Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 429
Alerts This Week
Warning Icon 1 429

openSUSE: 2016:3036-1 Critical: JPEG Security Vulnerabilities Addressed

opensuse
Calendar Grey December 7, 2016
Dist Opensuse Esm H88
A critical enhancement for openSUSE's tiff package addresses several vulnerabilities and boosts overall performance.
An update that fixes 14 vulnerabilities is now available.

Description

Tiff was updated to version 4.0.7. This update fixes the following issues:

* libtiff/tif_aux.c

+ Fix crash in TIFFVGetFieldDefaulted() when requesting Predictor tag

and that the zip/lzw codec is not configured.

()

* libtiff/tif_compress.c

+ Make TIFFNoDecode() return 0 to indicate an error and make upper

level read routines treat it accordingly.

()

* libtiff/tif_dir.c

+ Discard values of SMinSampleValue and SMaxSampleValue when they have

been read and the value of SamplesPerPixel is changed afterwards

(like when reading a OJPEG compressed image with a missing

SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing

SamplesPerPixel being 3). Otherwise when rewriting the directory

(for example with tiffset, we will expect 3 values whereas the array

had been allocated with just

one), thus causing a out of bound read access....

Read the Full Advisory

Patch

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2016-1425=1

To bring your system up-to-date, use "zypper patch".

Package List

- openSUSE 13.2 (i586 x86_64):

libtiff-devel-4.0.7-10.35.1

libtiff5-4.0.7-10.35.1

libtiff5-debuginfo-4.0.7-10.35.1

tiff-4.0.7-10.35.1

tiff-debuginfo-4.0.7-10.35.1

tiff-debugsource-4.0.7-10.35.1

- openSUSE 13.2 (x86_64):

libtiff-devel-32bit-4.0.7-10.35.1

libtiff5-32bit-4.0.7-10.35.1

libtiff5-debuginfo-32bit-4.0.7-10.35.1

References

https://www.suse.com/security/cve/CVE-2014-8127.html

https://www.suse.com/security/cve/CVE-2015-7554.html

https://www.suse.com/security/cve/CVE-2015-8665.html

https://www.suse.com/security/cve/CVE-2015-8683.html

https://www.suse.com/security/cve/CVE-2016-3622.html

https://www.suse.com/security/cve/CVE-2016-3658.html

https://www.suse.com/security/cve/CVE-2016-5321.html

https://www.suse.com/security/cve/CVE-2016-5323.html

https://www.suse.com/security/cve/CVE-2016-5652.html

https://www.suse.com/security/cve/CVE-2016-5875.html

https://www.suse.com/security/cve/CVE-2016-9273.html

https://www.suse.com/security/cve/CVE-2016-9297.html

https://www.suse.com/security/cve/CVE-2016-9448.html

https://www.suse.com/security/cve/CVE-2016-9453.html

https://bugzilla.suse.com/1007280

https://bugzilla.suse.com/1010161

https://bugzilla.suse.com/1010163

https://bugzilla.suse.com/1011103

https://bugzilla.suse.com/1011107

https://bugzilla.suse.com/914890

https://bugzilla.suse.com/974449

https://bugzilla.suse.com/974840

https://bug...

Read the Full Advisory

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: openSUSE-SU-2016:3035-1
Rating: important
Affected Products: openSUSE 13.2

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.