Advisories ยป MGASA-2016-0349

The updated packages fix libtiff security vulnerabilities

Publication date: 20 Oct 2016
Modification date: 20 Oct 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-7554 , CVE-2015-8668 , CVE-2016-3186 , CVE-2016-3622 , CVE-2016-3623 , CVE-2016-3632 , CVE-2016-3945 , CVE-2016-3990 , CVE-2016-3991 , CVE-2016-5314 , CVE-2016-5315 , CVE-2016-5316 , CVE-2016-5317 , CVE-2016-5320 , CVE-2016-5321 , CVE-2016-5322 , CVE-2016-5323 , CVE-2016-5875 , CVE-2016-6223

Description

The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows 
attackers to cause a denial of service (invalid memory write and 
crash) or possibly have unspecified other impact via crafted field
data in an extension tag in a TIFF image. (CVE-2015-7554)

Heap-based buffer overflow in the PackBitsPreEncode function in 
tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote
attackers to execute arbitrary code or cause a denial of service via a
large width field in a BMP image. (CVE-2015-8668)

Buffer overflow in the readextension function in gif2tiff.c in LibTIFF
4.0.6 allows remote attackers to cause a denial of service (application
crash) via a crafted GIF file. (CVE-2016-3186) (the program gif2tiff has
been obsoleted)

The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6
and earlier allows remote attackers to cause a denial of service 
(divide-by-zero error) via a crafted TIFF image. (CVE-2016-3622)

The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers 
to cause a denial of service (divide-by-zero) by setting the (1) v or (2)
h parameter to 0. (CVE-2016-3623)

The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier 
allows remote attackers to cause a denial of service (out-of-bounds write)
or execute arbitrary code via a crafted TIFF image. (CVE-2016-3632)

Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile 
functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode
is enabled,allow remote attackers to cause a denial of service (crash) or 
execute arbitrary code via a crafted TIFF image, which triggers an 
out-of-bounds write. (CVE-2016-3945)

Heap-based buffer overflow in the horizontalDifference8 function in 
tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers 
to cause a denial of service (crash) or execute arbitrary code via 
a crafted TIFF image to tiffcp. (CVE-2016-3990)

Heap-based buffer overflow in the loadImage function in the tiffcrop tool 
in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of 
service (out-of-bounds write) or execute arbitrary code via a crafted TIFF
image with zero tiles. (CVE-2016-3991)

PixarLogDecode() out-of-bound writes (CVE-2016-5314)

tif_dir.c: setByteArray() Read access violation (CVE-2016-5315)

tif_pixarlog.c: PixarLogCleanup() Segmentation fault (CVE-2016-5316)

crash occurs when generating a thumbnail for a crafted TIFF image 
(CVE-2016-5317)

rgb2ycbcr: command excution (CVE-2016-5320)

DumpModeDecode(): Ddos (CVE-2016-5321)

tiffcrop: extractContigSamplesBytes: out-of-bounds read (CVE-2016-5322)

tiffcrop _TIFFFax3fillruns(): divide by zero (CVE-2016-5323)

tiff: heap-based buffer overflow when using the PixarLog compression format (CVE-2016-5875)

tiff: information leak in libtiff/tif_read.c (CVE-2016-6223)

References

SRPMS

5/core