ArchLinux: 201611-26: libtiff: multiple issues
Summary
- CVE-2010-2596 (denial of service)
The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2,
as used in tiff2ps, allows remote attackers to cause a denial of
service (assertion failure and application exit) via a crafted TIFF
image, related to "downsampled OJPEG input."
- CVE-2014-8127 (information disclosure)
LibTIFF provides support for the Tag Image File Format (TIFF), a widely
used format for storing image data. It is composed of a library for
working with TIFF files along with a small collection of tools for
doing simple manipulations of TIFF images.
Multiple out-of-bounds reads can be triggered with malformed TIFF
images in the following LibTIFF tools: thumbnail, tiff2bw, tiff2rgba,
tiff2ps, tiffdither, tiffmedian, tiffset
- CVE-2014-8130 (denial of service)
A floating point exception due to a division by zero in the tiffdither
tool can be triggered with a malformed TIFF file leading to denial of
service.
- CVE-2015-7313 (denial of service)
A denial of service flaw was found in the way libtiff parsed certain
tiff files. An attacker could use this flaw to create a specially
crafted TIFF file that would cause an application using libtiff to
exhaust all available memory on the system.
- CVE-2015-8665 (denial of service)
tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a
denial of service (out-of-bounds read) via the SamplesPerPixel tag in a
TIFF image.
- CVE-2015-8668 (arbitrary code execution)
Heap-based buffer overflow in the PackBitsPreEncode function in
tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote
attackers to execute arbitrary code or cause a denial of service via a
large width field in a BMP image.
- CVE-2015-8683 (denial of service)
An out-of-bounds read flaw was found in the way libtiff processed CIE Lab
image format files. An attacker could create a specially crafted CIE Lab
image file which could cause libtiff to crash.
- CVE-2016-3186 (denial of service)
A buffer overflow vulnerability was reported in the libtiff library, in
the readextension function of the gif2tiff component. A maliciously
crafted GIF file could cause the application to crash, resulting in
denial of service.
- CVE-2016-3619 (denial of service)
An out-of-bounds read vulnerability has been discovered in the
DumpModeEncode function when handling maliciously crafted BMP files,
while doing operation _TIFFmemcpy. An attacker could exploit this issue
to cause a denial of service.
- CVE-2016-3620 (denial of service)
An out-of-bounds read vulnerability has been discovered in ZIPEncode
function in tif_zip.c. Running bmp2tiff on a specially crafted BMP file
results in an application crash.
- CVE-2016-3621 (denial of service)
The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF
4.0.6 and earlier, when the "-c lzw" option is used, allows remote
attackers to cause a denial of service (buffer over-read) via a crafted
BMP image.
- CVE-2016-3622 (denial of service)
A division-by-zero vulnerability was found in the fpAcc function in
tif_predict.c in tiff2rgba, allowing an attacker to cause a denial of
service via a crafted TIFF image.
- CVE-2016-3623 (denial of service)
A division-by-zero vulnerability was found in the cvtRaster function in
rgb2ycybr.c, allowing an attacker to cause a denial of service via a
crafted TIFF image.
- CVE-2016-3624 (arbitrary code execution)
An out-of-bounds write vulnerability was found in the cvtClump function
in rgb2ycybr.c, allowing an attacker to cause a denial of service or
possibly execute arbitrary code via a crafted TIFF image.
- CVE-2016-3625 (denial of service)
An out-of-bounds read vulnerability was found in tif_read.c in tiff2bw,
allowing an attacker to cause a denial of service via a crafted TIFF
image.
- CVE-2016-3631 (denial of service)
The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in
LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of
service (out-of-bounds read) via vectors related to the bytecounts[]
array variable.
- CVE-2016-3632 (arbitrary code execution)
An out-of-bounds write vulnerability was found in the _TIFFVGetField
function in tif_dirinfo.c, allowing an attacker to cause a denial of
service or code execution via a crafted TIFF image.
- CVE-2016-3633 (denial of service)
An out-of-bounds read vulnerability was found in the _setrow function
in the libtiff library. Using a thumbnail command on a maliciously
crafted image could cause the application to crash.
- CVE-2016-3634 (denial of service)
A vulnerability was found in the libtiff library. Using the tagCompare
function with the thumbnail command on a maliciously crafted tiff file
could cause an out-of-bounds read leading to application crash.
- CVE-2016-3658 (denial of service)
An out-of-bounds read vulnerability was found in the
TIFFWriteDirectoryTagLongLong8Array function in the libtiff library.
Using a tiffset command on a maliciously crafted image could result in
a denial-of-service.
- CVE-2016-3945 (arbitrary code execution)
When libtiff's tiff2rgba handles a maliciously crafted TIFF file
(width=8388640, height=31), an illegal write happens. This vulnerability
exists in the function cvt_by_strip (and cvt_by_tile) due to an improper
buffer allocation. An attacker may control the write address and/or
value, resulting in denial of service or arbitrary code execution.
- CVE-2016-3990 (arbitrary code execution)
An out-of-bounds write flaw was found in libtiff v4.0.6 when using the
tiffcp command to handle a malicious TIFF file. The vulnerability exists
in the function horizontalDifference8(). An attacker could control the
header of the next heap chunk, which contains the prev_size and size
fields, resulting in denial of service or arbitrary code execution.
- CVE-2016-3991 (arbitrary code execution)
An out-of-bounds write caused by a heap overflow when using the tiffcrop
tool. The vulnerability is located in the loadImage() function of
tiffcrop.c. loadImage() reads the number of tiles by calling
TIFFNumberOfTiles(). However, if the number of tiles is 0, loadImage()
still reads tile data from the image by calling
readContigTilesIntoBuffer(), regardless of that number. In that case,
loadImage() allocates 3 bytes of heap to store the tile data, and a heap
overflow occurs if the tile data exceeds 3 bytes. This causes denial of
service or arbitrary code execution upon freeing the buffer.
- CVE-2016-5102 (denial of service)
A vulnerability was found in libtiff. A maliciously crafted file could
cause the application to crash via a buffer overflow in the gif2tiff tool.
- CVE-2016-5314 (arbitrary code execution)
A vulnerability was found in libtiff. A maliciously crafted TIFF file
could cause the application to crash when using the rgb2ycbcr command
via an out-of-bounds write in the PixarLogDecode() function.
- CVE-2016-5315 (denial of service)
An out-of-bounds read vulnerability was found in the setByteArray()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash when using rgb2ycbcr.
- CVE-2016-5316 (denial of service)
An out-of-bounds read vulnerability was found in the PixarLogCleanup()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash when using rgb2ycbcr.
- CVE-2016-5317 (arbitrary code execution)
An out-of-bounds write vulnerability was found in the PixarLogDecode()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash or possibly execute arbitrary code when generating
a thumbnail for it.
- CVE-2016-5318 (arbitrary code execution)
A stack-based buffer overflow vulnerability was reported in thumbnail's
_TIFFVGetField() function. Memory corruption can be triggered when
handling a maliciously crafted TIFF file, causing the application to
crash or possibly execute arbitrary code.
- CVE-2016-5319 (arbitrary code execution)
A heap-based buffer overflow vulnerability was found in the
PackBitsEncode function in tif_packbits.c. Memory corruption can be
triggered when bmp2tiff is handling a maliciously crafted BMP file,
causing the application to crash or possibly execute arbitrary code.
- CVE-2016-5320 (arbitrary code execution)
An out-of-bounds write vulnerability was found in the PixarLogDecode()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash or even execute arbitrary code on a vulnerable
machine when using the rgb2ycbcr command.
- CVE-2016-5321 (denial of service)
An out-of-bounds read vulnerability was found in the DumpModeDecode()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash when using tiffcrop command.
- CVE-2016-5322 (denial of service)
An out-of-bounds read vulnerability was found in the
extractContigSamplesBytes() function in libtiff. A maliciously crafted
TIFF file could cause the application to crash when using the tiffcrop
command.
- CVE-2016-5323 (denial of service)
When using the tiffcrop command and a crafted TIFF image, the function
_TIFFFax3fill() runs without checking the value of the divisor and
causes a divide by zero flaw. Attackers can exploit this issue to cause
a denial of service.
- CVE-2016-5652 (arbitrary code execution)
An exploitable heap based buffer overflow exists in the handling of
TIFF images in LibTIFF’s TIFF2PDF tool. A crafted TIFF document can
lead to a heap based buffer overflow via JPEG Compression Tables
resulting in remote code execution. This vulnerability can be triggered
via a saved TIFF file delivered by other means.
- CVE-2016-5875 (arbitrary code execution)
There is a heap-based buffer overflow on libtiff/tif_pixarlog.c. The
vulnerability allows an attacker to control the size of the allocated
heap-buffer while independently controlling the data to be written to
the buffer with no restrictions on the size of the written data.
- CVE-2016-6223 (information disclosure)
An out-of-bounds read vulnerability on memory-mapped files in
TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond
tmsize_t max value was found. The vulnerability allows an attacker to
specify a negative index into the file-content buffer and copy data
from that position until the end of the buffer. This will allow an
attacker to crash the process by accessing unmapped memory and
(depending on how LibTIFF is used) might also allow an attacker to leak
sensitive information.
- CVE-2016-9273 (denial of service)
A heap buffer overflow has been discovered resulting in a read outside
of the array boundaries leading to an application crash.
- CVE-2016-9297 (denial of service)
A buffer read overflow has been discovered in libtiff. The function
TIFFFetchNormalTag() in libtiff/tif_dirread.c did not make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated leading to potential read outside the buffer
in _TIFFPrintField().
- CVE-2016-9448 (denial of service)
A null pointer dereference vulnerability in TIFFFetchNormalTag() occurs
when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays leading to denial of service.
- CVE-2016-9453 (arbitrary code execution)
An out-of-bounds write vulnerability has been discovered caused by a
memcpy call without proper bounds checks. A malicious tiff file handled
by tiff2pdf will cause an illegal write to a potentially attacker
controlled target address.
- CVE-2016-9532 (arbitrary code execution)
Multiple uint32 overflows have been discovered that lead to a heap
buffer overflow in writeBufferToSeparateStrips(). A maliciously crafted
TIFF file could cause the application to crash or even execute arbitrary
code on a vulnerable machine.
- CVE-2016-9533 (arbitrary code execution)
tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog
horizontalDifference heap-buffer-overflow."
- CVE-2016-9534 (arbitrary code execution)
tif_write.c in libtiff 4.0.6 has an issue in the error code path of
TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members.
Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow."
- CVE-2016-9535 (arbitrary code execution)
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that
can lead to assertion failures in debug mode, or buffer overflows in
release mode, when dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
- CVE-2016-9536 (arbitrary code execution)
It was found that tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds
write vulnerabilities in heap allocated buffers in
t2p_process_jpeg_strip().
- CVE-2016-9537 (arbitrary code execution)
It was found that tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds
write vulnerabilities in heap allocated buffers.
- CVE-2016-9538 (denial of service)
It was found that tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
buffer in readContigStripsIntoBuffer() because of a uint16 integer
overflow.
- CVE-2016-9539 (information disclosure)
It was found that tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
read in readContigTilesIntoBuffer() leading to possible information
disclosure.
- CVE-2016-9540 (arbitrary code execution)
It was found that tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds
heap write on tiled images with odd tile width versus image width. This
has also been reported as MSVR 35103, aka "cpStripToTile
heap-buffer-overflow."
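The two tag-parsing defects above, CVE-2016-9297 (ASCII tag values not guaranteed to be NUL-terminated) and CVE-2016-9448 (0-byte ASCII tag values dereferenced as strings), both come down to trusting a count taken from the file. The following added example is not libtiff code: it is a constructed fetch routine for an ASCII tag value given as a byte count plus raw bytes, which never reads past the count, always appends a terminator, and rejects an empty value instead of handing a 0-byte array to string functions. The names fetch_ascii_tag and fetched_len and the sample values are constructed for this illustration.

```c
/* Constructed illustration, not libtiff code: hardened handling of a
 * TIFF ASCII tag value (count plus raw bytes, as with the
 * TIFF_SETGET_C16_ASCII / C32_ASCII access style named in the advisory). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tag values as they would arrive from a file. */
const uint8_t TAG_TERMINATED[]   = { 'A', 'r', 'c', 'h', '\0' }; /* count 5 */
const uint8_t TAG_UNTERMINATED[] = { 'A', 'r', 'c', 'h' };       /* count 4, no NUL */

/* Return a heap copy of the value that is always NUL-terminated, taking
 * at most `count` bytes and stopping at the first NUL inside them.
 * A zero-length or missing value yields NULL rather than an empty
 * array, so callers must check before treating it as a C string. */
char *fetch_ascii_tag(const uint8_t *data, uint32_t count)
{
    if (data == NULL || count == 0)
        return NULL;                    /* CVE-2016-9448 case: no data at all */
    size_t len = 0;
    while (len < count && data[len] != '\0')
        len++;                          /* bounded by count, never by a NUL search */
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, data, len);
    out[len] = '\0';                    /* CVE-2016-9297 case: terminator guaranteed */
    return out;
}

/* Length of the fetched string as a later printer would see it,
 * or -1 when the value was rejected. */
long fetched_len(const uint8_t *data, uint32_t count)
{
    char *s = fetch_ascii_tag(data, count);
    if (s == NULL)
        return -1;
    long n = (long)strlen(s);
    free(s);
    return n;
}

int main(void)
{
    printf("terminated   (count 5): %ld\n", fetched_len(TAG_TERMINATED, 5));
    printf("unterminated (count 4): %ld\n", fetched_len(TAG_UNTERMINATED, 4));
    printf("zero-length  (count 0): %ld\n", fetched_len(TAG_UNTERMINATED, 0));
    return 0;
}
```

The unterminated input is the one that matters: a strlen() on the raw bytes would run off the end of the 4-byte value, while the bounded copy returns exactly 4 characters.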
Resolution
Upgrade to 4.0.7-1.
# pacman -Syu "libtiff>=4.0.7-1"
The problems have been fixed upstream in version 4.0.7.
References
https://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
https://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt
https://seclists.org/oss-sec/2015/q3/601
https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
https://www.openwall.com/lists/oss-security/2015/12/24/4
https://seclists.org/bugtraq/2015/Dec/138
https://www.openwall.com/lists/oss-security/2015/12/25/1
https://www.openwall.com/lists/oss-security/2016/03/30/2
https://www.openwall.com/lists/oss-security/2016/04/07/1
https://seclists.org/oss-sec/2016/q2/21
https://seclists.org/oss-sec/2016/q2/22
https://seclists.org/oss-sec/2016/q2/23
https://seclists.org/oss-sec/2016/q2/27
https://seclists.org/oss-sec/2016/q2/28
https://seclists.org/oss-sec/2016/q2/29
https://seclists.org/oss-sec/2016/q2/24
https://seclists.org/oss-sec/2016/q2/33
https://www.openwall.com/lists/oss-security/2016/04/08/11
https://www.openwall.com/lists/oss-security/2016/04/08/13
https://www.openwall.com/lists/oss-security/2016/04/08/12
https://seclists.org/oss-sec/2016/q2/30
https://seclists.org/oss-sec/2016/q2/57
https://www.openwall.com/lists/oss-security/2016/06/15/1
https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2
https://www.openwall.com/lists/oss-security/2016/06/15/2
https://www.openwall.com/lists/oss-security/2016/06/15/3
https://www.openwall.com/lists/oss-security/2016/06/15/5
https://seclists.org/oss-sec/2016/q2/486
https://www.openwall.com/lists/oss-security/2016/06/15/9
https://www.openwall.com/lists/oss-security/2016/06/15/7
https://www.openwall.com/lists/oss-security/2016/06/15/8
https://seclists.org/oss-sec/2016/q2/548
https://talosintelligence.com/vulnerability_reports/TALOS-2016-0187/
https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63
https://www.openwall.com/lists/oss-security/2016/06/29/6
https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496
https://www.openwall.com/lists/oss-security/2016/07/13/3
https://www.openwall.com/lists/oss-security/2016/11/09/20
https://github.com/vadz/libtiff/commit/d651abc097d91fac57f33b5f9447d0a9183f58e7
https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed
https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e
https://seclists.org/oss-sec/2016/q4/464
https://www.openwall.com/lists/oss-security/2016/09/29/
https://www.openwall.com/lists/oss-security/2016/11/11/14
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
https://access.redhat.com/security/cve/CVE-2010-2596
https://access.redhat.com/security/cve/CVE-2014-8127
https://access.redhat.com/security/cve/CVE-2014-8130
https://access.redhat.com/security/cve/CVE-2015-7313
https://access.redhat.com/security/cve/CVE-2015-8665
https://access.redhat.com/security/cve/CVE-2015-8668
https://access.redhat.com/security/cve/CVE-2015-8683
https://access.redhat.com/security/cve/CVE-2016-3186
https://access.redhat.com/security/cve/CVE-2016-3619
https://access.redhat.com/security/cve/CVE-2016-3620
https://access.redhat.com/security/cve/CVE-2016-3621
https://access.redhat.com/security/cve/CVE-2016-3622
https://access.redhat.com/security/cve/CVE-2016-3623
https://access.redhat.com/security/cve/CVE-2016-3624
https://access.redhat.com/security/cve/CVE-2016-3625
https://access.redhat.com/security/cve/CVE-2016-3631
https://access.redhat.com/security/cve/CVE-2016-3632
https://access.redhat.com/security/cve/CVE-2016-3633
https://access.redhat.com/security/cve/CVE-2016-3634
https://access.redhat.com/security/cve/CVE-2016-3658
https://access.redhat.com/security/cve/CVE-2016-3945
https://access.redhat.com/security/cve/CVE-2016-3990
https://access.redhat.com/security/cve/CVE-2016-3991
https://access.redhat.com/security/cve/CVE-2016-5102
https://access.redhat.com/security/cve/CVE-2016-5314
https://access.redhat.com/security/cve/CVE-2016-5315
https://access.redhat.com/security/cve/CVE-2016-5316
https://access.redhat.com/security/cve/CVE-2016-5317
https://access.redhat.com/security/cve/CVE-2016-5318
https://access.redhat.com/security/cve/CVE-2016-5319
https://access.redhat.com/security/cve/CVE-2016-5320
https://access.redhat.com/security/cve/CVE-2016-5321
https://access.redhat.com/security/cve/CVE-2016-5322
https://access.redhat.com/security/cve/CVE-2016-5323
https://access.redhat.com/security/cve/CVE-2016-5652
https://access.redhat.com/security/cve/CVE-2016-5875
https://access.redhat.com/security/cve/CVE-2016-6223
https://access.redhat.com/security/cve/CVE-2016-9273
https://access.redhat.com/security/cve/CVE-2016-9297
https://access.redhat.com/security/cve/CVE-2016-9448
https://access.redhat.com/security/cve/CVE-2016-9453
https://access.redhat.com/security/cve/CVE-2016-9532
https://access.redhat.com/security/cve/CVE-2016-9533
https://access.redhat.com/security/cve/CVE-2016-9534
https://access.redhat.com/security/cve/CVE-2016-9535
https://access.redhat.com/security/cve/CVE-2016-9536
https://access.redhat.com/security/cve/CVE-2016-9537
https://access.redhat.com/security/cve/CVE-2016-9538
https://access.redhat.com/security/cve/CVE-2016-9539
https://access.redhat.com/security/cve/CVE-2016-9540
Workaround
None.