Vulnerabilities > CVE-2016-3622 - Divide By Zero vulnerability in Libtiff 4.0.6

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
libtiff
CWE-369
nessus

Summary

The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image.

Vulnerable Configurations

Part Description Count
Application
Libtiff
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-3301-1.NASL
    descriptionThe tiff library and tools were updated to version 4.0.7 fixing various bug and security issues. - CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple tools [bnc#914890] - CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField() [bnc#1010161] - CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c [bnc#974840] - CVE-2016-9273: heap overflow [bnc#1010163] - CVE-2016-3622: divide By Zero in the tiff2rgba tool [bnc#974449] - CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow [bnc#1007280] - CVE-2016-9453: out-of-bounds Write memcpy and less bound check in tiff2pdf [bnc#1011107] - CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat [bnc#987351] - CVE-2016-9448: regression introduced by fixing CVE-2016-9297 [bnc#1011103] - CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function [bnc#984813] - CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?) [bnc#984815] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id96263
    published2017-01-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96263
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2016:3301-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2016:3301-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96263);
      script_version("3.10");
      script_cvs_date("Date: 2019/09/11 11:22:14");
    
      script_cve_id("CVE-2014-8127", "CVE-2016-3622", "CVE-2016-3658", "CVE-2016-5321", "CVE-2016-5323", "CVE-2016-5652", "CVE-2016-5875", "CVE-2016-9273", "CVE-2016-9297", "CVE-2016-9448", "CVE-2016-9453");
      script_bugtraq_id(72323);
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2016:3301-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The tiff library and tools were updated to version 4.0.7 fixing
    various bug and security issues.
    
      - CVE-2014-8127: out-of-bounds read with malformed TIFF
        image in multiple tools [bnc#914890]
    
      - CVE-2016-9297: tif_dirread.c read outside buffer in
        _TIFFPrintField() [bnc#1010161]
    
      - CVE-2016-3658: Illegal read in
        TIFFWriteDirectoryTagLongLong8Array function in tiffset
        / tif_dirwrite.c [bnc#974840]
    
      - CVE-2016-9273: heap overflow [bnc#1010163]
    
      - CVE-2016-3622: divide By Zero in the tiff2rgba tool
        [bnc#974449]
    
      - CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap
        Buffer Overflow [bnc#1007280]
    
      - CVE-2016-9453: out-of-bounds Write memcpy and less bound
        check in tiff2pdf [bnc#1011107]
    
      - CVE-2016-5875: heap-based buffer overflow when using the
        PixarLog compressionformat [bnc#987351]
    
      - CVE-2016-9448: regression introduced by fixing
        CVE-2016-9297 [bnc#1011103]
    
      - CVE-2016-5321: out-of-bounds read in tiffcrop /
        DumpModeDecode() function [bnc#984813]
    
      - CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns()
        function (null ptr dereference?) [bnc#984815]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007280"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010161"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1010163"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011103"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1011107"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=914890"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=974449"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=974840"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=984813"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=984815"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=987351"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2014-8127/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-3622/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-3658/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-5321/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-5323/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-5652/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-5875/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9273/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9297/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9448/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9453/"
      );
      # https://www.suse.com/support/update/announcement/2016/suse-su-20163301-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?472e6418"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2016-1937=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP1:zypper in -t
    patch SUSE-SLE-SDK-12-SP1-2016-1937=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2016-1937=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2016-1937=1
    
    SUSE Linux Enterprise Server 12-SP1:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2016-1937=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2016-1937=1
    
    SUSE Linux Enterprise Desktop 12-SP1:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP1-2016-1937=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libtiff5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(1|2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP1/2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"tiff-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"tiff-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"tiff-debugsource-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"libtiff5-debuginfo-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"tiff-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"tiff-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"tiff-debugsource-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"tiff-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"1", cpu:"x86_64", reference:"tiff-debugsource-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"tiff-debuginfo-4.0.7-35.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"tiff-debugsource-4.0.7-35.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1235.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-03-19
    modified2020-03-13
    plugin id134524
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134524
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134524);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff package installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - An out-of-bounds heap read was discovered in libtiff. A
        crafted file could cause the application to crash or,
        potentially, disclose process memory.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1235
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?470ca94b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1425.NASL
    descriptionTiff was updated to version 4.0.7. This update fixes the following issues : - libtiff/tif_aux.c + Fix crash in TIFFVGetFieldDefaulted() when requesting Predictor tag and that the zip/lzw codec is not configured. (http://bugzilla.maptools.org/show_bug.cgi?id=2591) - libtiff/tif_compress.c + Make TIFFNoDecode() return 0 to indicate an error and make upper level read routines treat it accordingly. (http://bugzilla.maptools.org/show_bug.cgi?id=2517) - libtiff/tif_dir.c + Discard values of SMinSampleValue and SMaxSampleValue when they have been read and the value of SamplesPerPixel is changed afterwards (like when reading a OJPEG compressed image with a missing SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing SamplesPerPixel being 3). Otherwise when rewriting the directory (for example with tiffset, we will expect 3 values whereas the array had been allocated with just one), thus causing a out of bound read access. (CVE-2014-8127, boo#914890, duplicate: CVE-2016-3658, boo#974840) - libtiff/tif_dirread.c + In TIFFFetchNormalTag(), do not dereference NULL pointer when values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are 0-byte arrays. (CVE-2016-9448, boo#1011103) + In TIFFFetchNormalTag(), make sure that values of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null terminated, to avoid potential read outside buffer in _TIFFPrintField(). (CVE-2016-9297, boo#1010161) + Prevent reading ColorMap or TransferFunction if BitsPerPixel > 24, so as to avoid huge memory allocation and file read attempts + Reject images with OJPEG compression that have no TileOffsets/StripOffsets tag, when OJPEG compression is disabled. Prevent NULL pointer dereference in TIFFReadRawStrip1() and other functions that expect td_stripbytecount to be non NULL. (http://bugzilla.maptools.org/show_bug.cgi?id=2585) + When compiled with DEFER_STRILE_LOAD, fix regression, when reading a one-strip file without a StripByteCounts tag. + Workaround false positive warning of Clang Static Analyzer about NULL pointer dereference in TIFFCheckDirOffset(). - libtiff/tif_dirwrite.c + Avoid NULL pointer dereference on td_stripoffset when writing directory, if FIELD_STRIPOFFSETS was artificially set for a hack case in OJPEG case. Fixes (CVE-2014-8127, boo#914890, duplicate: CVE-2016-3658, boo#974840) + Fix truncation to 32 bit of file offsets in TIFFLinkDirectory() and TIFFWriteDirectorySec() when aligning directory offsets on an even offset (affects BigTIFF). - libtiff/tif_dumpmode.c + DumpModeEncode() should return 0 in case of failure so that the above mentionned functions detect the error. - libtiff/tif_fax3.c + remove dead assignment in Fax3PutEOLgdal(). - libtiff/tif_fax3.h + make Param member of TIFFFaxTabEnt structure a uint16 to reduce size of the binary. - libtiff/tif_getimage.c + Fix out-of-bound reads in TIFFRGBAImage interface in case of unsupported values of SamplesPerPixel/ExtraSamples for LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683. + TIFFRGBAImageOK: Reject attempts to read floating point images. - libtiff/tif_luv.c + Fix potential out-of-bound writes in decode functions in non debug builds by replacing assert()s by regular if checks (http://bugzilla.maptools.org/show_bug.cgi?id=2522). Fix potential out-of-bound reads in case of short input data. + Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL, there is only one sample per pixel. Avoid potential invalid memory write on corrupted/unexpected images when using the TIFFRGBAImageBegin() interface - libtiff/tif_next.c + Fix potential out-of-bound write in NeXTDecode() (http://bugzilla.maptools.org/show_bug.cgi?id=2508) - libtiff/tif_pixarlog.c + Avoid zlib error messages to pass a NULL string to %s formatter, which is undefined behaviour in sprintf(). + Fix out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094. + Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images (CVE-2016-5875, boo#987351) - libtiff/tif_predict.c + PredictorSetup: Enforce bits-per-sample requirements of floating point predictor (3). (CVE-2016-3622, boo#974449) - libtiff/tif_predict.h, libtiff/tif_predict.c + Replace assertions by runtime checks to avoid assertions in debug mode, or buffer overflows in release mode. Can happen when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105. - libtiff/tif_read.c + Fix out-of-bounds read on memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond tmsize_t max value + Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly use user provided buffer when no compression (and other conditions) to save a memcpy(). - libtiff/tif_strip.c + Make TIFFNumberOfStrips() return the td->td_nstrips value when it is non-zero, instead of recomputing it. This is needed in TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read outsize of array in tiffsplit (or other utilities using TIFFNumberOfStrips()). (CVE-2016-9273, boo#1010163) - libtiff/tif_write.c + Fix issue in error code path of TIFFFlushData1() that didn
    last seen2020-06-05
    modified2016-12-08
    plugin id95649
    published2016-12-08
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/95649
    titleopenSUSE Security Update : tiff (openSUSE-2016-1425)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-53.NASL
    descriptionThe tiff library and tools were updated to version 4.0.7 fixing various bug and security issues. - CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple tools [bnc#914890] - CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField() [bnc#1010161] - CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c [bnc#974840] - CVE-2016-9273: heap overflow [bnc#1010163] - CVE-2016-3622: divide By Zero in the tiff2rgba tool [bnc#974449] - CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow [bnc#1007280] - CVE-2016-9453: out-of-bounds Write memcpy and less bound check in tiff2pdf [bnc#1011107] - CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat [bnc#987351] - CVE-2016-9448: regression introduced by fixing CVE-2016-9297 [bnc#1011103] - CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function [bnc#984813] - CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr dereference?) [bnc#984815] This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2017-01-10
    plugin id96378
    published2017-01-10
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96378
    titleopenSUSE Security Update : tiff (openSUSE-2017-53)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1447.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2017-17095) - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-04-30
    modified2020-04-16
    plugin id135609
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135609
    titleEulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2020-1447)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2527-1.NASL
    descriptionThis update for tiff fixes the following issues : - CVE-2016-3622: Specially crafted TIFF images could trigger a crash in tiff2rgba (bsc#974449) - Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098) - CVE-2016-5314: Specially crafted TIFF images could trigger a crash that could result in DoS (bsc#984831) - CVE-2016-5316: Specially crafted TIFF images could trigger a crash in the rgb2ycbcr tool, leading to Doa (bsc#984837) - CVE-2016-5317: Specially crafted TIFF images could trigger a crash through an out of bound write (bsc#984842) - CVE-2016-5320: Specially crafted TIFF images could trigger a crash or potentially allow remote code execution when using the rgb2ycbcr command (bsc#984808) - CVE-2016-5875: Specially crafted TIFF images could trigger could allow arbitrary code execution (bsc#987351) - CVE-2016-3623: Specially crafted TIFF images could trigger a crash in rgb2ycbcr (bsc#974618) - CVE-2016-3945: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via tiff2rgba (bsc#974614) - CVE-2016-3990: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution (bsc#975069) - CVE-2016-3186: Specially crafted TIFF imaged could trigger a crash in the gif2tiff command via a buffer overflow (bsc#973340) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94067
    published2016-10-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94067
    titleSUSE SLES11 Security Update : tiff (SUSE-SU-2016:2527-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3212-1.NASL
    descriptionIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97434
    published2017-02-28
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97434
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : tiff vulnerabilities (USN-3212-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2466.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF format image files. Security Fix(es):There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727)The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592)An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100)tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593)The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594)The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595)LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-12-04
    plugin id131619
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131619
    titleEulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-2466)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1187.NASL
    descriptionThis update for tiff fixes the following security issues : - CVE-2016-3622: Specially crafted TIFF images could trigger a crash in tiff2rgba (bsc#974449) - Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098) - CVE-2016-3623: Specially crafted TIFF images could trigger a crash in rgb2ycbcr (bsc#974618) - CVE-2016-3945: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via tiff2rgba (bsc#974614) - CVE-2016-3990: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution (bsc#975069) - CVE-2016-3991: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via the tiffcrop tool (bsc#975070) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2016-10-14
    plugin id94062
    published2016-10-14
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94062
    titleopenSUSE Security Update : tiff (openSUSE-2016-1187)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1196.NASL
    descriptionThis update for tiff fixes the following security issue : - CVE 2016-3622
    last seen2020-06-05
    modified2016-10-17
    plugin id94092
    published2016-10-17
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94092
    titleopenSUSE Security Update : tiff (openSUSE-2016-1196)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2209.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-05-08
    modified2019-11-08
    plugin id130671
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130671
    titleEulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-2209)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-795.NASL
    descriptionNumerous security vulnerabilities have been found through fuzzing on various tiff-related binaries. Crafted TIFF images allows remote attacks to cause denial of service or, in certain cases arbitrary code execution through divide-by-zero, out of bunds write, integer and heap overflow. CVE-2016-3622 The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted TIFF image. CVE-2016-3623 The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0. (Fixed along with CVE-2016-3624.) CVE-2016-3624 The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-03-17
    modified2017-01-24
    plugin id96704
    published2017-01-24
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96704
    titleDebian DLA-795-1 : tiff security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2508-1.NASL
    descriptionThis update for tiff fixes the following security issues : - CVE-2016-3622: Specially crafted TIFF images could trigger a crash in tiff2rgba (bsc#974449) - Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098) - CVE-2016-3623: Specially crafted TIFF images could trigger a crash in rgb2ycbcr (bsc#974618) - CVE-2016-3945: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via tiff2rgba (bsc#974614) - CVE-2016-3990: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution (bsc#975069) - CVE-2016-3991: Specially crafted TIFF images could trigger a crash or allow for arbitrary command execution via the tiffcrop tool (bsc#975070) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94039
    published2016-10-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94039
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2016:2508-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1186.NASL
    descriptionThis update for tiff fixes the following security issues : - CVE-2016-3622: A specially crafted TIFF image could trigger a crash in tiff2rgba (boo#974449) - Various out-of-bound write vulnerabilities with unspecified impact (MSVR 35093, MSVR 35094, MSVR 35095, MSVR 35096, MSVR 35097, MSVR 35098)
    last seen2020-06-05
    modified2016-10-14
    plugin id94061
    published2016-10-14
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94061
    titleopenSUSE Security Update : tiff (openSUSE-2016-1186)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2265.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727) - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592) - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593) - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594) - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595) - LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-11-08
    plugin id130727
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130727
    titleEulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2265)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-098-01.NASL
    descriptionNew libtiff packages are available for Slackware 14.2 and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99249
    published2017-04-10
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99249
    titleSlackware 14.2 / current : libtiff (SSA:2017-098-01)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-16.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-16 (libTIFF: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in libTIFF. Please review the CVE identifier and bug reports referenced for details. Impact : A remote attacker could entice a user to process a specially crafted image file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96373
    published2017-01-10
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96373
    titleGLSA-201701-16 : libTIFF: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3762.NASL
    descriptionMultiple vulnerabilities have been discovered in the libtiff library and the included tools tiff2rgba, rgb2ycbcr, tiffcp, tiffcrop, tiff2pdf and tiffsplit, which may result in denial of service, memory disclosure or the execution of arbitrary code. There were additional vulnerabilities in the tools bmp2tiff, gif2tiff, thumbnail and ras2tiff, but since these were addressed by the libtiff developers by removing the tools altogether, no patches are available and those tools were also removed from the tiff package in Debian stable. The change had already been made in Debian stretch before and no applications included in Debian are known to rely on these scripts. If you use those tools in custom setups, consider using a different conversion/thumbnailing tool.
    last seen2020-06-01
    modified2020-06-02
    plugin id96495
    published2017-01-16
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96495
    titleDebian DSA-3762-1 : tiff - security update