/security/cve/CVE-2022-22844

http://www.nessus.org/u?35c534af

Plugin Details

Severity: High

ID: 158138

File Name: suse_SU-2022-0480-1.nasl

Version: 1.8

Type: Local

Agent: unix

Published: 2/18/2022

Updated: 6/26/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-35524

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2019-17546

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:libtiff-devel, p-cpe:/a:novell:suse_linux:tiff, p-cpe:/a:novell:suse_linux:libtiff5, p-cpe:/a:novell:suse_linux:libtiff5-32bit, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2022

Vulnerability Publication Date: 12/2/2017

Reference Information

CVE: CVE-2017-17095, CVE-2019-17546, CVE-2020-19131, CVE-2020-35521, CVE-2020-35522, CVE-2020-35523, CVE-2020-35524, CVE-2022-22844

SuSE: SUSE-SU-2022:0480-1