Vulnerabilities > CVE-2017-9935 - Out-of-bounds Read vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1206.NASL description In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. This overflow is linked to an underlying assumption that all pages in a tiff document will have the same transfer function. There is nothing in the tiff standard that says this needs to be the case. For Debian 7 last seen 2020-03-17 modified 2017-12-13 plugin id 105194 published 2017-12-13 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105194 title Debian DLA-1206-1 : tiff security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1206-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(105194); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-9935"); script_name(english:"Debian DLA-1206-1 : tiff security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution. This overflow is linked to an underlying assumption that all pages in a tiff document will have the same transfer function. There is nothing in the tiff standard that says this needs to be the case. For Debian 7 'Wheezy', these problems have been fixed in version 4.0.2-6+deb7u17. We recommend that you upgrade your tiff packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2017/12/msg00008.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/tiff" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-opengl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5-alt-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiff5-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtiffxx5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"libtiff-doc", reference:"4.0.2-6+deb7u17")) flag++; if (deb_check(release:"7.0", prefix:"libtiff-opengl", reference:"4.0.2-6+deb7u17")) flag++; if (deb_check(release:"7.0", prefix:"libtiff-tools", reference:"4.0.2-6+deb7u17")) flag++; if (deb_check(release:"7.0", prefix:"libtiff5", reference:"4.0.2-6+deb7u17")) flag++; if (deb_check(release:"7.0", prefix:"libtiff5-alt-dev", reference:"4.0.2-6+deb7u17")) flag++; if (deb_check(release:"7.0", prefix:"libtiff5-dev", reference:"4.0.2-6+deb7u17")) flag++; if (deb_check(release:"7.0", prefix:"libtiffxx5", reference:"4.0.2-6+deb7u17")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4100.NASL description Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 106414 published 2018-01-29 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106414 title Debian DSA-4100-1 : tiff - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4100. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(106414); script_version("3.3"); script_cvs_date("Date: 2018/11/13 12:30:46"); script_cve_id("CVE-2017-11335", "CVE-2017-12944", "CVE-2017-13726", "CVE-2017-13727", "CVE-2017-18013", "CVE-2017-9935"); script_xref(name:"DSA", value:"4100"); script_name(english:"Debian DSA-4100-1 : tiff - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/tiff" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/tiff" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/tiff" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2018/dsa-4100" ); script_set_attribute( attribute:"solution", value: "Upgrade the tiff packages. For the oldstable distribution (jessie), these problems have been fixed in version 4.0.3-12.3+deb8u5. For the stable distribution (stretch), these problems have been fixed in version 4.0.8-2+deb9u2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tiff"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libtiff-doc", reference:"4.0.3-12.3+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libtiff-opengl", reference:"4.0.3-12.3+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libtiff-tools", reference:"4.0.3-12.3+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libtiff5", reference:"4.0.3-12.3+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libtiff5-dev", reference:"4.0.3-12.3+deb8u5")) flag++; if (deb_check(release:"8.0", prefix:"libtiffxx5", reference:"4.0.3-12.3+deb8u5")) flag++; if (deb_check(release:"9.0", prefix:"libtiff-doc", reference:"4.0.8-2+deb9u2")) flag++; if (deb_check(release:"9.0", prefix:"libtiff-opengl", reference:"4.0.8-2+deb9u2")) flag++; if (deb_check(release:"9.0", prefix:"libtiff-tools", reference:"4.0.8-2+deb9u2")) flag++; if (deb_check(release:"9.0", prefix:"libtiff5", reference:"4.0.8-2+deb9u2")) flag++; if (deb_check(release:"9.0", prefix:"libtiff5-dev", reference:"4.0.8-2+deb9u2")) flag++; if (deb_check(release:"9.0", prefix:"libtiffxx5", reference:"4.0.8-2+deb9u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-3327-1.NASL description This update for tiff fixes the following issues : Security issue fixed : CVE-2018-10779: TIFFWriteScanline in tif_write.c had a heap-based buffer over-read, as demonstrated by bmp2tiff.(bsc#1092480) CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2019-01-02 plugin id 120140 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120140 title SUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:3327-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-2_0-0007.NASL description An update of 'krb5', 'libjpeg-turbo', 'libtiff' packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111905 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111905 title Photon OS 2.0: Krb5 / Libjpeg / Libtiff PHSA-2017-2.0-0007 (deprecated) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1857.NASL description According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.(CVE-2017-9935) - LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.(CVE-2018-5360) - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2017-17095) - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff.(CVE-2018-10779) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-09-17 plugin id 128909 published 2019-09-17 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128909 title EulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-1857) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-443.NASL description This update for tiff fixes the following issues : - CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077) - CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318) - CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-05-11 plugin id 109716 published 2018-05-11 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109716 title openSUSE Security Update : tiff (openSUSE-2018-443) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B38E8150053511E896AB0800271D4B9C.NASL description Debian Security Advisory reports : Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code. last seen 2020-06-01 modified 2020-06-02 plugin id 106700 published 2018-02-09 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106700 title FreeBSD : tiff -- multiple vulnerabilities (b38e8150-0535-11e8-96ab-0800271d4b9c) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-847.NASL description This update for tiff fixes the following issues : Security issue fixed : - CVE-2018-10779: TIFFWriteScanline in tif_write.c had a heap-based buffer over-read, as demonstrated by bmp2tiff.(bsc#1092480) - CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) - CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) - CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 123354 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123354 title openSUSE Security Update : tiff (openSUSE-2019-847) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1180-1.NASL description This update for tiff fixes the following issues : - CVE-2017-9935: There was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077) - CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318) - CVE-2018-5784: There is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries (bsc#1081690) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109675 published 2018-05-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109675 title SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:1180-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1700.NASL description According to the version of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.(CVE-2017-9935) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 126542 published 2019-07-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126542 title EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2019-1700) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1249.NASL description This update for tiff fixes the following issues : - CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) - CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) - CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2018-10-25 plugin id 118384 published 2018-10-25 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118384 title openSUSE Security Update : tiff (openSUSE-2018-1249) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1683.NASL description According to the version of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.(CVE-2017-9935) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2019-07-02 plugin id 126424 published 2019-07-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126424 title EulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-1683) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1242.NASL description This update for tiff fixes the following issues : Security issue fixed : - CVE-2018-10779: TIFFWriteScanline in tif_write.c had a heap-based buffer over-read, as demonstrated by bmp2tiff.(bsc#1092480) - CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) - CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) - CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) - CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-05 modified 2018-10-25 plugin id 118378 published 2018-10-25 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118378 title openSUSE Security Update : tiff (openSUSE-2018-1242) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1179-1.NASL description This update for tiff fixes the following issues : - CVE-2016-9453: The t2p_readwrite_pdf_image_tile function allowed remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one (bsc#1011107). - CVE-2016-5652: An exploitable heap-based buffer overflow existed in the handling of TIFF images in the TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means (bsc#1007280). - CVE-2017-11335: There is a heap-based buffer overflow in tools/tiff2pdf.c via a PlanarConfig=Contig image, which caused a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack (bsc#1048937). - CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka last seen 2020-06-01 modified 2020-06-02 plugin id 109674 published 2018-05-10 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109674 title SUSE SLES11 Security Update : tiff (SUSE-SU-2018:1179-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3606-1.NASL description It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108657 published 2018-03-27 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108657 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : tiff vulnerabilities (USN-3606-1) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-2_0-0007_LIBTIFF.NASL description An update of the libtiff package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121790 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121790 title Photon OS 2.0: Libtiff PHSA-2017-2.0-0007 NASL family Fedora Local Security Checks NASL id FEDORA_2018-44C6F91560.NASL description Added fixes for : - **CVE-2017-9935** - **CVE-2017-18013** - **CVE-2018-8905** - **CVE-2018-10963** Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-06-07 plugin id 110388 published 2018-06-07 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110388 title Fedora 27 : libtiff (2018-44c6f91560) NASL family Fedora Local Security Checks NASL id FEDORA_2018-D41D114D3E.NASL description Added fixes for : - **CVE-2017-9935** - **CVE-2017-18013** - **CVE-2018-8905** - **CVE-2018-10963** Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120824 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120824 title Fedora 28 : libtiff (2018-d41d114d3e) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016.NASL description An update of {'linux', 'curl', 'binutils', 'postgresql', 'libtiff'} packages of Photon OS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111286 published 2018-07-24 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111286 title Photon OS 2.0 : Linux / Postgresql / Binutils / Curl / Libtiff (PhotonOS-PHSA-2018-2.0-0016) (deprecated) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-3391-1.NASL description This update for tiff fixes the following issues : CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 118391 published 2018-10-25 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118391 title SUSE SLES11 Security Update : tiff (SUSE-SU-2018:3391-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-3289-1.NASL description This update for tiff fixes the following issues : CVE-2018-17100: There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108637) CVE-2018-17101: There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (bsc#1108627) CVE-2018-17795: The function t2p_write_pdf in tiff2pdf.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935. (bsc#1110358) CVE-2018-16335: newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, as demonstrated by tiff2pdf. This is a different vulnerability than CVE-2018-15209. (bsc#1106853) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 118321 published 2018-10-23 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118321 title SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:3289-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2056.NASL description According to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.(CVE-2017-9935) - LibTIFF before 4.0.6 mishandles the reading of TIFF files, as demonstrated by a heap-based buffer over-read in the ReadTIFFImage function in coders/tiff.c in GraphicsMagick 1.3.27.(CVE-2018-5360) - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2017-17095) - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff.(CVE-2018-10779) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-09-24 plugin id 129249 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129249 title EulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2056) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2018-2_0-0016_LIBTIFF.NASL description An update of the libtiff package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121917 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121917 title Photon OS 2.0: Libtiff PHSA-2018-2.0-0016