Vulnerabilities > CVE-2017-9403 - Missing Release of Resource after Effective Lifetime vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
libtiff
debian
canonical
CWE-772
nessus

Summary

In LibTIFF 4.0.7, a memory leak vulnerability was found in the function TIFFReadDirEntryLong8Array in tif_dirread.c, which allows attackers to cause a denial of service via a crafted file.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • HTTP DoS
    An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1235.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-03-19
    modified2020-03-13
    plugin id134524
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134524
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134524);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff package installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - An out-of-bounds heap read was discovered in libtiff. A
        crafted file could cause the application to crash or,
        potentially, disclose process memory.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1235
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?470ca94b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-03C5F27205.NASL
    descriptionSecurity fixes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101561
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101561
    titleFedora 26 : mingw-libtiff (2017-03c5f27205)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-03c5f27205.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101561);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-9403");
      script_xref(name:"FEDORA", value:"2017-03c5f27205");
    
      script_name(english:"Fedora 26 : mingw-libtiff (2017-03c5f27205)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fixes.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-03c5f27205"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mingw-libtiff package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mingw-libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"mingw-libtiff-4.0.8-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mingw-libtiff");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1118.NASL
    descriptionThis update for tiff to version 4.0.8 fixes a several bugs and security issues : These security issues were fixed : - CVE-2017-7595: The JPEGSetupEncode function allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033127). - CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational function allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file (bsc#1038438). - CVE-2017-7598: Error in tif_dirread.c allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033118). - CVE-2017-7596: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033126). - CVE-2017-7597: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033120). - CVE-2017-7599: Undefined behavior because of shorts outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033113). - CVE-2017-7600: Undefined behavior because of chars outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033112). - CVE-2017-7601: Because of a shift exponent too large for 64-bit type long undefined behavior was caused, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033111). - CVE-2017-7602: Prevent signed integer overflow, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033109). - CVE-2017-7592: The putagreytile function had a left-shift undefined behavior issue, which might allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033131). - CVE-2017-7593: Ensure that tif_rawdata is properly initialized, to prevent remote attackers to obtain sensitive information from process memory via a crafted image (bsc#1033129). - CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable function allowed remote attackers to cause a denial of service (memory leak) via a crafted image (bsc#1033128). - CVE-2017-9403: Prevent memory leak in function TIFFReadDirEntryLong8Array, which allowed attackers to cause a denial of service via a crafted file (bsc#1042805). - CVE-2017-9404: Fixed memory leak vulnerability in function OJPEGReadHeaderInfoSecTablesQTable, which allowed attackers to cause a denial of service via a crafted file (bsc#1042804). These various other issues were fixed : - Fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer division by zero. Reported by Agostino Sarubbo. - fix heap-based buffer overflow on generation of PixarLog / LUV compressed files, with ColorMap, TransferFunction attached and nasty plays with bitspersample. The fix for LUV has not been tested, but suffers from the same kind of issue of PixarLog. - modify ChopUpSingleUncompressedStrip() to instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on the total size of data. Which is faulty is the total size of data is not sufficient to fill the whole image, and thus results in reading outside of the StripByCounts/StripOffsets arrays when using TIFFReadScanline() - make OJPEGDecode() early exit in case of failure in OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. - fix misleading indentation as warned by GCC. - revert change done on 2016-01-09 that made Param member of TIFFFaxTabEnt structure a uint16 to reduce size of the binary. It happens that the Hylafax software uses the tables that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are not in a public libtiff header. - add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants of the functions without ext, with an extra argument to control the stop_on_error behaviour. - fix potential memory leaks in error code path of TIFFRGBAImageBegin(). - increase libjpeg max memory usable to 10 MB instead of libjpeg 1MB default. This helps when creating files with
    last seen2020-06-05
    modified2017-10-04
    plugin id103658
    published2017-10-04
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103658
    titleopenSUSE Security Update : tiff (openSUSE-2017-1118)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-1118.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103658);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10371", "CVE-2017-7592", "CVE-2017-7593", "CVE-2017-7594", "CVE-2017-7595", "CVE-2017-7596", "CVE-2017-7597", "CVE-2017-7598", "CVE-2017-7599", "CVE-2017-7600", "CVE-2017-7601", "CVE-2017-7602", "CVE-2017-9403", "CVE-2017-9404");
    
      script_name(english:"openSUSE Security Update : tiff (openSUSE-2017-1118)");
      script_summary(english:"Check for the openSUSE-2017-1118 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tiff to version 4.0.8 fixes a several bugs and
    security issues :
    
    These security issues were fixed :
    
      - CVE-2017-7595: The JPEGSetupEncode function allowed
        remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted image (bsc#1033127).
    
      - CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational
        function allowed remote attackers to cause a denial of
        service (assertion failure and application exit) via a
        crafted TIFF file (bsc#1038438).
    
      - CVE-2017-7598: Error in tif_dirread.c allowed remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted image
        (bsc#1033118).
    
      - CVE-2017-7596: Undefined behavior because of floats
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033126).
    
      - CVE-2017-7597: Undefined behavior because of floats
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033120).
    
      - CVE-2017-7599: Undefined behavior because of shorts
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033113).
    
      - CVE-2017-7600: Undefined behavior because of chars
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033112).
    
      - CVE-2017-7601: Because of a shift exponent too large for
        64-bit type long undefined behavior was caused, which
        allowed remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image (bsc#1033111).
    
      - CVE-2017-7602: Prevent signed integer overflow, which
        allowed remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image (bsc#1033109).
    
      - CVE-2017-7592: The putagreytile function had a
        left-shift undefined behavior issue, which might allowed
        remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image (bsc#1033131).
    
      - CVE-2017-7593: Ensure that tif_rawdata is properly
        initialized, to prevent remote attackers to obtain
        sensitive information from process memory via a crafted
        image (bsc#1033129).
    
      - CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable
        function allowed remote attackers to cause a denial of
        service (memory leak) via a crafted image (bsc#1033128).
    
      - CVE-2017-9403: Prevent memory leak in function
        TIFFReadDirEntryLong8Array, which allowed attackers to
        cause a denial of service via a crafted file
        (bsc#1042805).
    
      - CVE-2017-9404: Fixed memory leak vulnerability in
        function OJPEGReadHeaderInfoSecTablesQTable, which
        allowed attackers to cause a denial of service via a
        crafted file (bsc#1042804).
    
    These various other issues were fixed :
    
      - Fix uint32 overflow in TIFFReadEncodedStrip() that
        caused an integer division by zero. Reported by Agostino
        Sarubbo.
    
      - fix heap-based buffer overflow on generation of PixarLog
        / LUV compressed files, with ColorMap, TransferFunction
        attached and nasty plays with bitspersample. The fix for
        LUV has not been tested, but suffers from the same kind
        of issue of PixarLog.
    
      - modify ChopUpSingleUncompressedStrip() to instanciate
        compute ntrips as TIFFhowmany_32(td->td_imagelength,
        rowsperstrip), instead of a logic based on the total
        size of data. Which is faulty is the total size of data
        is not sufficient to fill the whole image, and thus
        results in reading outside of the
        StripByCounts/StripOffsets arrays when using
        TIFFReadScanline()
    
      - make OJPEGDecode() early exit in case of failure in
        OJPEGPreDecode(). This will avoid a divide by zero, and
        potential other issues.
    
      - fix misleading indentation as warned by GCC.
    
      - revert change done on 2016-01-09 that made Param member
        of TIFFFaxTabEnt structure a uint16 to reduce size of
        the binary. It happens that the Hylafax software uses
        the tables that follow this typedef (TIFFFaxMainTable,
        TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are
        not in a public libtiff header.
    
      - add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt()
        variants of the functions without ext, with an extra
        argument to control the stop_on_error behaviour.
    
      - fix potential memory leaks in error code path of
        TIFFRGBAImageBegin().
    
      - increase libjpeg max memory usable to 10 MB instead of
        libjpeg 1MB default. This helps when creating files with
        'big' tile, without using libjpeg temporary files.
    
      - add _TIFFcalloc()
    
      - return 0 in Encode functions instead of -1 when
        TIFFFlushData1() fails.
    
      - only run JPEGFixupTagsSubsampling() if the
        YCbCrSubsampling tag is not explicitly present. This
        helps a bit to reduce the I/O amount when the tag is
        present (especially on cloud hosted files).
    
      - in LZWPostEncode(), increase, if necessary, the code
        bit-width after flushing the remaining code and before
        emitting the EOI code.
    
      - fix memory leak in error code path of
        PixarLogSetupDecode().
    
      - fix potential memory leak in
        OJPEGReadHeaderInfoSecTablesQTable,
        OJPEGReadHeaderInfoSecTablesDcTable and
        OJPEGReadHeaderInfoSecTablesAcTable
    
      - avoid crash in Fax3Close() on empty file.
    
      - TIFFFillStrip(): add limitation to the number of bytes
        read in case td_stripbytecount[strip] is bigger than
        reasonable, so as to avoid excessive memory allocation.
    
      - fix memory leak when the underlying codec (ZIP,
        PixarLog) succeeds its setupdecode() method, but
        PredictorSetup fails.
    
      - TIFFFillStrip() and TIFFFillTile(): avoid excessive
        memory allocation in case of shorten files. Only
        effective on 64 bit builds and non-mapped cases.
    
      - TIFFFillStripPartial() / TIFFSeek(), avoid potential
        integer overflows with read_ahead in
        CHUNKY_STRIP_READ_SUPPORT mode.
    
      - avoid excessive memory allocation in case of shorten
        files. Only effective on 64 bit builds.
    
      - update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with
        tif_rawdataloaded when calling TIFFStartStrip() or
        TIFFFillStripPartial(). 
    
      - avoid potential int32 overflow in TIFFYCbCrToRGBInit()
        Fixes
    
      - avoid potential int32 overflows in multiply_ms() and
        add_ms().
    
      - fix out-of-buffer read in PackBitsDecode() Fixes
    
      - LogL16InitState(): avoid excessive memory allocation
        when RowsPerStrip tag is missing.
    
      - update dec_bitsleft at beginning of LZWDecode(), and
        update tif_rawcc at end of LZWDecode(). This is needed
        to properly work with the latest chnges in tif_read.c in
        CHUNKY_STRIP_READ_SUPPORT mode.
    
      - PixarLogDecode(): resync tif_rawcp with next_in and
        tif_rawcc with avail_in at beginning and end of
        function, similarly to what is done in LZWDecode().
        Likely needed so that it works properly with latest
        chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.
    
      - initYCbCrConversion(): add basic validation of luma and
        refBlackWhite coefficients (just check they are not NaN
        for now), to avoid potential float to int overflows.
    
      - _TIFFVSetField(): fix outside range cast of double to
        float.
    
      - initYCbCrConversion(): check luma[1] is not zero to
        avoid division by zero
    
      - _TIFFVSetField(): fix outside range cast of double to
        float.
    
      - initYCbCrConversion(): check luma[1] is not zero to
        avoid division by zero.
    
      - initYCbCrConversion(): stricter validation for
        refBlackWhite coefficients values.
    
      - avoid uint32 underflow in cpDecodedStrips that can cause
        various issues, such as buffer overflows in the library.
    
      - fix readContigStripsIntoBuffer() in -i (ignore) mode so
        that the output buffer is correctly incremented to avoid
        write outside bounds.
    
      - add 3 extra bytes at end of strip buffer in
        readSeparateStripsIntoBuffer() to avoid read outside of
        heap allocated buffer.
    
      - fix integer division by zero when BitsPerSample is
        missing.
    
      - fix NULL pointer dereference in -r mode when the image
        has no StripByteCount tag.
    
      - avoid potential division by zero is BitsPerSamples tag
        is missing.
    
      - when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
        limit the return number of inks to SamplesPerPixel, so
        that code that parses ink names doesn't go past the end
        of the buffer.
    
      - avoid potential division by zero is BitsPerSamples tag
        is missing.
    
      - fix uint32 underflow/overflow that can cause heap-based
        buffer overflow.
    
      - replace assert( (bps % 8) == 0 ) by a non assert check.
    
      - fix 2 heap-based buffer overflows (in PSDataBW and
        PSDataColorContig).
    
      - prevent heap-based buffer overflow in -j mode on a
        paletted image.
    
      - fix wrong usage of memcpy() that can trigger unspecified
        behaviour.
    
      - avoid potential invalid memory read in t2p_writeproc.
    
      - avoid potential heap-based overflow in
        t2p_readwrite_pdf_image_tile().
    
      - remove extraneous TIFFClose() in error code path, that
        caused double free.
    
      - error out cleanly in cpContig2SeparateByRow and
        cpSeparate2ContigByRow if BitsPerSample != 8 to avoid
        heap based overflow.
    
      - avoid integer division by zero.
    
      - call TIFFClose() in error code paths.
    
      - emit appropriate message if the input file is empty.
    
      - close TIFF handle in error code path.
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033113"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033126"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033127"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033128"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033129"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1033131"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1038438"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1042804"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1042805"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected tiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff-devel-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libtiff5-debuginfo-32bit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tiff-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff-devel-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff5-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libtiff5-debuginfo-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-debuginfo-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"tiff-debugsource-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.8-17.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libtiff-devel-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libtiff5-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"libtiff5-debuginfo-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"tiff-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"tiff-debuginfo-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"tiff-debugsource-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff-devel-32bit-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff5-32bit-4.0.8-21.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.8-21.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-devel-32bit / libtiff-devel / libtiff5-32bit / libtiff5 / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1447.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2017-17095) - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-04-30
    modified2020-04-16
    plugin id135609
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135609
    titleEulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2020-1447)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135609);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/24");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-17095",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546"
      );
    
      script_name(english:"EulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2020-1447)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff package installed, the
    EulerOS Virtualization installation on the remote host is affected by
    the following vulnerabilities :
    
      - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows
        remote attackers to cause a denial of service
        (TIFFSetupStrips heap-based buffer overflow and
        application crash) or possibly have unspecified other
        impact via a crafted TIFF file.(CVE-2017-17095)
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.The _TIFFFax3fillruns function in
        libtiff before 4.0.6 allows remote attackers to cause a
        denial of service (divide-by-zero error and application
        crash) via a crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - tiffsplit in libtiff 4.0.6 allows remote attackers to
        cause a denial of service (out-of-bounds read) via a
        crafted file, related to changing td_nstrips in
        TIFF_STRIPCHOP mode.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1447
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?abf17028");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.2");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.2") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.2");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2466.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF format image files. Security Fix(es):There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727)The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592)An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100)tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593)The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594)The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595)LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-12-04
    plugin id131619
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131619
    titleEulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-2466)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131619);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3186",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-6223",
        "CVE-2016-9273",
        "CVE-2016-9532",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-16232",
        "CVE-2017-5563",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10963",
        "CVE-2018-12900",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-19210",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546",
        "CVE-2019-6128",
        "CVE-2019-7663"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-2466)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The libtiff package contains a library of functions for
        manipulating TIFF (Tagged Image File Format) image
        format files. TIFF is a widely used file format for
        bitmapped images. TIFF files usually end in the .tif
        extension and they are often quite large. The libtiff
        package should be installed if you need to manipulate
        TIFF format image files. Security Fix(es):There is a
        reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)The putagreytile function in
        tif_getimage.c in LibTIFF 4.0.7 has a left-shift
        undefined behavior issue, which might allow remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image.(CVE-2017-7592)An issue was discovered in
        LibTIFF 4.0.9. There is a int32 overflow in multiply_ms
        in tools/ppm2tiff.c, which can cause a denial of
        service (crash) or possibly have unspecified other
        impact via a crafted image
        file.(CVE-2018-17100)tif_read.c in LibTIFF 4.0.7 does
        not ensure that tif_rawdata is properly initialized,
        which might allow remote attackers to obtain sensitive
        information from process memory via a crafted
        image.(CVE-2017-7593)The
        OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)The JPEGSetupEncode function in
        tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (divide-by-zero error and
        application crash) via a crafted
        image.(CVE-2017-7595)LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7596)tif_dirread.c in LibTIFF 4.0.7 has
        an 'outside the range of representable values of type
        float' undefined behavior issue, which might allow
        remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7597)LibTIFF 4.0.7
        has an 'outside the range of representable values of
        type short' undefined behavior issue, which might allow
        remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7599)LibTIFF 4.0.7
        has an 'outside the range of representable values of
        type unsigned char' undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7600)tif_dirread.c in LibTIFF 4.0.7
        might allow remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7598)LibTIFF 4.0.7 has a
        'shift exponent too large for 64-bit type long'
        undefined behavior issue, which might allow remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image.(CVE-2017-7601)LibTIFF 4.0.7 has a signed
        integer overflow, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7602)LibTIFF version 4.0.7 is
        vulnerable to a heap-based buffer over-read in
        tif_lzw.c resulting in DoS or code execution via a
        crafted bmp image to tools/bmp2tiff.(CVE-2017-5563)In
        LibTIFF 4.0.7, the program processes BMP images without
        verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)In LibTIFF 4.0.7, a memory leak
        vulnerability was found in the function
        TIFFReadDirEntryLong8Array in tif_dirread.c, which
        allows attackers to cause a denial of service via a
        crafted file.(CVE-2017-9403)In LibTIFF 4.0.8, there is
        a memory leak in tif_jbig.c. A crafted TIFF document
        can lead to a memory leak resulting in a remote denial
        of service attack.(CVE-2017-9936)In LibTIFF 4.0.9, a
        heap-based buffer overflow occurs in the function
        LZWDecodeCompat in tif_lzw.c via a crafted TIFF file,
        as demonstrated by tiff2ps.(CVE-2018-8905)Heap-based
        buffer overflow in the readContigStripsIntoBuffer
        function in tif_unix.c in LibTIFF 4.0.7 allows remote
        attackers to have unspecified impact via a crafted
        image.(CVE-2016-10092)LibTIFF 4.0.7 allows remote
        attackers to cause a denial of service (heap-based
        buffer overflow) or possibly have unspecified other
        impact via a crafted TIFF image, related to 'WRITE of
        size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)tools/tiffcp.
        c in LibTIFF 4.0.7 allows remote attackers to cause a
        denial of service (integer underflow and heap-based
        buffer under-read) or possibly have unspecified other
        impact via a crafted TIFF image, related to 'READ of
        size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (heap-based buffer over-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)LibTIFF 4.0.7
        allows remote attackers to cause a denial of service
        (heap-based buffer over-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)The
        TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)Buffer overflow in the
        readextension function in gif2tiff.c in LibTIFF 4.0.6
        allows remote attackers to cause a denial of service
        (application crash) via a crafted GIF
        file.(CVE-2016-3186)The fpAcc function in tif_predict.c
        in the tiff2rgba tool in LibTIFF 4.0.6 and earlier
        allows remote attackers to cause a denial of service
        (divide-by-zero error) via a crafted TIFF
        image.(CVE-2016-3622)tiffsplit in libtiff 4.0.6 allows
        remote attackers to cause a denial of service
        (out-of-bounds read) via a crafted file, related to
        changing td_nstrips in TIFF_STRIPCHOP
        mode.(CVE-2016-9273)tools/tiffcrop.c in libtiff 4.0.6
        reads an undefined buffer in
        readContigStripsIntoBuffer() because of a uint16
        integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)tools/tiffcrop.c in libtiff 4.0.6
        has an out-of-bounds read in
        readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)In LibTIFF 4.0.8, there is a
        assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)The
        TIFFReadDirEntryArray function in tif_read.c in LibTIFF
        4.0.8 mishandles memory allocation for short files,
        which allows remote attackers to cause a denial of
        service (allocation failure and application crash) in
        the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)There is a
        reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)tif_getimage.c in LibTIFF
        through 4.0.10, as used in GDAL through 3.0.1 and other
        products, has an integer overflow that potentially
        causes a heap-based buffer overflow via a crafted RGBA
        image, related to a 'Negative-size-param'
        condition.(CVE-2019-17546)_TIFFCheckMalloc and
        _TIFFCheckRealloc in tif_aux.c in LibTIFF through
        4.0.10 mishandle Integer Overflow checks because they
        rely on compiler behavior that is undefined by the
        applicable C standards. This can, for example, lead to
        an application crash.(CVE-2019-14973)Buffer overflow in
        the readgifimage function in gif2tiff.c in the gif2tiff
        tool in LibTIFF 4.0.6 allows remote attackers to cause
        a denial of service (segmentation fault) via a crafted
        gif file.(CVE-2016-5102)** DISPUTED ** LibTIFF 4.0.8
        has multiple memory leak vulnerabilities, which allow
        attackers to cause a denial of service (memory
        consumption), as demonstrated by tif_open.c, tif_lzw.c,
        and tif_aux.c. NOTE: Third parties were unable to
        reproduce the issue.(CVE-2017-16232)An issue was
        discovered in LibTIFF 4.0.9. There is a NULL pointer
        dereference in the function LZWDecode in the file
        tif_lzw.c.(CVE-2018-18661)The rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (divide-by-zero) by setting the (1) v
        or (2) h parameter to 0.(CVE-2016-3623)The cvtClump
        function in the rgb2ycbcr tool in LibTIFF 4.0.6 and
        earlier allows remote attackers to cause a denial of
        service (out-of-bounds write) by setting the '-v'
        option to -1.(CVE-2016-3624)Stack-based buffer overflow
        in the _TIFFVGetField function in libtiff 4.0.6 and
        earlier allows remote attackers to crash the
        application via a crafted tiff.(CVE-2016-5318)LibTIFF
        4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)The _TIFFFax3fillruns
        function in libtiff before 4.0.6 allows remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted Tiff
        image.(CVE-2016-5323)The DumpModeDecode function in
        libtiff 4.0.6 and earlier allows attackers to cause a
        denial of service (invalid read and crash) via a
        crafted tiff image.(CVE-2016-5321)The TIFFReadRawStrip1
        and TIFFReadRawTile1 functions in tif_read.c in libtiff
        before 4.0.7 allows remote attackers to cause a denial
        of service (crash) or possibly obtain sensitive
        information via a negative index in a file-content
        buffer.(CVE-2016-6223)Integer overflow in the
        writeBufferToSeparateStrips function in tiffcrop.c in
        LibTIFF before 4.0.7 allows remote attackers to cause a
        denial of service (out-of-bounds read) via a crafted
        tif file.(CVE-2016-9532)The TIFFWriteDirectorySec()
        function in tif_dirwrite.c in LibTIFF through 4.0.9
        allows remote attackers to cause a denial of service
        (assertion failure and application crash) via a crafted
        file, a different vulnerability than
        CVE-2017-13726.(CVE-2018-10963)Heap-based buffer
        overflow in the cpSeparateBufToContigBuf function in
        tiffcp.c in LibTIFF 4.0.9 allows remote attackers to
        cause a denial of service (crash) or possibly have
        unspecified other impact via a crafted TIFF
        file.(CVE-2018-12900)An issue was discovered in LibTIFF
        4.0.9. There are two out-of-bounds writes in cpTags in
        tools/tiff2bw.c and tools/pal2rgb.c, which can cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted image
        file.(CVE-2018-17101)LibTIFF 4.0.9 (with JBIG enabled)
        decodes arbitrarily-sized JBIG into a buffer, ignoring
        the buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)In LibTIFF 4.0.9,
        there is a NULL pointer dereference in the
        TIFFWriteDirectorySec function in tif_dirwrite.c that
        will lead to a denial of service attack, as
        demonstrated by tiffset.(CVE-2018-19210)The TIFFFdOpen
        function in tif_unix.c in LibTIFF 4.0.10 has a memory
        leak, as demonstrated by pal2rgb.(CVE-2019-6128)An
        Invalid Address dereference was discovered in
        TIFFWriteDirectoryTagTransferfunction in
        libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the
        cpSeparateBufToContigBuf function in tiffcp.c. Remote
        attackers could leverage this vulnerability to cause a
        denial-of-service via a crafted tiff file. This is
        different from CVE-2018-12900.(CVE-2019-7663)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2466
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1fc9e3a2");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/04");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h18",
            "libtiff-devel-4.0.3-27.h18"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3903.NASL
    descriptionMultiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id101241
    published2017-07-06
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101241
    titleDebian DSA-3903-1 : tiff - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3903. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101241);
      script_version("3.7");
      script_cvs_date("Date: 2018/11/10 11:49:38");
    
      script_cve_id("CVE-2016-10095", "CVE-2017-10688", "CVE-2017-9147", "CVE-2017-9403", "CVE-2017-9404", "CVE-2017-9936");
      script_xref(name:"DSA", value:"3903");
    
      script_name(english:"Debian DSA-3903-1 : tiff - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities have been discovered in the libtiff library
    and the included tools, which may result in denial of service or the
    execution of arbitrary code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/tiff"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/tiff"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2017/dsa-3903"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the tiff packages.
    
    For the oldstable distribution (jessie), these problems have been
    fixed in version 4.0.3-12.3+deb8u4.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 4.0.8-2+deb9u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"libtiff-doc", reference:"4.0.3-12.3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libtiff-opengl", reference:"4.0.3-12.3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libtiff-tools", reference:"4.0.3-12.3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libtiff5", reference:"4.0.3-12.3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libtiff5-dev", reference:"4.0.3-12.3+deb8u4")) flag++;
    if (deb_check(release:"8.0", prefix:"libtiffxx5", reference:"4.0.3-12.3+deb8u4")) flag++;
    if (deb_check(release:"9.0", prefix:"libtiff-doc", reference:"4.0.8-2+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libtiff-opengl", reference:"4.0.8-2+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libtiff-tools", reference:"4.0.8-2+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libtiff5", reference:"4.0.8-2+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libtiff5-dev", reference:"4.0.8-2+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"libtiffxx5", reference:"4.0.8-2+deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201709-27.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201709-27 (libTIFF: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in LibTIFF. Please review the referenced CVE identifiers for details. Impact : A remote attacker, by enticing the user to process a specially crafted TIFF file, could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id103486
    published2017-09-27
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103486
    titleGLSA-201709-27 : libTIFF: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201709-27.
    #
    # The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103486);
      script_version("$Revision: 3.2 $");
      script_cvs_date("$Date: 2017/10/02 21:12:27 $");
    
      script_cve_id("CVE-2016-10267", "CVE-2016-10268", "CVE-2017-5225", "CVE-2017-5563", "CVE-2017-7592", "CVE-2017-7593", "CVE-2017-7594", "CVE-2017-7595", "CVE-2017-7596", "CVE-2017-7597", "CVE-2017-7598", "CVE-2017-7599", "CVE-2017-7600", "CVE-2017-7601", "CVE-2017-7602", "CVE-2017-9403");
      script_xref(name:"GLSA", value:"201709-27");
    
      script_name(english:"GLSA-201709-27 : libTIFF: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201709-27
    (libTIFF: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in LibTIFF. Please review
          the referenced CVE identifiers for details.
      
    Impact :
    
        A remote attacker, by enticing the user to process a specially crafted
          TIFF file, could possibly execute arbitrary code with the privileges of
          the process, cause a Denial of Service condition, obtain sensitive
          information, or have other unspecified impacts.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201709-27"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All LibTIFF users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=media-libs/tiff-4.0.8'
        Packages which depend on this library may need to be recompiled. Tools
          such as revdep-rebuild may assist in identifying some of these packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-libs/tiff", unaffected:make_list("ge 4.0.8"), vulnerable:make_list("lt 4.0.8"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libTIFF");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3602-1.NASL
    descriptionIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id108513
    published2018-03-21
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108513
    titleUbuntu 14.04 LTS / 16.04 LTS : tiff vulnerabilities (USN-3602-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3602-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108513);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2016-10266", "CVE-2016-10267", "CVE-2016-10268", "CVE-2016-10269", "CVE-2016-10371", "CVE-2017-10688", "CVE-2017-11335", "CVE-2017-12944", "CVE-2017-13726", "CVE-2017-13727", "CVE-2017-18013", "CVE-2017-7592", "CVE-2017-7593", "CVE-2017-7594", "CVE-2017-7595", "CVE-2017-7596", "CVE-2017-7597", "CVE-2017-7598", "CVE-2017-7599", "CVE-2017-7600", "CVE-2017-7601", "CVE-2017-7602", "CVE-2017-9403", "CVE-2017-9404", "CVE-2017-9815", "CVE-2017-9936", "CVE-2018-5784");
      script_xref(name:"USN", value:"3602-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS : tiff vulnerabilities (USN-3602-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that LibTIFF incorrectly handled certain malformed
    images. If a user or automated system were tricked into opening a
    specially crafted image, a remote attacker could crash the
    application, leading to a denial of service, or possibly execute
    arbitrary code with user privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3602-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libtiff-tools and / or libtiff5 packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtiff-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtiff5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"libtiff-tools", pkgver:"4.0.3-7ubuntu0.8")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"libtiff5", pkgver:"4.0.3-7ubuntu0.8")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libtiff-tools", pkgver:"4.0.6-1ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"libtiff5", pkgver:"4.0.6-1ubuntu0.3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff-tools / libtiff5");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2569-1.NASL
    descriptionThis update for tiff to version 4.0.8 fixes a several bugs and security issues: These security issues were fixed : - CVE-2017-7595: The JPEGSetupEncode function allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033127). - CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational function allowed remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF file (bsc#1038438). - CVE-2017-7598: Error in tif_dirread.c allowed remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image (bsc#1033118). - CVE-2017-7596: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033126). - CVE-2017-7597: Undefined behavior because of floats outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033120). - CVE-2017-7599: Undefined behavior because of shorts outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033113). - CVE-2017-7600: Undefined behavior because of chars outside their expected value range, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033112). - CVE-2017-7601: Because of a shift exponent too large for 64-bit type long undefined behavior was caused, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033111). - CVE-2017-7602: Prevent signed integer overflow, which allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033109). - CVE-2017-7592: The putagreytile function had a left-shift undefined behavior issue, which might allowed remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033131). - CVE-2017-7593: Ensure that tif_rawdata is properly initialized, to prevent remote attackers to obtain sensitive information from process memory via a crafted image (bsc#1033129). - CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable function allowed remote attackers to cause a denial of service (memory leak) via a crafted image (bsc#1033128). - CVE-2017-9403: Prevent memory leak in function TIFFReadDirEntryLong8Array, which allowed attackers to cause a denial of service via a crafted file (bsc#1042805). - CVE-2017-9404: Fixed memory leak vulnerability in function OJPEGReadHeaderInfoSecTablesQTable, which allowed attackers to cause a denial of service via a crafted file (bsc#1042804). These various other issues were fixed : - Fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer division by zero. Reported by Agostino Sarubbo. - fix heap-based buffer overflow on generation of PixarLog / LUV compressed files, with ColorMap, TransferFunction attached and nasty plays with bitspersample. The fix for LUV has not been tested, but suffers from the same kind of issue of PixarLog. - modify ChopUpSingleUncompressedStrip() to instanciate compute ntrips as TIFFhowmany_32(td->td_imagelength, rowsperstrip), instead of a logic based on the total size of data. Which is faulty is the total size of data is not sufficient to fill the whole image, and thus results in reading outside of the StripByCounts/StripOffsets arrays when using TIFFReadScanline() - make OJPEGDecode() early exit in case of failure in OJPEGPreDecode(). This will avoid a divide by zero, and potential other issues. - fix misleading indentation as warned by GCC. - revert change done on 2016-01-09 that made Param member of TIFFFaxTabEnt structure a uint16 to reduce size of the binary. It happens that the Hylafax software uses the tables that follow this typedef (TIFFFaxMainTable, TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are not in a public libtiff header. - add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt() variants of the functions without ext, with an extra argument to control the stop_on_error behaviour. - fix potential memory leaks in error code path of TIFFRGBAImageBegin(). - increase libjpeg max memory usable to 10 MB instead of libjpeg 1MB default. This helps when creating files with
    last seen2020-06-01
    modified2020-06-02
    plugin id103503
    published2017-09-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103503
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2017:2569-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:2569-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103503);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/11 11:22:16");
    
      script_cve_id("CVE-2016-10371", "CVE-2017-7592", "CVE-2017-7593", "CVE-2017-7594", "CVE-2017-7595", "CVE-2017-7596", "CVE-2017-7597", "CVE-2017-7598", "CVE-2017-7599", "CVE-2017-7600", "CVE-2017-7601", "CVE-2017-7602", "CVE-2017-9403", "CVE-2017-9404");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2017:2569-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for tiff to version 4.0.8 fixes a several bugs and
    security issues: These security issues were fixed :
    
      - CVE-2017-7595: The JPEGSetupEncode function allowed
        remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted image (bsc#1033127).
    
      - CVE-2016-10371: The TIFFWriteDirectoryTagCheckedRational
        function allowed remote attackers to cause a denial of
        service (assertion failure and application exit) via a
        crafted TIFF file (bsc#1038438).
    
      - CVE-2017-7598: Error in tif_dirread.c allowed remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted image
        (bsc#1033118).
    
      - CVE-2017-7596: Undefined behavior because of floats
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033126).
    
      - CVE-2017-7597: Undefined behavior because of floats
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033120).
    
      - CVE-2017-7599: Undefined behavior because of shorts
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033113).
    
      - CVE-2017-7600: Undefined behavior because of chars
        outside their expected value range, which allowed remote
        attackers to cause a denial of service (application
        crash) or possibly have unspecified other impact via a
        crafted image (bsc#1033112).
    
      - CVE-2017-7601: Because of a shift exponent too large for
        64-bit type long undefined behavior was caused, which
        allowed remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image (bsc#1033111).
    
      - CVE-2017-7602: Prevent signed integer overflow, which
        allowed remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image (bsc#1033109).
    
      - CVE-2017-7592: The putagreytile function had a
        left-shift undefined behavior issue, which might allowed
        remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image (bsc#1033131).
    
      - CVE-2017-7593: Ensure that tif_rawdata is properly
        initialized, to prevent remote attackers to obtain
        sensitive information from process memory via a crafted
        image (bsc#1033129).
    
      - CVE-2017-7594: The OJPEGReadHeaderInfoSecTablesDcTable
        function allowed remote attackers to cause a denial of
        service (memory leak) via a crafted image (bsc#1033128).
    
      - CVE-2017-9403: Prevent memory leak in function
        TIFFReadDirEntryLong8Array, which allowed attackers to
        cause a denial of service via a crafted file
        (bsc#1042805).
    
      - CVE-2017-9404: Fixed memory leak vulnerability in
        function OJPEGReadHeaderInfoSecTablesQTable, which
        allowed attackers to cause a denial of service via a
        crafted file (bsc#1042804). These various other issues
        were fixed :
    
      - Fix uint32 overflow in TIFFReadEncodedStrip() that
        caused an integer division by zero. Reported by Agostino
        Sarubbo.
    
      - fix heap-based buffer overflow on generation of PixarLog
        / LUV compressed files, with ColorMap, TransferFunction
        attached and nasty plays with bitspersample. The fix for
        LUV has not been tested, but suffers from the same kind
        of issue of PixarLog.
    
      - modify ChopUpSingleUncompressedStrip() to instanciate
        compute ntrips as TIFFhowmany_32(td->td_imagelength,
        rowsperstrip), instead of a logic based on the total
        size of data. Which is faulty is the total size of data
        is not sufficient to fill the whole image, and thus
        results in reading outside of the
        StripByCounts/StripOffsets arrays when using
        TIFFReadScanline()
    
      - make OJPEGDecode() early exit in case of failure in
        OJPEGPreDecode(). This will avoid a divide by zero, and
        potential other issues.
    
      - fix misleading indentation as warned by GCC.
    
      - revert change done on 2016-01-09 that made Param member
        of TIFFFaxTabEnt structure a uint16 to reduce size of
        the binary. It happens that the Hylafax software uses
        the tables that follow this typedef (TIFFFaxMainTable,
        TIFFFaxWhiteTable, TIFFFaxBlackTable), although they are
        not in a public libtiff header.
    
      - add TIFFReadRGBAStripExt() and TIFFReadRGBATileExt()
        variants of the functions without ext, with an extra
        argument to control the stop_on_error behaviour.
    
      - fix potential memory leaks in error code path of
        TIFFRGBAImageBegin().
    
      - increase libjpeg max memory usable to 10 MB instead of
        libjpeg 1MB default. This helps when creating files with
        'big' tile, without using libjpeg temporary files.
    
      - add _TIFFcalloc()
    
      - return 0 in Encode functions instead of -1 when
        TIFFFlushData1() fails.
    
      - only run JPEGFixupTagsSubsampling() if the
        YCbCrSubsampling tag is not explicitly present. This
        helps a bit to reduce the I/O amount when the tag is
        present (especially on cloud hosted files).
    
      - in LZWPostEncode(), increase, if necessary, the code
        bit-width after flushing the remaining code and before
        emitting the EOI code.
    
      - fix memory leak in error code path of
        PixarLogSetupDecode().
    
      - fix potential memory leak in
        OJPEGReadHeaderInfoSecTablesQTable,
        OJPEGReadHeaderInfoSecTablesDcTable and
        OJPEGReadHeaderInfoSecTablesAcTable
    
      - avoid crash in Fax3Close() on empty file.
    
      - TIFFFillStrip(): add limitation to the number of bytes
        read in case td_stripbytecount[strip] is bigger than
        reasonable, so as to avoid excessive memory allocation.
    
      - fix memory leak when the underlying codec (ZIP,
        PixarLog) succeeds its setupdecode() method, but
        PredictorSetup fails.
    
      - TIFFFillStrip() and TIFFFillTile(): avoid excessive
        memory allocation in case of shorten files. Only
        effective on 64 bit builds and non-mapped cases.
    
      - TIFFFillStripPartial() / TIFFSeek(), avoid potential
        integer overflows with read_ahead in
        CHUNKY_STRIP_READ_SUPPORT mode.
    
      - avoid excessive memory allocation in case of shorten
        files. Only effective on 64 bit builds.
    
      - update tif_rawcc in CHUNKY_STRIP_READ_SUPPORT mode with
        tif_rawdataloaded when calling TIFFStartStrip() or
        TIFFFillStripPartial().
    
      - avoid potential int32 overflow in TIFFYCbCrToRGBInit()
        Fixes
    
      - avoid potential int32 overflows in multiply_ms() and
        add_ms().
    
      - fix out-of-buffer read in PackBitsDecode() Fixes
    
      - LogL16InitState(): avoid excessive memory allocation
        when RowsPerStrip tag is missing.
    
      - update dec_bitsleft at beginning of LZWDecode(), and
        update tif_rawcc at end of LZWDecode(). This is needed
        to properly work with the latest chnges in tif_read.c in
        CHUNKY_STRIP_READ_SUPPORT mode.
    
      - PixarLogDecode(): resync tif_rawcp with next_in and
        tif_rawcc with avail_in at beginning and end of
        function, similarly to what is done in LZWDecode().
        Likely needed so that it works properly with latest
        chnges in tif_read.c in CHUNKY_STRIP_READ_SUPPORT mode.
    
      - initYCbCrConversion(): add basic validation of luma and
        refBlackWhite coefficients (just check they are not NaN
        for now), to avoid potential float to int overflows.
    
      - _TIFFVSetField(): fix outside range cast of double to
        float.
    
      - initYCbCrConversion(): check luma[1] is not zero to
        avoid division by zero
    
      - _TIFFVSetField(): fix outside range cast of double to
        float.
    
      - initYCbCrConversion(): check luma[1] is not zero to
        avoid division by zero.
    
      - initYCbCrConversion(): stricter validation for
        refBlackWhite coefficients values.
    
      - avoid uint32 underflow in cpDecodedStrips that can cause
        various issues, such as buffer overflows in the library.
    
      - fix readContigStripsIntoBuffer() in -i (ignore) mode so
        that the output buffer is correctly incremented to avoid
        write outside bounds.
    
      - add 3 extra bytes at end of strip buffer in
        readSeparateStripsIntoBuffer() to avoid read outside of
        heap allocated buffer.
    
      - fix integer division by zero when BitsPerSample is
        missing.
    
      - fix NULL pointer dereference in -r mode when the image
        has no StripByteCount tag.
    
      - avoid potential division by zero is BitsPerSamples tag
        is missing.
    
      - when TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) is called,
        limit the return number of inks to SamplesPerPixel, so
        that code that parses ink names doesn't go past the end
        of the buffer.
    
      - avoid potential division by zero is BitsPerSamples tag
        is missing.
    
      - fix uint32 underflow/overflow that can cause heap-based
        buffer overflow.
    
      - replace assert( (bps % 8) == 0 ) by a non assert check.
    
      - fix 2 heap-based buffer overflows (in PSDataBW and
        PSDataColorContig).
    
      - prevent heap-based buffer overflow in -j mode on a
        paletted image.
    
      - fix wrong usage of memcpy() that can trigger unspecified
        behaviour.
    
      - avoid potential invalid memory read in t2p_writeproc.
    
      - avoid potential heap-based overflow in
        t2p_readwrite_pdf_image_tile().
    
      - remove extraneous TIFFClose() in error code path, that
        caused double free.
    
      - error out cleanly in cpContig2SeparateByRow and
        cpSeparate2ContigByRow if BitsPerSample != 8 to avoid
        heap based overflow.
    
      - avoid integer division by zero.
    
      - call TIFFClose() in error code paths.
    
      - emit appropriate message if the input file is empty.
    
      - close TIFF handle in error code path.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033113"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033120"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033126"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033127"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033128"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033129"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1033131"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1038438"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042804"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10371/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7592/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7593/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7594/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7595/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7596/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7597/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7598/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7599/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7600/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7601/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7602/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9403/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9404/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20172569-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6dda5e4a"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2017-1589=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2017-1589=1
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2017-1589=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2017-1589=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-1589=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2017-1589=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-1589=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libtiff5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:tiff-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2/3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2/3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libtiff5-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libtiff5-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"tiff-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"tiff-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"tiff-debugsource-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libtiff5-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"libtiff5-debuginfo-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libtiff5-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libtiff5-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"tiff-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"tiff-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"tiff-debugsource-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libtiff5-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"libtiff5-debuginfo-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libtiff5-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libtiff5-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"tiff-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"tiff-debugsource-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-32bit-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"libtiff5-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"tiff-debuginfo-4.0.8-44.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"tiff-debugsource-4.0.8-44.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tiff");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-984.NASL
    descriptiontiff was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches by the upstream provided patches to stay closer to upstream. For Debian 7
    last seen2020-03-17
    modified2017-06-14
    plugin id100772
    published2017-06-14
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/100772
    titleDebian DLA-984-1 : tiff security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-984-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100772);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-10095", "CVE-2017-9147", "CVE-2017-9403", "CVE-2017-9404");
    
      script_name(english:"Debian DLA-984-1 : tiff security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "tiff was affected by multiple memory leaks (CVE-2017-9403,
    CVE-2017-9404) that could result in denial of service. Furthermore,
    while the current version in Debian was already patched for
    _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our
    Debian-specific patches by the upstream provided patches to stay
    closer to upstream.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    4.0.2-6+deb7u14.
    
    We recommend that you upgrade your tiff packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2017/06/msg00013.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/tiff"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-opengl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5-alt-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiffxx5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libtiff-doc", reference:"4.0.2-6+deb7u14")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff-opengl", reference:"4.0.2-6+deb7u14")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff-tools", reference:"4.0.2-6+deb7u14")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff5", reference:"4.0.2-6+deb7u14")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff5-alt-dev", reference:"4.0.2-6+deb7u14")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff5-dev", reference:"4.0.2-6+deb7u14")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiffxx5", reference:"4.0.2-6+deb7u14")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2209.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-05-08
    modified2019-11-08
    plugin id130671
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130671
    titleEulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-2209)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130671);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-2209)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.The _TIFFFax3fillruns function in
        libtiff before 4.0.6 allows remote attackers to cause a
        denial of service (divide-by-zero error and application
        crash) via a crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - tiffsplit in libtiff 4.0.6 allows remote attackers to
        cause a denial of service (out-of-bounds read) via a
        crafted file, related to changing td_nstrips in
        TIFF_STRIPCHOP mode.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2209
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1833399b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22.eulerosv2r7",
            "libtiff-devel-4.0.3-27.h22.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2265.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727) - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592) - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593) - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594) - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595) - LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-11-08
    plugin id130727
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130727
    titleEulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2265)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130727);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3186",
        "CVE-2016-3622",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-7456",
        "CVE-2018-8905"
      );
    
      script_name(english:"EulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2265)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - tiffsplit in libtiff 4.0.6 allows remote attackers to
        cause a denial of service (out-of-bounds read) via a
        crafted file, related to changing td_nstrips in
        TIFF_STRIPCHOP mode.(CVE-2016-9273)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - Buffer overflow in the readextension function in
        gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to
        cause a denial of service (application crash) via a
        crafted GIF file.(CVE-2016-3186)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2265
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4354c43e");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h14",
            "libtiff-devel-4.0.3-27.h14"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-983.NASL
    descriptiontiff3 was affected by multiple memory leaks (CVE-2017-9403, CVE-2017-9404) that could result in denial of service. Furthermore, while the current version in Debian was already patched for _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our Debian-specific patches by the upstream provided patches to stay closer to upstream. For Debian 7
    last seen2020-03-17
    modified2017-06-14
    plugin id100771
    published2017-06-14
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/100771
    titleDebian DLA-983-1 : tiff3 security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-983-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100771);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2016-10095", "CVE-2017-9147", "CVE-2017-9403", "CVE-2017-9404");
    
      script_name(english:"Debian DLA-983-1 : tiff3 security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "tiff3 was affected by multiple memory leaks (CVE-2017-9403,
    CVE-2017-9404) that could result in denial of service. Furthermore,
    while the current version in Debian was already patched for
    _TIFFVGetField issues (CVE-2016-10095, CVE-2017-9147), we replaced our
    Debian-specific patches by the upstream provided patches to stay
    closer to upstream.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    3.9.6-11+deb7u6.
    
    We recommend that you upgrade your tiff3 packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2017/06/msg00012.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/tiff3"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff4-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiffxx0c2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libtiff4", reference:"3.9.6-11+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiff4-dev", reference:"3.9.6-11+deb7u6")) flag++;
    if (deb_check(release:"7.0", prefix:"libtiffxx0c2", reference:"3.9.6-11+deb7u6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");