Vulnerabilities > CVE-2017-17973 - Use After Free vulnerability in Libtiff 4.0.8
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0013_LIBTIFF.NASL description An update of the libtiff package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121910 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121910 title Photon OS 2.0: Libtiff PHSA-2018-2.0-0013 code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2018-2.0-0013. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(121910); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2019/02/07"); script_cve_id("CVE-2017-9937", "CVE-2017-17973", "CVE-2017-18013"); script_name(english:"Photon OS 2.0: Libtiff PHSA-2018-2.0-0013"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the libtiff package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-13.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17790"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/01/23"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:libtiff"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-debuginfo-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-debuginfo-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-debuginfo-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-devel-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-devel-4.0.9-1.ph2")) flag++; if (rpm_check(release:"PhotonOS-2.0", reference:"libtiff-devel-4.0.9-1.ph2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff"); }
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-443.NASL description This update for tiff fixes the following issues : - CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077) - CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318) - CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-05-11 plugin id 109716 published 2018-05-11 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109716 title openSUSE Security Update : tiff (openSUSE-2018-443) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-443. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(109716); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-17973", "CVE-2017-9935", "CVE-2018-5784"); script_name(english:"openSUSE Security Update : tiff (openSUSE-2018-443)"); script_summary(english:"Check for the openSUSE-2018-443 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for tiff fixes the following issues : - CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077) - CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318) - CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690) This update was imported from the SUSE:SLE-12:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1046077" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074318" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1081690" ); script_set_attribute(attribute:"solution", value:"Update the affected tiff packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debugsource"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"libtiff-devel-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libtiff5-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libtiff5-debuginfo-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"tiff-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"tiff-debuginfo-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"tiff-debugsource-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff5-32bit-4.0.9-28.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.9-28.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-devel-32bit / libtiff-devel / libtiff5-32bit / libtiff5 / etc"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1180-1.NASL description This update for tiff fixes the following issues : - CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077) - CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318) - CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109675 published 2018-05-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109675 title SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:1180-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1179-1.NASL description This update for tiff fixes the following issues : - CVE-2016-9453: The t2p_readwrite_pdf_image_tile function allowed remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one (bsc#1011107). - CVE-2016-5652: An exploitable heap-based buffer overflow existed in the handling of TIFF images in the TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means (bsc#1007280). - CVE-2017-11335: There is a heap-based buffer overflow in tools/tiff2pdf.c via a PlanarConfig=Contig image, which caused a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack (bsc#1048937). - CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka last seen 2020-06-01 modified 2020-06-02 plugin id 109674 published 2018-05-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109674 title SUSE SLES11 Security Update : tiff (SUSE-SU-2018:1179-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0013.NASL description An update of {'libtiff', 'openjdk8', 'ruby'} packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111283 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111283 title Photon OS 2.0 : libtiff / openjdk8 / ruby (PhotonOS-PHSA-2018-2.0-0013) (deprecated)
References
- http://bugzilla.maptools.org/show_bug.cgi?id=2769
- http://bugzilla.maptools.org/show_bug.cgi?id=2769
- http://www.securityfocus.com/bid/102331
- http://www.securityfocus.com/bid/102331
- https://bugzilla.novell.com/show_bug.cgi?id=1074318
- https://bugzilla.novell.com/show_bug.cgi?id=1074318
- https://bugzilla.redhat.com/show_bug.cgi?id=1530912
- https://bugzilla.redhat.com/show_bug.cgi?id=1530912