Vulnerabilities > CVE-2018-18661 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
libtiff
canonical
CWE-476
nessus

Summary

An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2053.NASL
    descriptionAn update for libtiff is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es) : * libtiff: buffer overflow in gif2tiff (CVE-2016-3186) * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900) * libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557) * libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456) * libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905) * libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779) * libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963) * libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100) * libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/ pal2rgb.c (CVE-2018-17101) * libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127662
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127662
    titleRHEL 7 : libtiff (RHSA-2019:2053)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2053. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127662);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/24 15:35:47");
    
      script_cve_id("CVE-2016-3186", "CVE-2018-10779", "CVE-2018-10963", "CVE-2018-12900", "CVE-2018-17100", "CVE-2018-17101", "CVE-2018-18557", "CVE-2018-18661", "CVE-2018-7456", "CVE-2018-8905");
      script_xref(name:"RHSA", value:"2019:2053");
    
      script_name(english:"RHEL 7 : libtiff (RHSA-2019:2053)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for libtiff is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The libtiff packages contain a library of functions for manipulating
    Tagged Image File Format (TIFF) files.
    
    Security Fix(es) :
    
    * libtiff: buffer overflow in gif2tiff (CVE-2016-3186)
    
    * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf
    function resulting in a denial of service or possibly code execution
    (CVE-2018-12900)
    
    * libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557)
    
    * libtiff: NULL pointer dereference in
    tif_print.c:TIFFPrintDirectory() causes a denial of service
    (CVE-2018-7456)
    
    * libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat()
    allows for denial of service (CVE-2018-8905)
    
    * libtiff: heap-based buffer over-read in TIFFWriteScanline function
    in tif_write.c (CVE-2018-10779)
    
    * libtiff: reachable assertion in TIFFWriteDirectorySec function in
    tif_dirwrite.c (CVE-2018-10963)
    
    * libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c
    (CVE-2018-17100)
    
    * libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and
    tools/ pal2rgb.c (CVE-2018-17101)
    
    * libtiff: tiff2bw tool failed memory allocation leads to crash
    (CVE-2018-18661)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.7 Release Notes linked from the References section."
      );
      # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2053"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3186"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7456"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8905"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10963"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-12900"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-17100"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-17101"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18557"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18661"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2053";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", reference:"libtiff-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"libtiff-debuginfo-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"libtiff-devel-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"libtiff-static-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libtiff-tools-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libtiff-tools-4.0.3-32.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff / libtiff-debuginfo / libtiff-devel / libtiff-static / etc");
      }
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0227_LIBTIFF.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libtiff packages installed that are affected by multiple vulnerabilities: - Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. (CVE-2016-3186) - Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. (CVE-2018-12900) - The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963) - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. (CVE-2018-10779) - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905) - A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456) - An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17100) - An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17101) - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily- sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write. (CVE-2018-18557) - An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. (CVE-2018-18661) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132506
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132506
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : libtiff Multiple Vulnerabilities (NS-SA-2019-0227)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0227. The text
    # itself is copyright (C) ZTE, Inc.
    
    include('compat.inc');
    
    if (description)
    {
      script_id(132506);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id(
        "CVE-2016-3186",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-12900",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661"
      );
      script_bugtraq_id(
        85744,
        104089,
        105370,
        105749,
        105762,
        107658
      );
    
      script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : libtiff Multiple Vulnerabilities (NS-SA-2019-0227)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libtiff packages installed that are affected
    by multiple vulnerabilities:
    
      - Buffer overflow in the readextension function in
        gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to
        cause a denial of service (application crash) via a
        crafted GIF file. (CVE-2016-3186)
    
      - Heap-based buffer overflow in the
        cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF
        4.0.9 allows remote attackers to cause a denial of
        service (crash) or possibly have unspecified other
        impact via a crafted TIFF file. (CVE-2018-12900)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726. (CVE-2018-10963)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff. (CVE-2018-10779)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in
        the function LZWDecodeCompat in tif_lzw.c via a crafted
        TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.) (CVE-2018-7456)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c, which
        can cause a denial of service (crash) or possibly have
        unspecified other impact via a crafted image file.
        (CVE-2018-17100)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file. (CVE-2018-17101)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-
        sized JBIG into a buffer, ignoring the buffer size,
        which leads to a tif_jbig.c JBIGDecode out-of-bounds
        write. (CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c. (CVE-2018-18661)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0227");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL libtiff packages. Note that updated packages may not be available yet. Please contact ZTE
    for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8905");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.05" &&
        release !~ "CGSL MAIN 5.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.05": [
        "libtiff-4.0.3-32.el7",
        "libtiff-debuginfo-4.0.3-32.el7",
        "libtiff-devel-4.0.3-32.el7",
        "libtiff-static-4.0.3-32.el7",
        "libtiff-tools-4.0.3-32.el7"
      ],
      "CGSL MAIN 5.05": [
        "libtiff-4.0.3-32.el7",
        "libtiff-debuginfo-4.0.3-32.el7",
        "libtiff-devel-4.0.3-32.el7",
        "libtiff-static-4.0.3-32.el7",
        "libtiff-tools-4.0.3-32.el7"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2621.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.(CVE-2017-16232) - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash.(CVE-2019-14973) - An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.(CVE-2019-7663) - An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101) - An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100) - An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.(CVE-2018-18661) - Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file.(CVE-2016-5102) - Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2018-12900) - In LibTIFF 4.0.9, there is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.(CVE-2018-19210) - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in tif_dir.c, which might allow remote attackers to cause a denial of service (crash) via a crafted TIFF file.(CVE-2017-9147) - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557) - Stack-based buffer overflow in the _TIFFVGetField function in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted tiff.(CVE-2016-5318) - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-05-08
    modified2019-12-18
    plugin id132156
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132156
    titleEulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2621)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132156);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2017-16232",
        "CVE-2017-9147",
        "CVE-2018-10963",
        "CVE-2018-12900",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-19210",
        "CVE-2019-14973",
        "CVE-2019-17546",
        "CVE-2019-6128",
        "CVE-2019-7663"
      );
    
      script_name(english:"EulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2621)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - ** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak
        vulnerabilities, which allow attackers to cause a
        denial of service (memory consumption), as demonstrated
        by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third
        parties were unable to reproduce the
        issue.(CVE-2017-16232)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - An Invalid Address dereference was discovered in
        TIFFWriteDirectoryTagTransferfunction in
        libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the
        cpSeparateBufToContigBuf function in tiffcp.c. Remote
        attackers could leverage this vulnerability to cause a
        denial-of-service via a crafted tiff file. This is
        different from CVE-2018-12900.(CVE-2019-7663)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - Heap-based buffer overflow in the
        cpSeparateBufToContigBuf function in tiffcp.c in
        LibTIFF 4.0.9 allows remote attackers to cause a denial
        of service (crash) or possibly have unspecified other
        impact via a crafted TIFF file.(CVE-2018-12900)
    
      - In LibTIFF 4.0.9, there is a NULL pointer dereference
        in the TIFFWriteDirectorySec function in tif_dirwrite.c
        that will lead to a denial of service attack, as
        demonstrated by tiffset.(CVE-2018-19210)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - The TIFFFdOpen function in tif_unix.c in LibTIFF 4.0.10
        has a memory leak, as demonstrated by
        pal2rgb.(CVE-2019-6128)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2621
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f75a97ab");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h18",
            "libtiff-devel-4.0.3-27.h18"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1235.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-03-19
    modified2020-03-13
    plugin id134524
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134524
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134524);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff package installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - An out-of-bounds heap read was discovered in libtiff. A
        crafted file could cause the application to crash or,
        potentially, disclose process memory.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1235
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?470ca94b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-2009.NASL
    descriptionSeveral issues have been found in tiff, a Tag Image File Format library. CVE-2019-17546 The RGBA interface contains an integer overflow that might lead to heap buffer overflow write. CVE-2019-6128 A memory leak exists due to missing cleanup code. CVE-2018-18661 In case of exhausted memory there is a NULL pointer dereference in tiff2bw. CVE-2018-12900 Fix for heap-based buffer overflow, that could be used to crash an application or even to execute arbitrary code (with the permission of the user running this application). CVE-2017-17095 A crafted tiff file could lead to a heap buffer overflow in pal2rgb. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id131328
    published2019-11-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131328
    titleDebian DLA-2009-1 : tiff security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3911-2.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed: asan_build: build ASAN included debug_build: build more suitable for debugging Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119555
    published2018-12-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119555
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:3911-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3879-1.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). CVE-2017-9147: Fixed invalid read in the _TIFFVGetField function in tif_dir.c, that allowed remote attackers to cause a DoS via acrafted TIFF file (bsc#1040322). CVE-2017-9117: Fixed BMP images processing that was verified without biWidth and biHeight values (bsc#1040080). CVE-2017-17942: Fixed issue in the function PackBitsEncode that could have led to a heap overflow and caused a DoS (bsc#1074186). CVE-2016-9273: Fixed heap-based buffer overflow issue (bsc#1010163). CVE-2016-5319: Fixed heap-based buffer overflow in PackBitsEncode (bsc#983440). CVE-2016-3621: Fixed out-of-bounds read in the bmp2tiff tool (lzw packing) (bsc#974448). CVE-2016-3620: Fixed out-of-bounds read in the bmp2tiff tool (zip packing) (bsc#974447) CVE-2016-3619: Fixed out-of-bounds read in the bmp2tiff tool (none packing) (bsc#974446) CVE-2015-8870: Fixed integer overflow in tools/bmp2tiff.c that allowed remote attackers to causea DOS (bsc#1014461). Non-security issues fixed: asan_build: build ASAN included debug_build: build more suitable for debugging Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119143
    published2018-11-26
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119143
    titleSUSE SLES11 Security Update : tiff (SUSE-SU-2018:3879-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1447.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2017-17095) - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-04-30
    modified2020-04-16
    plugin id135609
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135609
    titleEulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2020-1447)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-67A6BF4AC1.NASL
    descriptionNew release with a lot of security fixes: http://www.simplesystems.org/libtiff/v4.0.10.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120487
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120487
    titleFedora 28 : libtiff (2018-67a6bf4ac1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1480.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : - CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). - CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). - CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed : - asan_build: build ASAN included - debug_build: build more suitable for debugging This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-05
    modified2018-11-30
    plugin id119298
    published2018-11-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119298
    titleopenSUSE Security Update : tiff (openSUSE-2018-1480)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2466.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF format image files. Security Fix(es):There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727)The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592)An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100)tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593)The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594)The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595)LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-12-04
    plugin id131619
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131619
    titleEulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-2466)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2053.NASL
    descriptionAn update for libtiff is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es) : * libtiff: buffer overflow in gif2tiff (CVE-2016-3186) * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900) * libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557) * libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456) * libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905) * libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779) * libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963) * libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100) * libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/ pal2rgb.c (CVE-2018-17101) * libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128343
    published2019-08-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128343
    titleCentOS 7 : libtiff (CESA-2019:2053)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3911-1.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed: asan_build: build ASAN included debug_build: build more suitable for debugging Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119214
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119214
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:3911-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3864-1.NASL
    descriptionIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id121329
    published2019-01-23
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121329
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : tiff vulnerabilities (USN-3864-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-BD18C784DE.NASL
    descriptionNew release with a lot of security fixes: http://www.simplesystems.org/libtiff/v4.0.10.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120748
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120748
    titleFedora 29 : libtiff (2018-bd18c784de)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-316-01.NASL
    descriptionNew libtiff packages are available for Slackware 14.2 and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118903
    published2018-11-13
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118903
    titleSlackware 14.2 / current : libtiff (SSA:2018-316-01)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0185_LIBTIFF.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libtiff packages installed that are affected by multiple vulnerabilities: - Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. (CVE-2016-3186) - Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. (CVE-2018-12900) - The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963) - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. (CVE-2018-10779) - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905) - A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456) - An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17100) - An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17101) - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily- sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write. (CVE-2018-18557) - An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. (CVE-2018-18661) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id129913
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129913
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : libtiff Multiple Vulnerabilities (NS-SA-2019-0185)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0118_LIBTIFF.NASL
    descriptionAn update of the libtiff package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id122024
    published2019-02-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122024
    titlePhoton OS 2.0: Libtiff PHSA-2019-2.0-0118
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2209.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-05-08
    modified2019-11-08
    plugin id130671
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130671
    titleEulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-2209)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1306.NASL
    descriptionBuffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.(CVE-2016-3186) An integer overflow has been discovered in libtiff in TIFFSetupStrips:tif_write.c, which could lead to a heap-based buffer overflow in TIFFWriteScanline:tif_write.c. An attacker may use this vulnerability to corrupt memory or cause Denial of Service.(CVE-2018-10779) The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726 .(CVE-2018-10963) Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2018-12900) An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100) An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101) LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557) An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.(CVE-2018-18661) A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 . (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)(CVE-2018-7456) In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.(CVE-2018-8905)
    last seen2020-06-01
    modified2020-06-02
    plugin id129796
    published2019-10-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129796
    titleAmazon Linux AMI : libtiff (ALAS-2019-1306)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1327.NASL
    descriptionBuffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.(CVE-2016-3186) An integer overflow has been discovered in libtiff in TIFFSetupStrips:tif_write.c, which could lead to a heap-based buffer overflow in TIFFWriteScanline:tif_write.c. An attacker may use this vulnerability to corrupt memory or cause Denial of Service.(CVE-2018-10779) The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726 . (CVE-2018-10963) Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2018-12900) An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100) An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101) LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557) An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.(CVE-2018-18661) A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 . (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)(CVE-2018-7456) In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.(CVE-2018-8905)
    last seen2020-06-01
    modified2020-06-02
    plugin id130223
    published2019-10-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130223
    titleAmazon Linux 2 : libtiff (ALAS-2019-1327)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-399BCE9F8F.NASL
    descriptionNew release with a lot of security fixes: http://www.simplesystems.org/libtiff/v4.0.10.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-11-26
    plugin id119126
    published2018-11-26
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119126
    titleFedora 27 : libtiff (2018-399bce9f8f)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1479.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : - CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). - CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). - CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed : - asan_build: build ASAN included - debug_build: build more suitable for debugging This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-11-30
    plugin id119297
    published2018-11-30
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119297
    titleopenSUSE Security Update : tiff (openSUSE-2018-1479)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-3925-1.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed: asan_build: build ASAN included debug_build: build more suitable for debugging Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id120170
    published2019-01-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120170
    titleSUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:3925-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-962.NASL
    descriptionThis update for tiff fixes the following issues : Security issues fixed : - CVE-2018-12900: Fixed heap-based buffer overflow in the cpSeparateBufToContigBuf (bsc#1099257). - CVE-2018-18661: Fixed NULL pointer dereference in the function LZWDecode in the file tif_lzw.c (bsc#1113672). - CVE-2018-18557: Fixed JBIG decode can lead to out-of-bounds write (bsc#1113094). Non-security issues fixed : - asan_build: build ASAN included - debug_build: build more suitable for debugging This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123390
    published2019-03-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123390
    titleopenSUSE Security Update : tiff (openSUSE-2019-962)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190806_LIBTIFF_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - libtiff: buffer overflow in gif2tiff (CVE-2016-3186) - libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900) - libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557) - libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456) - libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905) - libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779) - libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963) - libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100) - libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c (CVE-2018-17101) - libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661)
    last seen2020-03-18
    modified2019-08-27
    plugin id128236
    published2019-08-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128236
    titleScientific Linux Security Update : libtiff on SL7.x x86_64 (20190806)

Redhat

advisories
rhsa
idRHSA-2019:2053
rpms
  • libtiff-0:4.0.3-32.el7
  • libtiff-debuginfo-0:4.0.3-32.el7
  • libtiff-devel-0:4.0.3-32.el7
  • libtiff-static-0:4.0.3-32.el7
  • libtiff-tools-0:4.0.3-32.el7