Vulnerabilities > CVE-2018-8905 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
libtiff
debian
canonical
redhat
CWE-787
nessus

Summary

In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2053.NASL
    descriptionAn update for libtiff is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es) : * libtiff: buffer overflow in gif2tiff (CVE-2016-3186) * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900) * libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557) * libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456) * libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905) * libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779) * libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963) * libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100) * libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/ pal2rgb.c (CVE-2018-17101) * libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127662
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127662
    titleRHEL 7 : libtiff (RHSA-2019:2053)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2053. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127662);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/24 15:35:47");
    
      script_cve_id("CVE-2016-3186", "CVE-2018-10779", "CVE-2018-10963", "CVE-2018-12900", "CVE-2018-17100", "CVE-2018-17101", "CVE-2018-18557", "CVE-2018-18661", "CVE-2018-7456", "CVE-2018-8905");
      script_xref(name:"RHSA", value:"2019:2053");
    
      script_name(english:"RHEL 7 : libtiff (RHSA-2019:2053)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for libtiff is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The libtiff packages contain a library of functions for manipulating
    Tagged Image File Format (TIFF) files.
    
    Security Fix(es) :
    
    * libtiff: buffer overflow in gif2tiff (CVE-2016-3186)
    
    * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf
    function resulting in a denial of service or possibly code execution
    (CVE-2018-12900)
    
    * libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557)
    
    * libtiff: NULL pointer dereference in
    tif_print.c:TIFFPrintDirectory() causes a denial of service
    (CVE-2018-7456)
    
    * libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat()
    allows for denial of service (CVE-2018-8905)
    
    * libtiff: heap-based buffer over-read in TIFFWriteScanline function
    in tif_write.c (CVE-2018-10779)
    
    * libtiff: reachable assertion in TIFFWriteDirectorySec function in
    tif_dirwrite.c (CVE-2018-10963)
    
    * libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c
    (CVE-2018-17100)
    
    * libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and
    tools/ pal2rgb.c (CVE-2018-17101)
    
    * libtiff: tiff2bw tool failed memory allocation leads to crash
    (CVE-2018-18661)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.7 Release Notes linked from the References section."
      );
      # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2053"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2016-3186"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-7456"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8905"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-10963"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-12900"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-17100"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-17101"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18557"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-18661"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libtiff-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2053";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", reference:"libtiff-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"libtiff-debuginfo-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"libtiff-devel-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"libtiff-static-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"libtiff-tools-4.0.3-32.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"libtiff-tools-4.0.3-32.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff / libtiff-debuginfo / libtiff-devel / libtiff-static / etc");
      }
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0227_LIBTIFF.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libtiff packages installed that are affected by multiple vulnerabilities: - Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. (CVE-2016-3186) - Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. (CVE-2018-12900) - The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963) - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. (CVE-2018-10779) - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905) - A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456) - An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17100) - An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17101) - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily- sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write. (CVE-2018-18557) - An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. (CVE-2018-18661) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132506
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132506
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : libtiff Multiple Vulnerabilities (NS-SA-2019-0227)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0227. The text
    # itself is copyright (C) ZTE, Inc.
    
    include('compat.inc');
    
    if (description)
    {
      script_id(132506);
      script_version("1.2");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id(
        "CVE-2016-3186",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-12900",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661"
      );
      script_bugtraq_id(
        85744,
        104089,
        105370,
        105749,
        105762,
        107658
      );
    
      script_name(english:"NewStart CGSL CORE 5.05 / MAIN 5.05 : libtiff Multiple Vulnerabilities (NS-SA-2019-0227)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has libtiff packages installed that are affected
    by multiple vulnerabilities:
    
      - Buffer overflow in the readextension function in
        gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to
        cause a denial of service (application crash) via a
        crafted GIF file. (CVE-2016-3186)
    
      - Heap-based buffer overflow in the
        cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF
        4.0.9 allows remote attackers to cause a denial of
        service (crash) or possibly have unspecified other
        impact via a crafted TIFF file. (CVE-2018-12900)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726. (CVE-2018-10963)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff. (CVE-2018-10779)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in
        the function LZWDecodeCompat in tif_lzw.c via a crafted
        TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.) (CVE-2018-7456)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c, which
        can cause a denial of service (crash) or possibly have
        unspecified other impact via a crafted image file.
        (CVE-2018-17100)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file. (CVE-2018-17101)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-
        sized JBIG into a buffer, ignoring the buffer size,
        which leads to a tif_jbig.c JBIGDecode out-of-bounds
        write. (CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c. (CVE-2018-18661)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0227");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL libtiff packages. Note that updated packages may not be available yet. Please contact ZTE
    for more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8905");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL CORE 5.05" &&
        release !~ "CGSL MAIN 5.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL CORE 5.05": [
        "libtiff-4.0.3-32.el7",
        "libtiff-debuginfo-4.0.3-32.el7",
        "libtiff-devel-4.0.3-32.el7",
        "libtiff-static-4.0.3-32.el7",
        "libtiff-tools-4.0.3-32.el7"
      ],
      "CGSL MAIN 5.05": [
        "libtiff-4.0.3-32.el7",
        "libtiff-debuginfo-4.0.3-32.el7",
        "libtiff-devel-4.0.3-32.el7",
        "libtiff-static-4.0.3-32.el7",
        "libtiff-tools-4.0.3-32.el7"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1235.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-03-19
    modified2020-03-13
    plugin id134524
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134524
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134524);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2016-10092",
        "CVE-2016-10266",
        "CVE-2016-10267",
        "CVE-2016-10268",
        "CVE-2016-10269",
        "CVE-2016-10270",
        "CVE-2016-10272",
        "CVE-2016-10371",
        "CVE-2016-3622",
        "CVE-2016-3623",
        "CVE-2016-3624",
        "CVE-2016-5102",
        "CVE-2016-5318",
        "CVE-2016-5321",
        "CVE-2016-5323",
        "CVE-2016-9273",
        "CVE-2016-9538",
        "CVE-2016-9539",
        "CVE-2017-10688",
        "CVE-2017-12944",
        "CVE-2017-13726",
        "CVE-2017-13727",
        "CVE-2017-7592",
        "CVE-2017-7593",
        "CVE-2017-7594",
        "CVE-2017-7595",
        "CVE-2017-7596",
        "CVE-2017-7597",
        "CVE-2017-7598",
        "CVE-2017-7599",
        "CVE-2017-7600",
        "CVE-2017-7601",
        "CVE-2017-7602",
        "CVE-2017-9117",
        "CVE-2017-9147",
        "CVE-2017-9403",
        "CVE-2017-9936",
        "CVE-2018-10779",
        "CVE-2018-10963",
        "CVE-2018-17100",
        "CVE-2018-17101",
        "CVE-2018-18557",
        "CVE-2018-18661",
        "CVE-2018-7456",
        "CVE-2018-8905",
        "CVE-2019-14973",
        "CVE-2019-17546"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : libtiff (EulerOS-SA-2020-1235)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the libtiff package installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - The _TIFFFax3fillruns function in libtiff before 4.0.6
        allows remote attackers to cause a denial of service
        (divide-by-zero error and application crash) via a
        crafted Tiff image.(CVE-2016-5323)
    
      - The cvtClump function in the rgb2ycbcr tool in LibTIFF
        4.0.6 and earlier allows remote attackers to cause a
        denial of service (out-of-bounds write) by setting the
        '-v' option to -1.(CVE-2016-3624)
    
      - The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows
        remote attackers to cause a denial of service
        (divide-by-zero) by setting the (1) v or (2) h
        parameter to 0.(CVE-2016-3623)
    
      - LibTIFF 4.0.9 (with JBIG enabled) decodes
        arbitrarily-sized JBIG into a buffer, ignoring the
        buffer size, which leads to a tif_jbig.c JBIGDecode
        out-of-bounds write.(CVE-2018-18557)
    
      - An issue was discovered in LibTIFF 4.0.9. There are two
        out-of-bounds writes in cpTags in tools/tiff2bw.c and
        tools/pal2rgb.c, which can cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image file.(CVE-2018-17101)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        int32 overflow in multiply_ms in tools/ppm2tiff.c,
        which can cause a denial of service (crash) or possibly
        have unspecified other impact via a crafted image
        file.(CVE-2018-17100)
    
      - In LibTIFF 4.0.9, a heap-based buffer overflow occurs
        in the function LZWDecodeCompat in tif_lzw.c via a
        crafted TIFF file, as demonstrated by
        tiff2ps.(CVE-2018-8905)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer overflow) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'WRITE of size 2048' and
        libtiff/tif_next.c:64:9.(CVE-2016-10272)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 8' and
        libtiff/tif_read.c:523:22.(CVE-2016-10270)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (heap-based buffer over-read) or possibly
        have unspecified other impact via a crafted TIFF image,
        related to 'READ of size 512' and
        libtiff/tif_unix.c:340:2.(CVE-2016-10269)
    
      - tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers
        to cause a denial of service (integer underflow and
        heap-based buffer under-read) or possibly have
        unspecified other impact via a crafted TIFF image,
        related to 'READ of size 78490' and
        libtiff/tif_unix.c:115:23.(CVE-2016-10268)
    
      - Heap-based buffer overflow in the
        readContigStripsIntoBuffer function in tif_unix.c in
        LibTIFF 4.0.7 allows remote attackers to have
        unspecified impact via a crafted image.(CVE-2016-10092)
    
      - The TIFFReadDirEntryArray function in tif_read.c in
        LibTIFF 4.0.8 mishandles memory allocation for short
        files, which allows remote attackers to cause a denial
        of service (allocation failure and application crash)
        in the TIFFFetchStripThing function in tif_dirread.c
        during a tiff2pdf invocation.(CVE-2017-12944)
    
      - In LibTIFF 4.0.8, there is a assertion abort in the
        TIFFWriteDirectoryTagCheckedLong8Array function in
        tif_dirwrite.c. A crafted input will lead to a remote
        denial of service attack.(CVE-2017-10688)
    
      - tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds
        read in readContigTilesIntoBuffer(). Reported as MSVR
        35092.(CVE-2016-9539)
    
      - tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
        buffer in readContigStripsIntoBuffer() because of a
        uint16 integer overflow. Reported as MSVR
        35100.(CVE-2016-9538)
    
      - LibTIFF 4.0.7 has a signed integer overflow, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7602)
    
      - LibTIFF 4.0.7 has a 'shift exponent too large for
        64-bit type long' undefined behavior issue, which might
        allow remote attackers to cause a denial of service
        (application crash) or possibly have unspecified other
        impact via a crafted image.(CVE-2017-7601)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type unsigned char' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7600)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type short' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7599)
    
      - tif_dirread.c in LibTIFF 4.0.7 might allow remote
        attackers to cause a denial of service (divide-by-zero
        error and application crash) via a crafted
        image.(CVE-2017-7598)
    
      - tif_dirread.c in LibTIFF 4.0.7 has an 'outside the
        range of representable values of type float' undefined
        behavior issue, which might allow remote attackers to
        cause a denial of service (application crash) or
        possibly have unspecified other impact via a crafted
        image.(CVE-2017-7597)
    
      - LibTIFF 4.0.7 has an 'outside the range of
        representable values of type float' undefined behavior
        issue, which might allow remote attackers to cause a
        denial of service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7596)
    
      - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF
        4.0.7 allows remote attackers to cause a denial of
        service (divide-by-zero error and application crash)
        via a crafted image.(CVE-2017-7595)
    
      - The putagreytile function in tif_getimage.c in LibTIFF
        4.0.7 has a left-shift undefined behavior issue, which
        might allow remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted
        image.(CVE-2017-7592)
    
      - In LibTIFF 4.0.7, the program processes BMP images
        without verifying that biWidth and biHeight in the
        bitmap-information header match the actual input,
        leading to a heap-based buffer over-read in
        bmp2tiff.(CVE-2017-9117)
    
      - The TIFFWriteDirectoryTagCheckedRational function in
        tif_dirwrite.c in LibTIFF 4.0.6 allows remote attackers
        to cause a denial of service (assertion failure and
        application exit) via a crafted TIFF
        file.(CVE-2016-10371)
    
      - The DumpModeDecode function in libtiff 4.0.6 and
        earlier allows attackers to cause a denial of service
        (invalid read and crash) via a crafted tiff
        image.(CVE-2016-5321)
    
      - The fpAcc function in tif_predict.c in the tiff2rgba
        tool in LibTIFF 4.0.6 and earlier allows remote
        attackers to cause a denial of service (divide-by-zero
        error) via a crafted TIFF image.(CVE-2016-3622)
    
      - The TIFFWriteDirectorySec() function in tif_dirwrite.c
        in LibTIFF through 4.0.9 allows remote attackers to
        cause a denial of service (assertion failure and
        application crash) via a crafted file, a different
        vulnerability than CVE-2017-13726.(CVE-2018-10963)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related
        to tif_dirwrite.c and a SubIFD tag. A crafted input
        will lead to a remote denial of service
        attack.(CVE-2017-13727)
    
      - There is a reachable assertion abort in the function
        TIFFWriteDirectorySec() in LibTIFF 4.0.8, related to
        tif_dirwrite.c and a SubIFD tag. A crafted input will
        lead to a remote denial of service
        attack.(CVE-2017-13726)
    
      - In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c.
        A crafted TIFF document can lead to a memory leak
        resulting in a remote denial of service
        attack.(CVE-2017-9936)
    
      - In LibTIFF 4.0.7, a memory leak vulnerability was found
        in the function TIFFReadDirEntryLong8Array in
        tif_dirread.c, which allows attackers to cause a denial
        of service via a crafted file.(CVE-2017-9403)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_ojpeg.c:816:8.(CVE-2016-10267)
    
      - An out-of-bounds heap read was discovered in libtiff. A
        crafted file could cause the application to crash or,
        potentially, disclose process memory.(CVE-2016-9273)
    
      - LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField
        function in tif_dir.c, which might allow remote
        attackers to cause a denial of service (crash) via a
        crafted TIFF file.(CVE-2017-9147)
    
      - Stack-based buffer overflow in the _TIFFVGetField
        function in libtiff 4.0.6 and earlier allows remote
        attackers to crash the application via a crafted
        tiff.(CVE-2016-5318)
    
      - An issue was discovered in LibTIFF 4.0.9. There is a
        NULL pointer dereference in the function LZWDecode in
        the file tif_lzw.c.(CVE-2018-18661)
    
      - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a
        heap-based buffer over-read, as demonstrated by
        bmp2tiff.(CVE-2018-10779)
    
      - The OJPEGReadHeaderInfoSecTablesDcTable function in
        tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to
        cause a denial of service (memory leak) via a crafted
        image.(CVE-2017-7594)
    
      - LibTIFF 4.0.7 allows remote attackers to cause a denial
        of service (divide-by-zero error and application crash)
        via a crafted TIFF image, related to
        libtiff/tif_read.c:351:22.(CVE-2016-10266)
    
      - Buffer overflow in the readgifimage function in
        gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows
        remote attackers to cause a denial of service
        (segmentation fault) via a crafted gif
        file.(CVE-2016-5102)
    
      - tif_read.c in LibTIFF 4.0.7 does not ensure that
        tif_rawdata is properly initialized, which might allow
        remote attackers to obtain sensitive information from
        process memory via a crafted image.(CVE-2017-7593)
    
      - A NULL Pointer Dereference occurs in the function
        TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when
        using the tiffinfo tool to print crafted TIFF
        information, a different vulnerability than
        CVE-2017-18013. (This affects an earlier part of the
        TIFFPrintDirectory function that was not addressed by
        the CVE-2017-18013 patch.)(CVE-2018-7456)
    
      - _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in
        LibTIFF through 4.0.10 mishandle Integer Overflow
        checks because they rely on compiler behavior that is
        undefined by the applicable C standards. This can, for
        example, lead to an application crash.(CVE-2019-14973)
    
      - tif_getimage.c in LibTIFF through 4.0.10, as used in
        GDAL through 3.0.1 and other products, has an integer
        overflow that potentially causes a heap-based buffer
        overflow via a crafted RGBA image, related to a
        'Negative-size-param' condition.(CVE-2019-17546)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1235
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?470ca94b");
      script_set_attribute(attribute:"solution", value:
    "Update the affected libtiff packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libtiff");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["libtiff-4.0.3-27.h22"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtiff");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-508.NASL
    descriptionThis update for tiff fixes the following security issues : These security issues were fixed : - CVE-2017-18013: Fixed a NULL pointer dereference in the tif_print.cTIFFPrintDirectory function that could have lead to denial of service (bsc#1074317). - CVE-2018-10963: Fixed an assertion failure in the TIFFWriteDirectorySec() function in tif_dirwrite.c, which allowed remote attackers to cause a denial of service via a crafted file (bsc#1092949). - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825). - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332). - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123213
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123213
    titleopenSUSE Security Update : tiff (openSUSE-2019-508)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4349.NASL
    descriptionMultiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
    last seen2020-06-01
    modified2020-06-02
    plugin id119314
    published2018-12-01
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119314
    titleDebian DSA-4349-1 : tiff - security update
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0048.NASL
    descriptionAn update of {'libtiff'} packages of Photon OS has been released.
    last seen2019-02-08
    modified2019-02-07
    plugin id111303
    published2018-07-24
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=111303
    titlePhoton OS 2.0 : libtiff (PhotonOS-PHSA-2018-2.0-0048) (deprecated)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1447.NASL
    descriptionAccording to the versions of the libtiff package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2017-17095) - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-04-30
    modified2020-04-16
    plugin id135609
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135609
    titleEulerOS Virtualization 3.0.2.2 : libtiff (EulerOS-SA-2020-1447)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1835-1.NASL
    descriptionThis update for tiff fixes the following security issues : - CVE-2017-5225: Prevent heap buffer overflow in the tools/tiffcp that could have caused DoS or code execution via a crafted BitsPerSample value (bsc#1019611) - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2016-10266: Prevent remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22 (bsc#1031263) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-9540: Prevent out-of-bounds write on tiled images with odd tile width versus image width (bsc#1011839). - CVE-2016-9535: tif_predict.h and tif_predict.c had assertions that could have lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling (bsc#1011846). - CVE-2016-9535: tif_predict.h and tif_predict.c had assertions that could have lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling (bsc#1011846). - Removed assert in readSeparateTilesIntoBuffer() function (bsc#1017689). - CVE-2016-10095: Prevent stack-based buffer overflow in the _TIFFVGetField function that allowed remote attackers to cause a denial of service (crash) via a crafted TIFF file (bsc#1017690). - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF
    last seen2020-06-01
    modified2020-06-02
    plugin id110803
    published2018-06-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110803
    titleSUSE SLES11 Security Update : tiff (SUSE-SU-2018:1835-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2466.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. TIFF is a widely used file format for bitmapped images. TIFF files usually end in the .tif extension and they are often quite large. The libtiff package should be installed if you need to manipulate TIFF format image files. Security Fix(es):There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727)The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592)An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100)tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593)The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594)The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595)LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-12-04
    plugin id131619
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131619
    titleEulerOS 2.0 SP2 : libtiff (EulerOS-SA-2019-2466)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2053.NASL
    descriptionAn update for libtiff is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files. Security Fix(es) : * libtiff: buffer overflow in gif2tiff (CVE-2016-3186) * libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900) * libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557) * libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456) * libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905) * libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779) * libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963) * libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100) * libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/ pal2rgb.c (CVE-2018-17101) * libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128343
    published2019-08-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128343
    titleCentOS 7 : libtiff (CESA-2019:2053)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-728.NASL
    descriptionThis update for tiff fixes the following security issues : These security issues were fixed : - CVE-2017-18013: Fixed a NULL pointer dereference in the tif_print.cTIFFPrintDirectory function that could have lead to denial of service (bsc#1074317). - CVE-2018-10963: Fixed an assertion failure in the TIFFWriteDirectorySec() function in tif_dirwrite.c, which allowed remote attackers to cause a denial of service via a crafted file (bsc#1092949). - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825). - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332). - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-05
    modified2018-07-16
    plugin id111099
    published2018-07-16
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111099
    titleopenSUSE Security Update : tiff (openSUSE-2018-728)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3864-1.NASL
    descriptionIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id121329
    published2019-01-23
    reporterUbuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121329
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : tiff vulnerabilities (USN-3864-1)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-316-01.NASL
    descriptionNew libtiff packages are available for Slackware 14.2 and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118903
    published2018-11-13
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118903
    titleSlackware 14.2 / current : libtiff (SSA:2018-316-01)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0185_LIBTIFF.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has libtiff packages installed that are affected by multiple vulnerabilities: - Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. (CVE-2016-3186) - Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file. (CVE-2018-12900) - The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963) - TIFFWriteScanline in tif_write.c in LibTIFF 3.8.2 has a heap-based buffer over-read, as demonstrated by bmp2tiff. (CVE-2018-10779) - In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905) - A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456) - An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17100) - An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file. (CVE-2018-17101) - LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily- sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write. (CVE-2018-18557) - An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. (CVE-2018-18661) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id129913
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129913
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : libtiff Multiple Vulnerabilities (NS-SA-2019-0185)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2209.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) - The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the
    last seen2020-05-08
    modified2019-11-08
    plugin id130671
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130671
    titleEulerOS 2.0 SP5 : libtiff (EulerOS-SA-2019-2209)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1889-1.NASL
    descriptionThis update for tiff fixes the following security issues: These security issues were fixed : - CVE-2017-18013: Fixed a NULL pointer dereference in the tif_print.cTIFFPrintDirectory function that could have lead to denial of service (bsc#1074317). - CVE-2018-10963: Fixed an assertion failure in the TIFFWriteDirectorySec() function in tif_dirwrite.c, which allowed remote attackers to cause a denial of service via a crafted file (bsc#1092949). - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825). - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332). - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120035
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120035
    titleSUSE SLED15 / SLES15 Security Update : tiff (SUSE-SU-2018:1889-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1306.NASL
    descriptionBuffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.(CVE-2016-3186) An integer overflow has been discovered in libtiff in TIFFSetupStrips:tif_write.c, which could lead to a heap-based buffer overflow in TIFFWriteScanline:tif_write.c. An attacker may use this vulnerability to corrupt memory or cause Denial of Service.(CVE-2018-10779) The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726 .(CVE-2018-10963) Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2018-12900) An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100) An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101) LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557) An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.(CVE-2018-18661) A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 . (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)(CVE-2018-7456) In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.(CVE-2018-8905)
    last seen2020-06-01
    modified2020-06-02
    plugin id129796
    published2019-10-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129796
    titleAmazon Linux AMI : libtiff (ALAS-2019-1306)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-677.NASL
    descriptionThis update for tiff fixes the following issues : These security issues were fixed : - CVE-2017-18013: There was a NULL pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (bsc#1074317) - CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (bsc#1092949) - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF
    last seen2020-06-05
    modified2018-06-29
    plugin id110802
    published2018-06-29
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110802
    titleopenSUSE Security Update : tiff (openSUSE-2018-677)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1377.NASL
    descriptionA heap-based buffer overflow was discovered in the LZWDecodeCompat function in tif_lzw.c (LibTIFF 4.0.9 and earlier). This vulnerability might be leveraged by remote attackers to crash the client via a crafted TIFF LZW file. For Debian 7
    last seen2020-03-17
    modified2018-05-14
    plugin id109737
    published2018-05-14
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109737
    titleDebian DLA-1377-1 : tiff security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-44C6F91560.NASL
    descriptionAdded fixes for : - **CVE-2017-9935** - **CVE-2017-18013** - **CVE-2018-8905** - **CVE-2018-10963** Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-06-07
    plugin id110388
    published2018-06-07
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110388
    titleFedora 27 : libtiff (2018-44c6f91560)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1327.NASL
    descriptionBuffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.(CVE-2016-3186) An integer overflow has been discovered in libtiff in TIFFSetupStrips:tif_write.c, which could lead to a heap-based buffer overflow in TIFFWriteScanline:tif_write.c. An attacker may use this vulnerability to corrupt memory or cause Denial of Service.(CVE-2018-10779) The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726 . (CVE-2018-10963) Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.(CVE-2018-12900) An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100) An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101) LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557) An issue was discovered in LibTIFF 4.0.9. There is a NULL pointer dereference in the function LZWDecode in the file tif_lzw.c.(CVE-2018-18661) A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 . (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)(CVE-2018-7456) In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.(CVE-2018-8905)
    last seen2020-06-01
    modified2020-06-02
    plugin id130223
    published2019-10-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130223
    titleAmazon Linux 2 : libtiff (ALAS-2019-1327)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1378.NASL
    descriptionA heap-based buffer overflow was discovered in the LZWDecodeCompat function in tif_lzw.c (LibTIFF 4.0.9 and earlier). This vulnerability might be leveraged by remote attackers to crash the client via a crafted TIFF LZW file. For Debian 7
    last seen2020-03-17
    modified2018-05-14
    plugin id109738
    published2018-05-14
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109738
    titleDebian DLA-1378-1 : tiff3 security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-D41D114D3E.NASL
    descriptionAdded fixes for : - **CVE-2017-9935** - **CVE-2017-18013** - **CVE-2018-8905** - **CVE-2018-10963** Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120824
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120824
    titleFedora 28 : libtiff (2018-d41d114d3e)
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2018-2_0-0048_LIBTIFF.NASL
    descriptionAn update of the libtiff package has been released.
    last seen2020-03-17
    modified2019-02-07
    plugin id121946
    published2019-02-07
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121946
    titlePhoton OS 2.0: Libtiff PHSA-2018-2.0-0048
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2265.NASL
    descriptionAccording to the versions of the libtiff packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - There is a reachable assertion abort in the function TIFFWriteDirectoryTagSubifd() in LibTIFF 4.0.8, related to tif_dirwrite.c and a SubIFD tag. A crafted input will lead to a remote denial of service attack.(CVE-2017-13727) - The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.(CVE-2017-7592) - tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image.(CVE-2017-7593) - The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image.(CVE-2017-7594) - The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.(CVE-2017-7595) - LibTIFF 4.0.7 has an
    last seen2020-05-08
    modified2019-11-08
    plugin id130727
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130727
    titleEulerOS 2.0 SP3 : libtiff (EulerOS-SA-2019-2265)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1826-1.NASL
    descriptionThis update for tiff fixes the following issues: These security issues were fixed : - CVE-2017-18013: There was a NULL pointer Dereference in the tif_print.c TIFFPrintDirectory function, as demonstrated by a tiffinfo crash. (bsc#1074317) - CVE-2018-10963: The TIFFWriteDirectorySec() function in tif_dirwrite.c allowed remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (bsc#1092949) - CVE-2018-7456: Prevent a NULL pointer dereference in the function TIFFPrintDirectory when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013 (bsc#1082825) - CVE-2017-11613: Prevent denial of service in the TIFFOpen function. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer (bsc#1082332) - CVE-2018-8905: Prevent heap-based buffer overflow in the function LZWDecodeCompat via a crafted TIFF file (bsc#1086408) - CVE-2016-8331: Prevent remote code execution because of incorrect handling of TIFF images. A crafted TIFF document could have lead to a type confusion vulnerability resulting in remote code execution. This vulnerability could have been be triggered via a TIFF file delivered to the application using LibTIFF
    last seen2020-06-01
    modified2020-06-02
    plugin id110763
    published2018-06-28
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110763
    titleSUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2018:1826-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1411.NASL
    descriptionSeveral issues were discovered in TIFF, the Tag Image File Format library, that allowed remote attackers to cause a denial of service or other unspecified impact via a crafted image file. CVE-2017-11613: DoS vulnerability A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer. CVE-2018-10963: DoS vulnerability The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. CVE-2018-5784: DoS vulnerability In LibTIFF, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries. CVE-2018-7456: NULL pointer Dereference A NULL pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) CVE-2018-8905: Heap-based buffer overflow In LibTIFF, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id110840
    published2018-07-03
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110840
    titleDebian DLA-1411-1 : tiff security update
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190806_LIBTIFF_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - libtiff: buffer overflow in gif2tiff (CVE-2016-3186) - libtiff: Heap-based buffer overflow in the cpSeparateBufToContigBuf function resulting in a denial of service or possibly code execution (CVE-2018-12900) - libtiff: Out-of-bounds write in tif_jbig.c (CVE-2018-18557) - libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456) - libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905) - libtiff: heap-based buffer over-read in TIFFWriteScanline function in tif_write.c (CVE-2018-10779) - libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963) - libtiff: Integer overflow in multiply_ms in tools/ppm2tiff.c (CVE-2018-17100) - libtiff: Two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c (CVE-2018-17101) - libtiff: tiff2bw tool failed memory allocation leads to crash (CVE-2018-18661)
    last seen2020-03-18
    modified2019-08-27
    plugin id128236
    published2019-08-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128236
    titleScientific Linux Security Update : libtiff on SL7.x x86_64 (20190806)

Redhat

advisories
bugzilla
id1644448
titleCVE-2018-18661 libtiff: tiff2bw tool failed memory allocation leads to crash
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentlibtiff is earlier than 0:4.0.3-32.el7
          ovaloval:com.redhat.rhsa:tst:20192053001
        • commentlibtiff is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110318016
      • AND
        • commentlibtiff-devel is earlier than 0:4.0.3-32.el7
          ovaloval:com.redhat.rhsa:tst:20192053003
        • commentlibtiff-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110318014
      • AND
        • commentlibtiff-static is earlier than 0:4.0.3-32.el7
          ovaloval:com.redhat.rhsa:tst:20192053005
        • commentlibtiff-static is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20110318012
      • AND
        • commentlibtiff-tools is earlier than 0:4.0.3-32.el7
          ovaloval:com.redhat.rhsa:tst:20192053007
        • commentlibtiff-tools is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20161546006
rhsa
idRHSA-2019:2053
released2019-08-06
severityModerate
titleRHSA-2019:2053: libtiff security update (Moderate)
rpms
  • libtiff-0:4.0.3-32.el7
  • libtiff-debuginfo-0:4.0.3-32.el7
  • libtiff-devel-0:4.0.3-32.el7
  • libtiff-static-0:4.0.3-32.el7
  • libtiff-tools-0:4.0.3-32.el7