
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201701-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libTIFF: Multiple vulnerabilities
     Date: January 09, 2017
     Bugs: #484542, #534108, #538318, #561880, #572876, #585274,
           #585508, #599746
       ID: 201701-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
=======
Multiple vulnerabilities have been found in libTIFF, the worst of which
may allow execution of arbitrary code.

Background
=========
The TIFF library contains encoding and decoding routines for the Tag
Image File Format. It is called by numerous programs, including GNOME
and KDE applications, to interpret TIFF images.

Affected packages
================
    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/tiff              < 4.0.7                    >= 4.0.7

Description
==========
Multiple vulnerabilities have been discovered in libTIFF. Please review
the CVE identifiers and bug reports referenced for details.

Impact
=====
A remote attacker could entice a user to process a specially crafted
image file, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.

Workaround
=========
There is no known workaround at this time.

Resolution
=========
All libTIFF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.0.7"
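
To confirm which side of the 4.0.7 boundary a host is on before and after the upgrade, the check below reads Portage's installed-package database directly. It is an added example, not part of the GLSA; `VDB_ROOT` and the function names are assumptions of this sketch, and versions with `_rc`/`_p` style suffixes are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example, not part of the GLSA. VDB_ROOT and the function names are
# assumptions of this sketch; /var/db/pkg is Portage's installed-package database.
VDB_ROOT="${VDB_ROOT:-/var/db/pkg}"
FIXED="4.0.7"   # first unaffected version in the advisory's table

# ver_lt A B: true if dotted-numeric A < B, compared component by component
# (so 4.0.10 is newer than 4.0.7, which a plain string comparison gets wrong).
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# tiff_status VERSION: prints vulnerable, unaffected or unknown.
tiff_status() {
    v=${1%-r[0-9]*}                      # drop the Gentoo revision (-r1)
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;   # _rc/_p suffixes: check by hand
    esac
    if ver_lt "$v" "$FIXED"; then echo vulnerable; else echo unaffected; fi
}

# report_tiff: one line per installed media-libs/tiff; returns 1 if any is vulnerable.
report_tiff() {
    rc=0; found=0
    for d in "$VDB_ROOT"/media-libs/tiff-[0-9]*; do
        [ -d "$d" ] || continue
        found=1
        pv=${d##*/tiff-}
        st=$(tiff_status "$pv")
        echo "media-libs/tiff-$pv: $st"
        if [ "$st" = vulnerable ]; then rc=1; fi
    done
    if [ "$found" -eq 0 ]; then echo "media-libs/tiff: not installed"; fi
    return $rc
}

report_tiff
```

The script exits non-zero while a vulnerable version is still installed, so it can gate a deployment or monitoring check. Gentoo's own `glsa-check -t 201701-16` tests the system against the advisory itself.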

References
=========
[  1 ] CVE-2013-4243
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4243
[  2 ] CVE-2014-8127
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8127
[  3 ] CVE-2014-8128
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8128
[  4 ] CVE-2014-8129
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8129
[  5 ] CVE-2014-8130
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8130
[  6 ] CVE-2014-9330
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9330
[  7 ] CVE-2014-9655
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9655
[  8 ] CVE-2015-1547
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1547
[  9 ] CVE-2015-7313
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7313
[ 10 ] CVE-2015-7554
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7554
[ 11 ] CVE-2015-8665
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8665
[ 12 ] CVE-2015-8668
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8668
[ 13 ] CVE-2015-8683
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8683
[ 14 ] CVE-2015-8781
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8781
[ 15 ] CVE-2015-8782
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8782
[ 16 ] CVE-2015-8783
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8783
[ 17 ] CVE-2015-8784
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8784
[ 18 ] CVE-2016-3186
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3186
[ 19 ] CVE-2016-3619
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3619
[ 20 ] CVE-2016-3620
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3620
[ 21 ] CVE-2016-3621
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3621
[ 22 ] CVE-2016-3622
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3622
[ 23 ] CVE-2016-3623
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3623
[ 24 ] CVE-2016-3624
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3624
[ 25 ] CVE-2016-3625
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3625
[ 26 ] CVE-2016-3631
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3631
[ 27 ] CVE-2016-3632
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3632
[ 28 ] CVE-2016-3633
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3633
[ 29 ] CVE-2016-3634
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3634
[ 30 ] CVE-2016-3658
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3658
[ 31 ] CVE-2016-3945
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3945
[ 32 ] CVE-2016-3990
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3990
[ 33 ] CVE-2016-3991
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3991
[ 34 ] CVE-2016-5102
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5102
[ 35 ] CVE-2016-5314
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5314
[ 36 ] CVE-2016-5315
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5315
[ 37 ] CVE-2016-5316
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5316
[ 38 ] CVE-2016-5317
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5317
[ 39 ] CVE-2016-5318
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5318
[ 40 ] CVE-2016-5319
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5319
[ 41 ] CVE-2016-5320
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5320
[ 42 ] CVE-2016-5321
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5321
[ 43 ] CVE-2016-5322
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5322
[ 44 ] CVE-2016-5323
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5323
[ 45 ] CVE-2016-5652
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5652
[ 46 ] CVE-2016-5875
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5875
[ 47 ] CVE-2016-6223
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6223
[ 48 ] CVE-2016-8331
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8331
[ 49 ] CVE-2016-9273
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9273
[ 50 ] CVE-2016-9297
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9297
[ 51 ] CVE-2016-9318
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9318
[ 52 ] CVE-2016-9448
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9448
[ 53 ] CVE-2016-9453
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9453
[ 54 ] CVE-2016-9532
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9532

Availability
===========
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201701-16

Concerns?
========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
======
Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5/
