Advisories ยป MGASA-2017-0199

Updated libtiff packages fix security vulnerability

Publication date: 01 Jul 2017
Type: security
Affected Mageia releases : 5
CVE: CVE-2014-8128 , CVE-2016-3658 , CVE-2016-9535 , CVE-2016-10092 , CVE-2016-10093 , CVE-2016-10094 , CVE-2016-10095 , CVE-2016-10266 , CVE-2016-10267 , CVE-2016-10268 , CVE-2016-10269 , CVE-2016-10270 , CVE-2016-10271 , CVE-2016-10272 , CVE-2017-5225 , CVE-2017-7592 , CVE-2017-7593 , CVE-2017-7594 , CVE-2017-7595 , CVE-2017-7596 , CVE-2017-7597 , CVE-2017-7598 , CVE-2017-7599 , CVE-2017-7600 , CVE-2017-7601 , CVE-2017-7602

Description

Heap-based buffer overflow in the readContigStripsIntoBuffer function in
tif_unix.c in LibTIFF 4.0.7 allows remote attackers to have unspecified
impact via a crafted image. (CVE-2016-10092)

Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 allows remote
attackers to have unspecified impact via a crafted image, which triggers a
heap-based buffer overflow.  (CVE-2016-10093)

Off-by-one error in the t2p_readwrite_pdf_image_tile function in
tools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have
unspecified impact via a crafted image. (CVE-2016-10094)

Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in
LibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash)
via a crafted TIFF file. (CVE-2016-10095)

LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the
tools/tiffcp resulting in DoS or code execution via a crafted
BitsPerSample value. (CVE-2017-5225)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service
(divide-by-zero error and application crash) via a crafted TIFF image,
related to libtiff/tif_read.c:351:22. (CVE-2016-10266)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service
(divide-by-zero error and application crash) via a crafted TIFF image,
related to libtiff/tif_ojpeg.c:816:8. (CVE-2016-10267)

tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial
of service (integer underflow and heap-based buffer under-read) or
possibly have unspecified other impact via a crafted TIFF image, related
to "READ of size 78490" and libtiff/tif_unix.c:115:23. (CVE-2016-10268)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service
(heap-based buffer over-read) or possibly have unspecified other impact
via a crafted TIFF image, related to "READ of size 512" and
libtiff/tif_unix.c:340:2. (CVE-2016-10269)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service
(heap-based buffer over-read) or possibly have unspecified other impact
via a crafted TIFF image, related to "READ of size 8" and
libtiff/tif_read.c:523:22. (CVE-2016-10270)

tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a
denial of service (heap-based buffer over-read and buffer overflow) or
possibly have unspecified other impact via a crafted TIFF image, related
to "READ of size 1" and libtiff/tif_fax3.c:413:13. (CVE-2016-10271)

LibTIFF 4.0.7 allows remote attackers to cause a denial of service
(heap-based buffer overflow) or possibly have unspecified other impact via
a crafted TIFF image, related to "WRITE of size 2048" and
libtiff/tif_next.c:64:9. (CVE-2016-10272)

The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a
left-shift undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image. (CVE-2017-7592)

tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly
initialized, which might allow remote attackers to obtain sensitive
information from process memory via a crafted image. (CVE-2017-7593)

The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF
4.0.7 allows remote attackers to cause a denial of service (memory leak)
via a crafted image. (CVE-2017-7594)

The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote
attackers to cause a denial of service (divide-by-zero error and
application crash) via a crafted image. (CVE-2017-7595)

LibTIFF 4.0.7 has an "outside the range of representable values of type
float" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image. (CVE-2017-7596)

tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable
values of type float" undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly
have unspecified other impact via a crafted image. (CVE-2017-7597)

tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a
denial of service (divide-by-zero error and application crash) via a
crafted image. (CVE-2017-7598)

LibTIFF 4.0.7 has an "outside the range of representable values of type
short" undefined behavior issue, which might allow remote attackers to
cause a denial of service (application crash) or possibly have unspecified
other impact via a crafted image. (CVE-2017-7599)

LibTIFF 4.0.7 has an "outside the range of representable values of type
unsigned char" undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly
have unspecified other impact via a crafted image. (CVE-2017-7600)

LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long"
undefined behavior issue, which might allow remote attackers to cause a
denial of service (application crash) or possibly have unspecified other
impact via a crafted image. (CVE-2017-7601)

LibTIFF 4.0.7 has a signed integer overflow, which might allow remote
attackers to cause a denial of service (application crash) or possibly
have unspecified other impact via a crafted image. (CVE-2017-7602)

The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the
tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause
a denial of service (out-of-bounds read) via vectors involving the ma
variable. (CVE-2016-3658)

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can
lead to assertion failures in debug mode, or buffer overflows in release
mode, when dealing with unusual tile size like YCbCr with subsampling.
Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
(CVE-2016-9535)

libtiff: out-of-bounds write in multiple tools. (CVE-2014-8128)
                

References

SRPMS

5/core