Vulnerabilities > CVE-2016-10095 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libtiff 4.0.7

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
libtiff
CWE-119
nessus

Summary

Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7 and 4.0.8 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.

Vulnerable Configurations

Part Description Count
Application
Libtiff
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-31.NASL
    descriptionThis update for tiff to version 4.0.9 fixes the following issues : Security issues fixed : - CVE-2014-8128: Fix out-of-bounds read with malformed TIFF image in multiple tools (bsc#969783). - CVE-2015-7554: Fix invalid write in tiffsplit / _TIFFVGetField (bsc#960341). - CVE-2016-10095: Fix stack-based buffer overflow in _TIFFVGetField (tif_dir.c) (bsc#1017690). - CVE-2016-5318: Fix stackoverflow in thumbnail (bsc#983436). - CVE-2017-16232: Fix memory-based DoS in tiff2bw (bsc#1069213). This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-01-16
    plugin id106060
    published2018-01-16
    reporterThis script is Copyright (C) 2018-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/106060
    titleopenSUSE Security Update : tiff (openSUSE-2018-31)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2018-31.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106060);
      script_version("3.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2014-8128", "CVE-2015-7554", "CVE-2016-10095", "CVE-2016-5318", "CVE-2017-16232");
    
      script_name(english:"openSUSE Security Update : tiff (openSUSE-2018-31)");
      script_summary(english:"Check for the openSUSE-2018-31 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tiff to version 4.0.9 fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2014-8128: Fix out-of-bounds read with malformed
        TIFF image in multiple tools (bsc#969783).
    
      - CVE-2015-7554: Fix invalid write in tiffsplit /
        _TIFFVGetField (bsc#960341).
    
      - CVE-2016-10095: Fix stack-based buffer overflow in
        _TIFFVGetField (tif_dir.c) (bsc#1017690).
    
      - CVE-2016-5318: Fix stackoverflow in thumbnail
        (bsc#983436).
    
      - CVE-2017-16232: Fix memory-based DoS in tiff2bw
        (bsc#1069213).
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1017690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1069213"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=960341"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=969783"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=983436"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected tiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/16");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff-devel-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff5-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff5-debuginfo-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-debuginfo-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-debugsource-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.9-17.9.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libtiff-devel-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libtiff5-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libtiff5-debuginfo-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"tiff-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"tiff-debuginfo-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"tiff-debugsource-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff5-32bit-4.0.9-24.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.9-24.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-devel-32bit / libtiff-devel / libtiff5-32bit / libtiff5 / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1835-1.NASL
    descriptionThis update for tiff fixes the following security issues : - CVE-2017-5225: Prevent heap buffer overflow in the tools/tiffcp that could have caused DoS or code execution via a crafted BitsPerSample value (bsc#1019611) - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2016-10266: Prevent remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22 (bsc#1031263) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-9540: Prevent out-of-bounds write on tiled images with odd tile width versus image width (bsc#1011839). - CVE-2016-9535: tif_predict.h and tif_predict.c had assertions that could have lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling (bsc#1011846). - CVE-2016-9535: tif_predict.h and tif_predict.c had assertions that could have lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling (bsc#1011846). - Removed assert in readSeparateTilesIntoBuffer() function (bsc#1017689). - CVE-2016-10095: Prevent stack-based buffer overflow in the _TIFFVGetField function that allowed remote attackers to cause a denial of service (crash) via a crafted TIFF file (bsc#1017690). - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF
    last seen2020-06-01
    modified2020-06-02
    plugin id110803
    published2018-06-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110803
    titleSUSE SLES11 Security Update : tiff (SUSE-SU-2018:1835-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3903.NASL
    descriptionMultiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id101241
    published2017-07-06
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101241
    titleDebian DSA-3903-1 : tiff - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0073-1.NASL
    descriptionThis update for tiff to version 4.0.9 fixes the following issues: Security issues fixed : - CVE-2014-8128: Fix out-of-bounds read with malformed TIFF image in multiple tools (bsc#969783). - CVE-2015-7554: Fix invalid write in tiffsplit / _TIFFVGetField (bsc#960341). - CVE-2016-10095: Fix stack-based buffer overflow in _TIFFVGetField (tif_dir.c) (bsc#1017690). - CVE-2016-5318: Fix stackoverflow in thumbnail (bsc#983436). - CVE-2017-16232: Fix memory-based DoS in tiff2bw (bsc#1069213). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106043
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106043
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:0073-1)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-324-01.NASL
    descriptionNew libtiff packages are available for Slackware 14.2 and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104702
    published2017-11-21
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104702
    titleSlackware 14.2 / current : libtiff (SSA:2017-324-01)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-984.NASL
    descriptiontiff was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches by the upstream provided patches to stay closer to upstream. For Debian 7
    last seen2020-03-17
    modified2017-06-14
    plugin id100772
    published2017-06-14
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/100772
    titleDebian DLA-984-1 : tiff security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1179-1.NASL
    descriptionThis update for tiff fixes the following issues : - CVE-2016-9453: The t2p_readwrite_pdf_image_tile function allowed remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one (bsc#1011107). - CVE-2016-5652: An exploitable heap-based buffer overflow existed in the handling of TIFF images in the TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means (bsc#1007280). - CVE-2017-11335: There is a heap-based buffer overflow in tools/tiff2pdf.c via a PlanarConfig=Contig image, which caused a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack (bsc#1048937). - CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka
    last seen2020-06-01
    modified2020-06-02
    plugin id109674
    published2018-05-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109674
    titleSUSE SLES11 Security Update : tiff (SUSE-SU-2018:1179-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-983.NASL
    descriptiontiff3 was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches by the upstream provided patches to stay closer to upstream. For Debian 7
    last seen2020-03-17
    modified2017-06-14
    plugin id100771
    published2017-06-14
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/100771
    titleDebian DLA-983-1 : tiff3 security update