Vulnerabilities > CVE-2016-10268 - Integer Underflow (Wrap or Wraparound) vulnerability in Libtiff 4.0.7

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
libtiff
CWE-191
nessus

Summary

tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23.

Vulnerable Configurations

Part Description Count
Application
Libtiff
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1235.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-03-19
    modified2020-03-13
    plugin id134524
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134524
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134524);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff package installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - An out-of-bounds heap read was discovered in libtiff. A
        crafted file could cause the application to crash or,
        potentially, disclose process memory.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1235
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?470ca94b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-877.NASL
    descriptionlibtiff is vulnerable to multiple buffer overflows and integer overflows that can lead to application crashes (denial of service) or worse. CVE-2016-10266 Integer overflow that can lead to divide-by-zero in TIFFReadEncodedStrip (tif_read.c). CVE-2016-10267 Divide-by-zero error in OJPEGDecodeRaw (tif_ojpeg.c). CVE-2016-10268 Heap-based buffer overflow in TIFFReverseBits (tif_swab.c). CVE-2016-10269 Heap-based buffer overflow in _TIFFmemcpy (tif_unix.c). For Debian 7
    last seen2020-03-17
    modified2017-03-30
    plugin id99043
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99043
    titleDebian DLA-877-1 : tiff security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-877-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99043);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-10266", "CVE-2016-10267", "CVE-2016-10268", "CVE-2016-10269");
    
      script_name(english:"Debian DLA-877-1 : tiff security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "libtiff is vulnerable to multiple buffer overflows and integer
    overflows that can lead to application crashes (denial of service) or
    worse.
    
    CVE-2016-10266
    
    Integer overflow that can lead to divide-by-zero in
    TIFFReadEncodedStrip (tif_read.c).
    
    CVE-2016-10267
    
    Divide-by-zero error in OJPEGDecodeRaw (tif_ojpeg.c). CVE-2016-10268
    
    Heap-based buffer overflow in TIFFReverseBits (tif_swab.c).
    
    CVE-2016-10269
    
    Heap-based buffer overflow in _TIFFmemcpy (tif_unix.c).
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    4.0.2-6+deb7u11.
    
    We recommend that you upgrade your tiff packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2017/03/msg00035.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/tiff"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-opengl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5-alt-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiffxx5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libtiff-doc", reference:"4.0.2-6+deb7u11")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff-opengl", reference:"4.0.2-6+deb7u11")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff-tools", reference:"4.0.2-6+deb7u11")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff5", reference:"4.0.2-6+deb7u11")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff5-alt-dev", reference:"4.0.2-6+deb7u11")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff5-dev", reference:"4.0.2-6+deb7u11")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiffxx5", reference:"4.0.2-6+deb7u11")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1447.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2017-17095) - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-04-30
    modified2020-04-16
    plugin id135609
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135609
    titleEulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2020-1447)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135609);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-17095",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2020-1447)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff package installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows
        remote attackers to cause a denial of service
        (TIFFSetupStrips heap-based buffer overflow and
        application crash) or possibly have unspecified other
        impact via a crafted TIFF file.(CVE-2017-17095)
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.The _TIFFFax3fillruns function in
        libtiff before 4.0.6 allows remote attackers to cause a
        denial of service (divide-by-zero error and application
        crash) via a crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - tiffsplit in libtiff 4.0.6 allows remote attackers to
        cause a denial of service (out-of-bounds read) via a
        crafted file, related to changing td_nstrips in
        TIFF_STRIPCHOP mode.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1447
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abf17028");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1044-1.NASL
    descriptionThis update for tiff fixes the following issues: Security issues fixed : - CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to
    last seen2020-06-01
    modified2020-06-02
    plugin id99466
    published2017-04-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99466
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2017:1044-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:1044-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99466);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/11 11:22:15");
    
      script_cve_id("CVE-2016-10266", "CVE-2016-10267", "CVE-2016-10268", "CVE-2016-10269", "CVE-2016-10270", "CVE-2016-10271", "CVE-2016-10272");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2017:1044-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tiff fixes the following issues: Security issues 
    fixed :
    
      - CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (heap-based buffer overflow)
        or possibly have unspecified other impact via a crafted
        TIFF image, related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9 (bsc#1031247).
    
      - CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows
        remote attackers to cause a denial of service
        (heap-based buffer over-read and buffer overflow) or
        possibly have unspecified other impact via a crafted
        TIFF image, related to 'READ of size 1' and
        libtiff/tif_fax3.c:413:13 (bsc#1031249).
    
      - CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (heap-based buffer over-read)
        or possibly have unspecified other impact via a crafted
        TIFF image, related to 'READ of size 8' and
        libtiff/tif_read.c:523:22 (bsc#1031250).
    
      - CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (heap-based buffer over-read)
        or possibly have unspecified other impact via a crafted
        TIFF image, related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2 (bsc#1031254).
    
      - CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows
        remote attackers to cause a denial of service (integer
        underflow and heap-based buffer under-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23 (bsc#1031255).
    
      - CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (divide-by-zero error and
        application crash) via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8 (bsc#1031262).
    
      - CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (divide-by-zero error and
        application crash) via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22. (bsc#1031263).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031247"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031249"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031250"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031254"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031255"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031262"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031263"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10266/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10267/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10268/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10269/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10270/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10271/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10272/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20171044-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?fa57b34a"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2017-610=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t
    patch SUSE-SLE-SDK-12-SP1-2017-610=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2017-610=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-610=1
    
    SUSE Linux Enterprise Server 12-SP1:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2017-610=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-610=1
    
    SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP1-2017-610=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libtiff5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP1/2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"tiff-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"tiff-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"tiff-debugsource-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-debuginfo-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"tiff-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"tiff-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"tiff-debugsource-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"tiff-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"tiff-debugsource-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"tiff-debuginfo-4.0.7-43.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"tiff-debugsource-4.0.7-43.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2466.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF format image files. Security Fix(es):There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727)The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592)An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100)tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593)The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594)The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595)LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-12-04
    plugin id131619
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131619
    titleEulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-2466)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131619);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3186",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-6223",
        "CVE-2016-9273",
        "CVE-2016-9532",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-16232",
        "CVE-2017-5563",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10963",
        "CVE-2018-12900",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-19210",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546",
        "CVE-2019-6128",
        "CVE-2019-7663"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-2466)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The libtiff package contains a library of functions for
        manipulating TIFF (Tagged Image File Format) image
        format files. TIFF is a widely used file format for
        bitmapped images. TIFF files usually end in the .tif
        extension and they are often quite large. The libtiff
        package should be installed if you need to manipulate
        TIFF format image files. Security Fix(es):There is a
        reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)The putagreytile function in
        tif_getimage.c in LibTIFF 4.0.7 has a left-shift
        undefined behavior issue, which might allow remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image.(CVE-2017-7592)An issue was discovered in
        LibTIFF 4.0.9. There is a int32 overflow in multiply_ms
        in tools/ppm2tiff.c, which can cause a denial of
        service (crash) or possibly have unspecified other
        impact via a crafted image
        file.(CVE-2018-17100)tif_read.c in LibTIFF 4.0.7 does
        not ensure that tif_rawdata is properly initialized,
        which might allow remote attackers to obtain sensitive
        information from process memory via a crafted
        image.(CVE-2017-7593)The
        OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)The JPEGSetupEncode function in
        tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (divide-by-zero error and
        application crash) via a crafted
        image.(CVE-2017-7595)LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7596)tif_dirread.c in LibTIFF 4.0.7 has
        an 'outside the range of representable values of type
        float' undefined behavior issue, which might allow
        remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7597)LibTIFF 4.0.7
        has an 'outside the range of representable values of
        type short' undefined behavior issue, which might allow
        remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7599)LibTIFF 4.0.7
        has an 'outside the range of representable values of
        type unsigned char' undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7600)tif_dirread.c in LibTIFF 4.0.7
        might allow remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7598)LibTIFF 4.0.7 has a
        'shift exponent too large for 64-bit type long'
        undefined behavior issue, which might allow remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image.(CVE-2017-7601)LibTIFF 4.0.7 has a signed
        integer overflow, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7602)LibTIFF version 4.0.7 is
        vulnerable to a heap-based buffer over-read in
        tif_lzw.c resulting in DoS or code execution via a
        crafted bmp image to tools/bmp2tiff.(CVE-2017-5563)In
        LibTIFF 4.0.7, the program processes BMP images without
        verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)In LibTIFF 4.0.7, a memory leak
        vulnerability was found in the function
        TIFFReadDirEntryLong8Array in tif_dirread.c, which
        allows attackers to cause a denial of service via a
        crafted file.(CVE-2017-9403)In LibTIFF 4.0.8, there is
        a memory leak in tif_jbig.c. A crafted TIFF document
        can lead to a memory leak resulting in a remote denial
        of service attack.(CVE-2017-9936)In LibTIFF 4.0.9, a
        heap-based buffer overflow occurs in the function
        LZWDecodeCompat in tif_lzw.c via a crafted TIFF file,
        as demonstrated by tiff2ps.(CVE-2018-8905)Heap-based
        buffer overflow in the readContigStripsIntoBuffer
        function in tif_unix.c in LibTIFF 4.0.7 allows remote
        attackers to have unspecified impact via a crafted
        image.(CVE-2016-10092)LibTIFF 4.0.7 allows remote
        attackers to cause a denial of service (heap-based
        buffer overflow) or possibly have unspecified other
        impact via a crafted TIFF image, related to 'WRITE of
        size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)tools/tiffcp.
        c in LibTIFF 4.0.7 allows remote attackers to cause a
        denial of service (integer underflow and heap-based
        buffer under-read) or possibly have unspecified other
        impact via a crafted TIFF image, related to 'READ of
        size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (heap-based buffer over-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (heap-based buffer over-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)The
        TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)Buffer overflow in the
        readextension function in gif2tiff.c in LibTIFF 4.0.6
        allows remote attackers to cause a denial of service
        (application crash) via a crafted GIF
        file.(CVE-2016-3186)The fpAcc function in tif_predict.c
        in the tiff2rgba tool in LibTIFF 4.0.6 and earlier
        allows remote attackers to cause a denial of service
        (divide-by-zero error) via a crafted TIFF
        image.(CVE-2016-3622)tiffsplit in libtiff 4.0.6 allows
        remote attackers to cause a denial of service
        (out-of-bounds read) via a crafted file, related to
        changing td_nstrips in TIFF_STRIPCHOP
        mode.(CVE-2016-9273)tools/tiffcrop.c in libtiff 4.0.6
        reads an undefined buffer in
        readContigStripsIntoBuffer() because of a uint16
        integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)tools/tiffcrop.c in libtiff 4.0.6
        has an out-of-bounds read in
        readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)In LibTIFF 4.0.8, there is a
        assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)The
        TIFFReadDirEntryArray function in tif_read.c in LibTIFF
        4.0.8 mishandles memory allocation for short files,
        which allows remote attackers to cause a denial of
        service (allocation failure and application crash) in
        the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)There is a
        reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)tif_getimage.c in LibTIFF
        through 4.0.10, as used in GDAL through 3.0.1 and other
        products, has an integer overflow that potentially
        causes a heap-based buffer overflow via a crafted RGBA
        image, related to a 'Negative-size-param'
        condition.(CVE-2019-17546)_TIFFCheckMalloc and
        _TIFFCheckRealloc in tif_aux.c in LibTIFF through
        4.0.10 mishandle Integer Overflow checks because they
        rely on compiler behavior that is undefined by the
        applicable C standards. This can, for example, lead to
        an application crash.(CVE-2019-14973)Buffer overflow in
        the readgifimage function in gif2tiff.c in the gif2tiff
        tool in LibTIFF 4.0.6 allows remote attackers to cause
        a denial of service (segmentation fault) via a crafted
        gif file.(CVE-2016-5102)** DISPUTED ** LibTIFF 4.0.8
        has multiple memory leak vulnerabilities, which allow
        attackers to cause a denial of service (memory
        consumption), as demonstrated by tif_open.c, tif_lzw.c,
        and tif_aux.c. NOTE: Third parties were unable to
        reproduce the issue.(CVE-2017-16232)An issue was
        discovered in LibTIFF 4.0.9. There is a NULL pointer
        dereference in the function LZWDecode in the file
        tif_lzw.c.(CVE-2018-18661)The rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (divide-by-zero) by setting the (1) v
        or (2) h parameter to 0.(CVE-2016-3623)The cvtClump
        function in the rgb2ycbcr tool in LibTIFF 4.0.6 and
        earlier allows remote attackers to cause a denial of
        service (out-of-bounds write) by setting the '-v'
        option to -1.(CVE-2016-3624)Stack-based buffer overflow
        in the _TIFFVGetField function in libtiff 4.0.6 and
        earlier allows remote attackers to crash the
        application via a crafted tiff.(CVE-2016-5318)LibTIFF
        4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)The _TIFFFax3fillruns
        function in libtiff before 4.0.6 allows remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted Tiff
        image.(CVE-2016-5323)The DumpModeDecode function in
        libtiff 4.0.6 and earlier allows attackers to cause a
        denial of service (invalid read and crash) via a
        crafted tiff image.(CVE-2016-5321)The TIFFReadRawStrip1
        and TIFFReadRawTile1 functions in tif_read.c in libtiff
        before 4.0.7 allows remote attackers to cause a denial
        of service (crash) or possibly obtain sensitive
        information via a negative index in a file-content
        buffer.(CVE-2016-6223)Integer overflow in the
        writeBufferToSeparateStrips function in tiffcrop.c in
        LibTIFF before 4.0.7 allows remote attackers to cause a
        denial of service (out-of-bounds read) via a crafted
        tif file.(CVE-2016-9532)The TIFFWriteDirectorySec()
        function in tif_dirwrite.c in LibTIFF through 4.0.9
        allows remote attackers to cause a denial of service
        (assertion failure and application crash) via a crafted
        file, a different vulnerability than
        CVE-2017-13726.(CVE-2018-10963)Heap-based buffer
        overflow in the cpSeparateBufToContigBuf function in
        tiffcp.c in LibTIFF 4.0.9 allows remote attackers to
        cause a denial of service (crash) or possibly have
        unspecified other impact via a crafted TIFF
        file.(CVE-2018-12900)An issue was discovered in LibTIFF
        4.0.9. There are two out-of-bounds writes in cpTags in
        tools/tiff2bw.c and tools/pal2rgb.c, which can cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted image
        file.(CVE-2018-17101)LibTIFF 4.0.9 (with JBIG enabled)
        decodes arbitrarily-sized JBIG into a buffer, ignoring
        the buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)In LibTIFF 4.0.9,
        there is a NULL pointer dereference in the
        TIFFWriteDirectorySec function in tif_dirwrite.c that
        will lead to a denial of service attack, as
        demonstrated by tiffset.(CVE-2018-19210)The TIFFFdOpen
        function in tif_unix.c in LibTIFF 4.0.10 has a memory
        leak, as demonstrated by pal2rgb.(CVE-2019-6128)An
        Invalid Address dereference was discovered in
        TIFFWriteDirectoryTagTransferfunction in
        libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the
        cpSeparateBufToContigBuf function in tiffcp.c. Remote
        attackers could leverage this vulnerability to cause a
        denial-of-service via a crafted tiff file. This is
        different from CVE-2018-12900.(CVE-2019-7663)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2466
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1fc9e3a2");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h18",
            "libtiff-devel-4.0.3-27.h18"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201709-27.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201709-27 (libTIFF: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibTIFF. Please review the referenced CVE identifiers for details. Impact : A remote attacker, by enticing the user to process a specially crafted TIFF file, could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id103486
    published2017-09-27
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103486
    titleGLSA-201709-27 : libTIFF: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201709-27.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103486);
      script_version("$Revision: 3.2 $");
      script_cvs_date("$Date: 2017/10/02 21:12:27 $");
    
      script_cve_id("CVE-2016-10267", "CVE-2016-10268", "CVE-2017-5225", "CVE-2017-5563", "CVE-2017-7592", "CVE-2017-7593", "CVE-2017-7594", "CVE-2017-7595", "CVE-2017-7596", "CVE-2017-7597", "CVE-2017-7598", "CVE-2017-7599", "CVE-2017-7600", "CVE-2017-7601", "CVE-2017-7602", "CVE-2017-9403");
      script_xref(name:"GLSA", value:"201709-27");
    
      script_name(english:"GLSA-201709-27 : libTIFF: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201709-27
    (libTIFF: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in LibTIFF. Please review
          the referenced CVE identifiers for details.
      
    Impact :
    
        A remote attacker, by enticing the user to process a specially crafted
          TIFF file, could possibly execute arbitrary code with the privileges of
          the process, cause a Denial of Service condition, obtain sensitive
          information, or have other unspecified impacts.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201709-27"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All LibTIFF users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=media-libs/tiff-4.0.8'
        Packages which depend on this library may need to be recompiled. Tools
          such as revdep-rebuild may assist in identifying some of these packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-libs/tiff", unaffected:make_list("ge 4.0.8"), vulnerable:make_list("lt 4.0.8"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libTIFF");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3602-1.NASL
    descriptionIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id108513
    published2018-03-21
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108513
    titleUbuntu 14.04 LTS / 16.04 LTS : tiff vulnerabilities (USN-3602-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3602-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108513);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2016-10266", "CVE-2016-10267", "CVE-2016-10268", "CVE-2016-10269", "CVE-2016-10371", "CVE-2017-10688", "CVE-2017-11335", "CVE-2017-12944", "CVE-2017-13726", "CVE-2017-13727", "CVE-2017-18013", "CVE-2017-7592", "CVE-2017-7593", "CVE-2017-7594", "CVE-2017-7595", "CVE-2017-7596", "CVE-2017-7597", "CVE-2017-7598", "CVE-2017-7599", "CVE-2017-7600", "CVE-2017-7601", "CVE-2017-7602", "CVE-2017-9403", "CVE-2017-9404", "CVE-2017-9815", "CVE-2017-9936", "CVE-2018-5784");
      script_xref(name:"USN", value:"3602-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS : tiff vulnerabilities (USN-3602-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that LibTIFF incorrectly handled certain malformed
    images. If a user or automated system were tricked into opening a
    specially crafted image, a remote attacker could crash the
    application, leading to a denial of service, or possibly execute
    arbitrary code with user privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3602-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libtiff-tools and / or libtiff5 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtiff-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtiff5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libtiff-tools", pkgver:"4.0.3-7ubuntu0.8")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libtiff5", pkgver:"4.0.3-7ubuntu0.8")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libtiff-tools", pkgver:"4.0.6-1ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libtiff5", pkgver:"4.0.6-1ubuntu0.3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-tools / libtiff5");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1179-1.NASL
    descriptionThis update for tiff fixes the following issues : - CVE-2016-9453: The t2p_readwrite_pdf_image_tile function allowed remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one (bsc#1011107). - CVE-2016-5652: An exploitable heap-based buffer overflow existed in the handling of TIFF images in the TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means (bsc#1007280). - CVE-2017-11335: There is a heap-based buffer overflow in tools/tiff2pdf.c via a PlanarConfig=Contig image, which caused a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack (bsc#1048937). - CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka
    last seen2020-06-01
    modified2020-06-02
    plugin id109674
    published2018-05-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109674
    titleSUSE SLES11 Security Update : tiff (SUSE-SU-2018:1179-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1179-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109674);
      script_version("1.5");
      script_cvs_date("Date: 2019/09/10 13:51:47");
    
      script_cve_id("CVE-2015-7554", "CVE-2016-10095", "CVE-2016-10268", "CVE-2016-3945", "CVE-2016-5318", "CVE-2016-5652", "CVE-2016-9453", "CVE-2016-9536", "CVE-2017-11335", "CVE-2017-17973", "CVE-2017-9935");
    
      script_name(english:"SUSE SLES11 Security Update : tiff (SUSE-SU-2018:1179-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tiff fixes the following issues :
    
      - CVE-2016-9453: The t2p_readwrite_pdf_image_tile function
        allowed remote attackers to cause a denial of service
        (out-of-bounds write and crash) or possibly execute
        arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES
        of length one (bsc#1011107).
    
      - CVE-2016-5652: An exploitable heap-based buffer overflow
        existed in the handling of TIFF images in the TIFF2PDF
        tool. A crafted TIFF document can lead to a heap-based
        buffer overflow resulting in remote code execution.
        Vulnerability can be triggered via a saved TIFF file
        delivered by other means (bsc#1007280).
    
      - CVE-2017-11335: There is a heap-based buffer overflow in
        tools/tiff2pdf.c via a PlanarConfig=Contig image, which
        caused a more than one hundred bytes out-of-bounds write
        (related to the ZIPDecode function in tif_zip.c). A
        crafted input may lead to a remote denial of service
        attack or an arbitrary code execution attack
        (bsc#1048937).
    
      - CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds
        write vulnerabilities in heap allocated buffers in
        t2p_process_jpeg_strip(). Reported as MSVR 35098, aka
        't2p_process_jpeg_strip heap-buffer-overflow.'
        (bsc#1011845)
    
      - CVE-2017-9935: In LibTIFF, there was a heap-based buffer
        overflow in the t2p_write_pdf function in
        tools/tiff2pdf.c. This heap overflow could lead to
        different damages. For example, a crafted TIFF document
        can lead to an out-of-bounds read in TIFFCleanup, an
        invalid free in TIFFClose or t2p_free, memory corruption
        in t2p_readwrite_pdf_image, or a double free in
        t2p_free. Given these possibilities, it probably could
        cause arbitrary code execution (bsc#1046077).
    
      - CVE-2017-17973: There is a heap-based use-after-free in
        the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)
    
      - CVE-2015-7554: The _TIFFVGetField function in tif_dir.c
        allowed attackers to cause a denial of service (invalid
        memory write and crash) or possibly have unspecified
        other impact via crafted field data in an extension tag
        in a TIFF image (bsc#960341).
    
      - CVE-2016-5318: Stack-based buffer overflow in the
        _TIFFVGetField function allowed remote attackers to
        crash the application via a crafted tiff (bsc#983436).
    
      - CVE-2016-10095: Stack-based buffer overflow in the
        _TIFFVGetField function in tif_dir.c allowed remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file (bsc#1017690,).
    
      - CVE-2016-10268: tools/tiffcp.c allowed remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23 (bsc#1031255)
    
      - An overlapping of memcpy parameters was fixed which
        could lead to content corruption (bsc#1017691).
    
      - Fixed an invalid memory read which could lead to a crash
        (bsc#1017692).
    
      - Fixed a NULL pointer dereference in TIFFReadRawData
        (tiffinfo.c) that could crash the decoder (bsc#1017688).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007280"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011845"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017688"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017690"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017691"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017692"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031255"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1046077"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1048937"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1074318"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=960341"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=983436"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2015-7554/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10095/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10268/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-3945/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-5318/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-5652/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9453/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9536/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-11335/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-17973/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9935/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181179-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1e4baba2"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-tiff-13594=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-tiff-13594=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-tiff-13594=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libtiff3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"libtiff3-32bit-3.8.2-141.169.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"libtiff3-32bit-3.8.2-141.169.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"libtiff3-3.8.2-141.169.3.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"tiff-3.8.2-141.169.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2209.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-05-08
    modified2019-11-08
    plugin id130671
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130671
    titleEulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-2209)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130671);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-2209)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.The _TIFFFax3fillruns function in
        libtiff before 4.0.6 allows remote attackers to cause a
        denial of service (divide-by-zero error and application
        crash) via a crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - tiffsplit in libtiff 4.0.6 allows remote attackers to
        cause a denial of service (out-of-bounds read) via a
        crafted file, related to changing td_nstrips in
        TIFF_STRIPCHOP mode.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2209
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1833399b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22.eulerosv2r7",
            "libtiff-devel-4.0.3-27.h22.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-05B9048FBC.NASL
    descriptionSecurity fix for : - **CVE-2016-10266** - **CVE-2016-10267** - **CVE-2016-10268** - **CVE-2016-10269** - **CVE-2016-10270** - **CVE-2016-10271** - **CVE-2016-10272** Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101563
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101563
    titleFedora 26 : libtiff (2017-05b9048fbc)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-05b9048fbc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101563);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10266", "CVE-2016-10267", "CVE-2016-10268", "CVE-2016-10269", "CVE-2016-10270", "CVE-2016-10271", "CVE-2016-10272");
      script_xref(name:"FEDORA", value:"2017-05b9048fbc");
    
      script_name(english:"Fedora 26 : libtiff (2017-05b9048fbc)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for :
    
      - **CVE-2016-10266**
    
      - **CVE-2016-10267**
    
      - **CVE-2016-10268**
    
      - **CVE-2016-10269**
    
      - **CVE-2016-10270**
    
      - **CVE-2016-10271**
    
      - **CVE-2016-10272**
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-05b9048fbc"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libtiff package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"libtiff-4.0.7-4.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-AB3ACDDD21.NASL
    descriptionSecurity fix for : - **CVE-2016-10266** - **CVE-2016-10267** - **CVE-2016-10268** - **CVE-2016-10269** - **CVE-2016-10270** - **CVE-2016-10271** - **CVE-2016-10272** Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-04-11
    plugin id99273
    published2017-04-11
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99273
    titleFedora 25 : libtiff (2017-ab3acddd21)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-ab3acddd21.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99273);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10266", "CVE-2016-10267", "CVE-2016-10268", "CVE-2016-10269", "CVE-2016-10270", "CVE-2016-10271", "CVE-2016-10272");
      script_xref(name:"FEDORA", value:"2017-ab3acddd21");
    
      script_name(english:"Fedora 25 : libtiff (2017-ab3acddd21)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for :
    
      - **CVE-2016-10266**
    
      - **CVE-2016-10267**
    
      - **CVE-2016-10268**
    
      - **CVE-2016-10269**
    
      - **CVE-2016-10270**
    
      - **CVE-2016-10271**
    
      - **CVE-2016-10272**
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ab3acddd21"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libtiff package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"libtiff-4.0.7-4.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2265.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727) - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592) - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593) - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594) - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595) - LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-11-08
    plugin id130727
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130727
    titleEulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2265)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130727);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3186",
        "CVE-2016-3622",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-7456",
        "CVE-2018-8905"
      );
    
      script_name(english:"EulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2265)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - tiffsplit in libtiff 4.0.6 allows remote attackers to
        cause a denial of service (out-of-bounds read) via a
        crafted file, related to changing td_nstrips in
        TIFF_STRIPCHOP mode.(CVE-2016-9273)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - Buffer overflow in the readextension function in
        gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to
        cause a denial of service (application crash) via a
        crafted GIF file.(CVE-2016-3186)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2265
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4354c43e");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h14",
            "libtiff-devel-4.0.3-27.h14"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-515.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : - CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to
    last seen2020-06-05
    modified2017-04-27
    plugin id99704
    published2017-04-27
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99704
    titleopenSUSE Security Update : tiff (openSUSE-2017-515)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-515.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99704);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10266", "CVE-2016-10267", "CVE-2016-10268", "CVE-2016-10269", "CVE-2016-10270", "CVE-2016-10271", "CVE-2016-10272");
    
      script_name(english:"openSUSE Security Update : tiff (openSUSE-2017-515)");
      script_summary(english:"Check for the openSUSE-2017-515 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tiff fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (heap-based buffer overflow)
        or possibly have unspecified other impact via a crafted
        TIFF image, related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9 (bsc#1031247).
    
      - CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows
        remote attackers to cause a denial of service
        (heap-based buffer over-read and buffer overflow) or
        possibly have unspecified other impact via a crafted
        TIFF image, related to 'READ of size 1' and
        libtiff/tif_fax3.c:413:13 (bsc#1031249).
    
      - CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (heap-based buffer over-read)
        or possibly have unspecified other impact via a crafted
        TIFF image, related to 'READ of size 8' and
        libtiff/tif_read.c:523:22 (bsc#1031250).
    
      - CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (heap-based buffer over-read)
        or possibly have unspecified other impact via a crafted
        TIFF image, related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2 (bsc#1031254).
    
      - CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows
        remote attackers to cause a denial of service (integer
        underflow and heap-based buffer under-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23 (bsc#1031255).
    
      - CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (divide-by-zero error and
        application crash) via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8 (bsc#1031262).
    
      - CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (divide-by-zero error and
        application crash) via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22. (bsc#1031263).
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031247"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031249"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031250"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031254"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031255"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031262"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031263"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected tiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1|SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1 / 42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"libtiff-devel-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libtiff5-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"libtiff5-debuginfo-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"tiff-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"tiff-debuginfo-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"tiff-debugsource-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-18.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff-devel-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff5-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff5-debuginfo-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-debuginfo-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-debugsource-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-17.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-17.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-devel-32bit / libtiff-devel / libtiff5-32bit / libtiff5 / etc");
    }