{
  "schema_version": "1.7.0",
  "id": "MGASA-2016-0349",
  "published": "2016-10-20T22:35:16Z",
  "modified": "2016-10-20T22:26:51Z",
  "summary": "The updated packages fix libtiff security vulnerabilities",
  "details": "The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows \nattackers to cause a denial of service (invalid memory write and \ncrash) or possibly have unspecified other impact via crafted field\ndata in an extension tag in a TIFF image. (CVE-2015-7554)\n\nHeap-based buffer overflow in the PackBitsPreEncode function in \ntif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote\nattackers to execute arbitrary code or cause a denial of service via a\nlarge width field in a BMP image. (CVE-2015-8668)\n\nBuffer overflow in the readextension function in gif2tiff.c in LibTIFF\n4.0.6 allows remote attackers to cause a denial of service (application\ncrash) via a crafted GIF file. (CVE-2016-3186) (the program gif2tiff has\nbeen obsoleted)\n\nThe fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6\nand earlier allows remote attackers to cause a denial of service \n(divide-by-zero error) via a crafted TIFF image. (CVE-2016-3622)\n\nThe rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers \nto cause a denial of service (divide-by-zero) by setting the (1) v or (2)\nh parameter to 0. (CVE-2016-3623)\n\nThe _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier \nallows remote attackers to cause a denial of service (out-of-bounds write)\nor execute arbitrary code via a crafted TIFF image. (CVE-2016-3632)\n\nMultiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile \nfunctions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode\nis enabled,allow remote attackers to cause a denial of service (crash) or \nexecute arbitrary code via a crafted TIFF image, which triggers an \nout-of-bounds write. (CVE-2016-3945)\n\nHeap-based buffer overflow in the horizontalDifference8 function in \ntif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers \nto cause a denial of service (crash) or execute arbitrary code via \na crafted TIFF image to tiffcp. (CVE-2016-3990)\n\nHeap-based buffer overflow in the loadImage function in the tiffcrop tool \nin LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of \nservice (out-of-bounds write) or execute arbitrary code via a crafted TIFF\nimage with zero tiles. (CVE-2016-3991)\n\nPixarLogDecode() out-of-bound writes (CVE-2016-5314)\n\ntif_dir.c: setByteArray() Read access violation (CVE-2016-5315)\n\ntif_pixarlog.c: PixarLogCleanup() Segmentation fault (CVE-2016-5316)\n\ncrash occurs when generating a thumbnail for a crafted TIFF image \n(CVE-2016-5317)\n\nrgb2ycbcr: command excution (CVE-2016-5320)\n\nDumpModeDecode(): Ddos (CVE-2016-5321)\n\ntiffcrop: extractContigSamplesBytes: out-of-bounds read (CVE-2016-5322)\n\ntiffcrop _TIFFFax3fillruns(): divide by zero (CVE-2016-5323)\n\ntiff: heap-based buffer overflow when using the PixarLog compression format (CVE-2016-5875)\n\ntiff: information leak in libtiff/tif_read.c (CVE-2016-6223)\n",
  "upstream": [
    "CVE-2015-7554",
    "CVE-2015-8668",
    "CVE-2016-3186",
    "CVE-2016-3622",
    "CVE-2016-3623",
    "CVE-2016-3632",
    "CVE-2016-3945",
    "CVE-2016-3990",
    "CVE-2016-3991",
    "CVE-2016-5314",
    "CVE-2016-5315",
    "CVE-2016-5316",
    "CVE-2016-5317",
    "CVE-2016-5320",
    "CVE-2016-5321",
    "CVE-2016-5322",
    "CVE-2016-5323",
    "CVE-2016-5875",
    "CVE-2016-6223"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2016-0349.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=17480"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2015/12/26/7"
    },
    {
      "type": "WEB",
      "url": "https://lists.opensuse.org/opensuse-updates/2016-04/msg00064.html"
    },
    {
      "type": "WEB",
      "url": "http://openwall.com/lists/oss-security/2016/07/14/4"
    },
    {
      "type": "WEB",
      "url": "http://lwn.net/Vulnerabilities/695692/"
    },
    {
      "type": "WEB",
      "url": "https://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html"
    },
    {
      "type": "WEB",
      "url": "https://rhn.redhat.com/errata/RHSA-2016-1546.html"
    },
    {
      "type": "WEB",
      "url": "http://lwn.net/Vulnerabilities/696207/"
    },
    {
      "type": "WEB",
      "url": "http://lwn.net/Vulnerabilities/698795/"
    },
    {
      "type": "WEB",
      "url": "http://lwn.net/Vulnerabilities/699684/"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:5",
        "name": "libtiff",
        "purl": "pkg:rpm/mageia/libtiff?arch=source&distro=mageia-5"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.6-1.4.mga5"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}