[manjaro-security] [arch-security] [ASA-201611-26] libtiff: multiple issues

Levente Polyak anthraxx at archlinux.org
Fri Nov 25 23:32:57 CET 2016


Arch Linux Security Advisory ASA-201611-26
==========================================

Severity: Critical
Date    : 2016-11-25
CVE-ID  : CVE-2010-2596 CVE-2014-8127 CVE-2014-8130 CVE-2015-7313
          CVE-2015-8665 CVE-2015-8668 CVE-2015-8683 CVE-2016-3186
          CVE-2016-3619 CVE-2016-3620 CVE-2016-3621 CVE-2016-3622
          CVE-2016-3623 CVE-2016-3624 CVE-2016-3625 CVE-2016-3631
          CVE-2016-3632 CVE-2016-3633 CVE-2016-3634 CVE-2016-3658
          CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 CVE-2016-5102
          CVE-2016-5314 CVE-2016-5315 CVE-2016-5316 CVE-2016-5317
          CVE-2016-5318 CVE-2016-5319 CVE-2016-5320 CVE-2016-5321
          CVE-2016-5322 CVE-2016-5323 CVE-2016-5652 CVE-2016-5875
          CVE-2016-6223 CVE-2016-9273 CVE-2016-9297 CVE-2016-9448
          CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534
          CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538
          CVE-2016-9539 CVE-2016-9540
Package : libtiff
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libtiff before version 4.0.7-1 is vulnerable to multiple
issues including arbitrary code execution, denial of service and
information disclosure.

Resolution
==========

Upgrade to 4.0.7-1.

# pacman -Syu "libtiff>=4.0.7-1"

The problems have been fixed upstream in version 4.0.7.

Workaround
==========

None.

Description
===========

- CVE-2010-2596 (denial of service)

The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2,
as used in tiff2ps, allows remote attackers to cause a denial of
service (assertion failure and application exit) via a crafted TIFF
image, related to "downsampled OJPEG input."

- CVE-2014-8127 (information disclosure)

LibTIFF provides support for the Tag Image File Format (TIFF), a widely
used format for storing image data. It is composed of a library for
working with TIFF files along with a small collection of tools for
doing simple manipulations of TIFF images.
Multiple out-of-bounds reads can be triggered with malformed TIFF
images in the following LibTIFF tools: thumbnail, tiff2bw, tiff2rgba,
tiff2ps, tiffdither, tiffmedian, tiffset

- CVE-2014-8130 (denial of service)

A floating point exception due to a division by zero in the tiffdither
tool can be triggered with a malformed TIFF file leading to denial of
service.

- CVE-2015-7313 (denial of service)

A denial of service flaw was found in the way libtiff parsed certain
tiff files. An attacker could use this flaw to create a specially
crafted TIFF file that would cause an application using libtiff to
exhaust all available memory on the system.

- CVE-2015-8665 (denial of service)

tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a
denial of service (out-of-bounds read) via the SamplesPerPixel tag in a
TIFF image.

- CVE-2015-8668 (arbitrary code execution)

Heap-based buffer overflow in the PackBitsPreEncode function in
tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote
attackers to execute arbitrary code or cause a denial of service via a
large width field in a BMP image.

- CVE-2015-8683 (denial of service)

An out-of-bounds read flaw was found in the way libtiff processed CIE
Lab image format files. An attacker could create a specially crafted
CIE Lab image file which could cause libtiff to crash.

- CVE-2016-3186 (denial of service)

A buffer overflow vulnerability was reported in the libtiff library, in
the readextension function of the gif2tiff component. A maliciously
crafted GIF file could cause the application to crash, resulting in a
denial of service.

- CVE-2016-3619 (denial of service)

An out-of-bounds read vulnerability has been discovered in the
DumpModeEncode function when handling maliciously crafted BMP files,
during a _TIFFmemcpy operation. An attacker could exploit this issue to
cause a denial of service.

- CVE-2016-3620 (denial of service)

An out-of-bounds read vulnerability has been discovered in the
ZIPEncode function in tif_zip.c. Running bmp2tiff on a specially
crafted BMP file results in an application crash.

- CVE-2016-3621 (denial of service)

The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF
4.0.6 and earlier, when the "-c lzw" option is used, allows remote
attackers to cause a denial of service (buffer over-read) via a crafted
BMP image.

- CVE-2016-3622 (denial of service)

A division-by-zero vulnerability was found in the fpAcc function in
tif_predict.c in tiff2rgba, allowing an attacker to cause a denial of
service via a crafted TIFF image.

- CVE-2016-3623 (denial of service)

A division-by-zero vulnerability was found in the cvtRaster function in
rgb2ycbcr.c, allowing an attacker to cause a denial of service via a
crafted TIFF image.

- CVE-2016-3624 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the cvtClump function
in rgb2ycbcr.c, allowing an attacker to cause a denial of service or
possibly execute arbitrary code via a crafted TIFF image.

- CVE-2016-3625 (denial of service)

An out-of-bounds read vulnerability was found in tif_read.c in tiff2bw,
allowing an attacker to cause a denial of service via a crafted TIFF
image.

- CVE-2016-3631 (denial of service)

The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in
LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of
service (out-of-bounds read) via vectors related to the bytecounts[]
array variable.

- CVE-2016-3632 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the _TIFFVGetField
function in tif_dirinfo.c, allowing an attacker to cause a denial of
service or code execution via a crafted TIFF image.

- CVE-2016-3633 (denial of service)

An out-of-bounds read vulnerability was found in the _setrow function
in the libtiff library. Using a thumbnail command on a maliciously
crafted image could cause the application to crash.

- CVE-2016-3634 (denial of service)

A vulnerability was found in the libtiff library. Using the tagCompare
function with the thumbnail command on a maliciously crafted tiff file
could cause an out-of-bounds read leading to application crash.

- CVE-2016-3658 (denial of service)

An out-of-bounds read vulnerability was found in the
TIFFWriteDirectoryTagLongLong8Array function in the libtiff library.
Using a tiffset command on a maliciously crafted image could result in
a denial of service.

- CVE-2016-3945 (arbitrary code execution)

When libtiff's tiff2rgba handles a maliciously crafted TIFF file
(width=8388640, height=31) an illegal write happens. This vulnerability
exists in the function cvt_by_strip (and cvt_by_tile) due to an
improper buffer allocation. An attacker may control the write address
and/or value, resulting in denial of service or arbitrary code
execution.

- CVE-2016-3990 (arbitrary code execution)

An out-of-bounds write flaw was found in libtiff v4.0.6 when using the
tiffcp command to handle a malicious TIFF file. The vulnerability exists
in the function horizontalDifference8(). An attacker could control the
header data of the next heap chunk, which contains the pre_size and
size fields, to cause a denial of service or arbitrary code execution.

- CVE-2016-3991 (arbitrary code execution)

An out-of-bounds write caused by a heap overflow exists in the tiffcrop
tool. The vulnerability is located in the loadImage() function of
tiffcrop.c. loadImage() reads the number of tiles by calling
TIFFNumberOfTiles(). However, if the number of tiles is 0, loadImage()
still reads tile data from the image by calling
readContigTilesIntoBuffer(), regardless of that number. In that case,
loadImage() allocates 3 bytes of heap to store the tile data, and a
heap overflow occurs if the tile data exceeds 3 bytes. This causes a
denial of service or arbitrary code execution upon freeing the buffer.

- CVE-2016-5102 (denial of service)

A vulnerability was found in libtiff. A maliciously crafted file could
cause the application to crash via a buffer overflow in the gif2tiff
tool.

- CVE-2016-5314 (arbitrary code execution)

A vulnerability was found in libtiff. A maliciously crafted TIFF file
could cause the application to crash when using rgb2ycbcr command via
an out-of-bounds write in the PixarLogDecode() function.

- CVE-2016-5315 (denial of service)

An out-of-bounds read vulnerability was found in the setByteArray()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash when using rgb2ycbcr.

- CVE-2016-5316 (denial of service)

An out-of-bounds read vulnerability was found in the PixarLogCleanup()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash when using rgb2ycbcr.

- CVE-2016-5317 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the PixarLogDecode()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash or possibly execute arbitrary code when generating
a thumbnail for it.

- CVE-2016-5318 (arbitrary code execution)

A stack-based buffer overflow vulnerability was reported in thumbnail's
_TIFFVGetField() function. Memory corruption can be triggered when
handling a maliciously crafted TIFF file, causing the application to
crash or possibly execute arbitrary code.

- CVE-2016-5319 (arbitrary code execution)

A heap-based buffer overflow vulnerability was found in the
PackBitsEncode function in tif_packbits.c. Memory corruption can be
triggered when bmp2tiff is handling a maliciously crafted BMP file,
causing the application to crash or possibly execute arbitrary code.

- CVE-2016-5320 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the PixarLogDecode()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash or even execute arbitrary code on a vulnerable
machine when using the rgb2ycbcr command.

- CVE-2016-5321 (denial of service)

An out-of-bounds read vulnerability was found in the DumpModeDecode()
function in libtiff. A maliciously crafted TIFF file could cause the
application to crash when using tiffcrop command.

- CVE-2016-5322 (denial of service)

An out-of-bounds read vulnerability was found in the
extractContigSamplesBytes() function in libtiff. A maliciously crafted
TIFF file could cause the application to crash when using the tiffcrop
command.

- CVE-2016-5323 (denial of service)

When using the tiffcrop command and a crafted TIFF image, the function
_TIFFFax3fill() runs without checking the value of the divisor and
causes a divide by zero flaw. Attackers can exploit this issue to cause
a denial of service.

- CVE-2016-5652 (arbitrary code execution)

An exploitable heap-based buffer overflow exists in the handling of
TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can
lead to a heap-based buffer overflow via JPEG Compression Tables,
resulting in remote code execution. This vulnerability can be triggered
via a saved TIFF file delivered by other means.

- CVE-2016-5875 (arbitrary code execution)

There is a heap-based buffer overflow in libtiff/tif_pixarlog.c. The
vulnerability allows an attacker to control the size of the allocated
heap buffer while independently controlling the data to be written to
the buffer, with no restrictions on the size of the written data.

- CVE-2016-6223 (information disclosure)

An out-of-bounds read vulnerability on memory-mapped files in
TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond
tmsize_t max value was found. The vulnerability allows an attacker to
specify a negative index into the file-content buffer and copy data
from that position until the end of the buffer. This will allow an
attacker to crash the process by accessing unmapped memory and
(depending on how LibTIFF is used) might also allow an attacker to leak
sensitive information.
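
The following C example is added here to illustrate the defensive check
behind CVE-2016-6223; it is not libtiff code and not part of the
original advisory. It assumes a stand-in tmsize_t (ptrdiff_t with
PTRDIFF_MAX as its maximum) and a constructed 8-byte buffer in place of
a memory-mapped file. It shows why a 64-bit strip offset must be
range-checked before it is narrowed to the signed size type, and how a
checked read keeps the whole range inside the mapping.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed stand-in for libtiff's signed size type (the real one lives in
   tiffio.h). PTRDIFF_MAX plays the role of the "tmsize_t max value". */
typedef ptrdiff_t tmsize_t;
#define TMSIZE_MAX PTRDIFF_MAX

/* Constructed stand-in for a memory-mapped file: base pointer plus length. */
struct mapped_file {
    const uint8_t *base;
    tmsize_t size;
};

/* The unsafe step in isolation: a 64-bit strip offset narrowed to the signed
   size type. Anything above TMSIZE_MAX becomes negative, and a negative index
   into the map points before the mapping. Only reports the sign; touches no
   memory. */
static bool offset_goes_negative(uint64_t stripoffset)
{
    tmsize_t idx = (tmsize_t)stripoffset;
    return idx < 0;
}

/* Checked read of bytecount bytes at stripoffset from the map into dst. Both
   64-bit values are range-checked before narrowing, and the whole range
   [offset, offset + bytecount) must lie inside the mapping and fit dst. */
static bool read_raw_checked(const struct mapped_file *map, uint64_t stripoffset,
                             uint64_t bytecount, uint8_t *dst, size_t dst_len)
{
    if (stripoffset > (uint64_t)TMSIZE_MAX || bytecount > (uint64_t)TMSIZE_MAX)
        return false;                         /* would go negative after narrowing */
    tmsize_t off = (tmsize_t)stripoffset;
    tmsize_t len = (tmsize_t)bytecount;
    if (off > map->size || len > map->size - off)
        return false;                         /* range runs past the mapping */
    if ((size_t)len > dst_len)
        return false;                         /* caller's buffer too small */
    memcpy(dst, map->base + off, (size_t)len);
    return true;
}

/* Constructed 8-byte "file" (a little-endian TIFF header, IFD offset 8) and a
   helper that returns the first byte read at (off, len), or -1 when the checked
   read refuses. */
static const uint8_t demo_file[8] = { 0x49, 0x49, 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00 };

static int demo_read(uint64_t off, uint64_t len)
{
    struct mapped_file map = { demo_file, (tmsize_t)sizeof demo_file };
    uint8_t out[8];
    if (len == 0 || len > sizeof out) return -1;
    if (!read_raw_checked(&map, off, len, out, sizeof out)) return -1;
    return out[0];
}

int main(void)
{
    printf("read(0,4) first byte: %d\n", demo_read(0, 4));
    printf("read(6,4) (past end): %d\n", demo_read(6, 4));
    printf("read(UINT64_MAX,1): %d\n", demo_read(UINT64_MAX, 1));
    printf("UINT64_MAX narrows negative: %s\n",
           offset_goes_negative(UINT64_MAX) ? "yes" : "no");
    return 0;
}
```

The order of the checks matters: comparing the offset against
TMSIZE_MAX while it is still unsigned 64-bit is what prevents the
negative index; a check done after the cast would compare an already
wrapped value.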

- CVE-2016-9273 (denial of service)

A heap buffer overflow has been discovered resulting in a read outside
of the array boundaries leading to an application crash.

- CVE-2016-9297 (denial of service)

A buffer read overflow has been discovered in libtiff. The function
TIFFFetchNormalTag() in libtiff/tif_dirread.c did not make sure that
values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are null terminated, leading to a potential read outside the
buffer in _TIFFPrintField().

- CVE-2016-9448 (denial of service)

A null pointer dereference vulnerability in TIFFFetchNormalTag() occurs
when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII
access are 0-byte arrays leading to denial of service.
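
The following C example is added here to illustrate the two checks that
CVE-2016-9297 and CVE-2016-9448 above call for when an ASCII tag value
is fetched; it is not libtiff code and not part of the original
advisory. The raw_ascii_tag struct and the constructed tag values are
assumptions. The fetch refuses a 0-byte array (the null-dereference
case) and always produces a NUL-terminated copy, so that a later "%s"
print cannot read past the value.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed shape of a raw ASCII tag as read from the directory: a byte array
   plus a count, with no guarantee that the last byte is a NUL. */
struct raw_ascii_tag {
    const uint8_t *data;
    uint32_t count;
};

/* Returns a heap-allocated copy of the value that is always NUL-terminated,
   or NULL for a zero-length array or allocation failure. A value that already
   ends in NUL is copied as-is; otherwise one byte is added for the terminator.
   Embedded NULs are preserved; the C-string view simply stops at the first. */
static char *fetch_ascii_tag(const struct raw_ascii_tag *tag)
{
    if (tag->count == 0 || tag->data == NULL)
        return NULL;                                   /* 0-byte array: refuse */
    bool terminated = tag->data[tag->count - 1] == '\0';
    size_t len = terminated ? tag->count : (size_t)tag->count + 1;
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    memcpy(out, tag->data, tag->count);
    out[len - 1] = '\0';                               /* terminator is guaranteed */
    return out;
}

/* Length a "%s" print of the fetched value would consume. Bounded by the
   size of the copy, never by whatever happens to follow the raw bytes. */
static size_t printable_len(const struct raw_ascii_tag *tag)
{
    char *s = fetch_ascii_tag(tag);
    if (s == NULL)
        return 0;
    size_t n = strlen(s);
    free(s);
    return n;
}

/* Constructed tag values standing in for directory entries. */
static const uint8_t unterminated_bytes[6] = { 'A', 'r', 't', 'i', 's', 't' };
static const uint8_t terminated_bytes[10]  = { 'C', 'o', 'p', 'y', 'r', 'i', 'g', 'h', 't', '\0' };
static const uint8_t embedded_nul_bytes[7] = { 'a', 'b', 'c', '\0', 'd', 'e', 'f' };

static const struct raw_ascii_tag unterminated_tag = { unterminated_bytes, 6 };
static const struct raw_ascii_tag terminated_tag   = { terminated_bytes, 10 };
static const struct raw_ascii_tag embedded_nul_tag = { embedded_nul_bytes, 7 };
static const struct raw_ascii_tag empty_tag        = { NULL, 0 };

int main(void)
{
    printf("empty tag fetch: %s\n", fetch_ascii_tag(&empty_tag) ? "value" : "NULL");
    printf("unterminated 'Artist' -> printable length %zu\n", printable_len(&unterminated_tag));
    printf("terminated 'Copyright' -> printable length %zu\n", printable_len(&terminated_tag));
    printf("embedded NUL 'abc\\0def' -> printable length %zu\n", printable_len(&embedded_nul_tag));
    return 0;
}
```

The count check comes first because tag->data[tag->count - 1] with a
count of 0 would itself index at UINT32_MAX, which is the same class of
fault the advisory describes.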

- CVE-2016-9453 (arbitrary code execution)

An out-of-bounds write vulnerability has been discovered caused by a
memcpy call without proper bounds checks. A malicious tiff file handled
by tiff2pdf will cause an illegal write to a potentially attacker
controlled target address.

- CVE-2016-9532 (arbitrary code execution)

Multiple uint32 overflows have been discovered, leading to a heap
buffer overflow in writeBufferToSeparateStrips(). A maliciously crafted
TIFF file could cause the application to crash or even execute
arbitrary code on a vulnerable machine.

- CVE-2016-9533 (arbitrary code execution)

tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities
in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog
horizontalDifference heap-buffer-overflow."

- CVE-2016-9534 (arbitrary code execution)

tif_write.c in libtiff 4.0.6 has an issue in the error code path of
TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members.
Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow."

- CVE-2016-9535 (arbitrary code execution)

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that
can lead to assertion failures in debug mode, or buffer overflows in
release mode, when dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105, aka "Predictor
heap-buffer-overflow."

- CVE-2016-9536 (arbitrary code execution)

It was found that tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds
write vulnerabilities in heap allocated buffers in
t2p_process_jpeg_strip().

- CVE-2016-9537 (arbitrary code execution)

It was found that tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds
write vulnerabilities in heap allocated buffers.

- CVE-2016-9538 (denial of service)

It was found that tools/tiffcrop.c in libtiff 4.0.6 reads an undefined
buffer in readContigStripsIntoBuffer() because of a uint16 integer
overflow.

- CVE-2016-9539 (information disclosure)

It was found that tools/tiffcrop.c in libtiff 4.0.6 has an
out-of-bounds read in readContigTilesIntoBuffer() leading to possible
information disclosure.

- CVE-2016-9540 (arbitrary code execution)

It was found that tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds
heap write on tiled images with odd tile width versus image width. This
has also been reported as MSVR 35103, aka "cpStripToTile
heap-buffer-overflow."
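
Several of the issues above share one root cause: a buffer size is
derived from image geometry in 32-bit arithmetic, or from a tile count
that is never checked against the declared layout, so the allocation
ends up far smaller than the data written into it (CVE-2016-3991's zero
tile count and 3-byte buffer, CVE-2016-3945's improper allocation in
cvt_by_strip, the uint32 overflows of CVE-2016-9532, and the odd tile
width versus image width in CVE-2016-9540). The following C example is
added here to show the overflow-checked size computation and the tile
layout validation that close that class of bug; it is not libtiff code
and not part of the original advisory, and the function names, the
"declared" tile count parameter and the constructed 4x4 tile are
assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* The unsafe pattern: the product is formed in uint32_t and wraps silently,
   so a large image can yield a tiny (even zero) allocation size. Returns the
   wrapped value only; nothing is allocated from it. */
static uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel;
}

/* Overflow-checked multiply in size_t. */
static bool mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Byte count for a width x height raster at bytes_per_pixel. Rejects zero
   dimensions and any overflow instead of returning a wrapped value. */
static bool checked_image_bytes(uint32_t width, uint32_t height,
                                uint32_t bytes_per_pixel, size_t *out)
{
    size_t row, total;
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    if (!mul_size(width, bytes_per_pixel, &row))
        return false;
    if (!mul_size(row, height, &total))
        return false;
    *out = total;
    return true;
}

/* Convenience predicate: does the geometry yield a representable size? */
static bool image_bytes_ok(uint32_t width, uint32_t height, uint32_t bytes_per_pixel)
{
    size_t n;
    return checked_image_bytes(width, height, bytes_per_pixel, &n);
}

/* Tiles needed to cover the image: ceil(w/tw) * ceil(h/th), computed in 64
   bits so an odd tile width versus image width cannot wrap. Returns 0 for a
   zero-sized tile or image; callers treat 0 as an error, never as "no work". */
static uint64_t expected_tile_count(uint32_t w, uint32_t h, uint32_t tw, uint32_t th)
{
    if (w == 0 || h == 0 || tw == 0 || th == 0)
        return 0;
    uint64_t across = ((uint64_t)w + tw - 1) / tw;
    uint64_t down   = ((uint64_t)h + th - 1) / th;
    return across * down;
}

/* A tile layout is usable only if the count derived from the geometry is
   non-zero and matches what the file declares (assumed here to be the length
   of its TileOffsets array, passed in as `declared`). */
static bool validate_tile_layout(uint32_t w, uint32_t h, uint32_t tw, uint32_t th,
                                 uint64_t declared)
{
    uint64_t n = expected_tile_count(w, h, tw, th);
    return n != 0 && n == declared;
}

/* Copies tile_bytes from src into dst; refuses instead of overflowing on
   either side, so a tile larger than the checked buffer is an error. */
static bool copy_tile_checked(const uint8_t *src, size_t src_len, size_t tile_bytes,
                              uint8_t *dst, size_t dst_len)
{
    if (tile_bytes > src_len || tile_bytes > dst_len)
        return false;
    memcpy(dst, src, tile_bytes);
    return true;
}

/* Demo: a constructed 4x4 single-byte tile (values 0..15) copied into a buffer
   sized by checked_image_bytes. Returns the sum of the copied bytes (120), or
   -1 if any check refused. */
static int demo_copy(void)
{
    uint8_t tile[16];
    for (int i = 0; i < 16; i++)
        tile[i] = (uint8_t)i;
    size_t need;
    if (!checked_image_bytes(4, 4, 1, &need))
        return -1;
    uint8_t *buf = calloc(1, need);
    if (buf == NULL)
        return -1;
    int sum = -1;
    if (copy_tile_checked(tile, sizeof tile, need, buf, need)) {
        sum = 0;
        for (size_t i = 0; i < need; i++)
            sum += buf[i];
    }
    free(buf);
    return sum;
}

int main(void)
{
    printf("naive 65536x65536x4 -> %" PRIu32 " bytes (wrapped)\n",
           naive_image_bytes(65536u, 65536u, 4u));
    printf("checked UINT32_MAX x UINT32_MAX x 4 -> %s\n",
           image_bytes_ok(UINT32_MAX, UINT32_MAX, 4u) ? "ok" : "rejected");
    printf("tiles for a 10x8 image with 4x4 tiles: %" PRIu64 "\n",
           expected_tile_count(10, 8, 4, 4));
    printf("layout declaring 0 tiles accepted: %s\n",
           validate_tile_layout(10, 8, 4, 4, 0) ? "yes" : "no");
    printf("demo copy sum: %d\n", demo_copy());
    return 0;
}
```

A zero result from the tile-count calculation is treated as an error
rather than as an empty image: the CVE-2016-3991 description above is
exactly the case where a zero count was allowed through and tile data
was read anyway.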

Impact
======

A remote attacker is able to use specially crafted image files to
execute arbitrary code, disclose sensitive information or perform a
denial of service attack via various vectors.

References
==========

http://www.simplesystems.org/libtiff/v4.0.7.html
http://bugzilla.maptools.org/show_bug.cgi?id=2209#c6
http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
http://www.conostix.com/pub/adv/CVE-2014-8130-LibTIFF-Division_By_Zero.txt
http://bugzilla.maptools.org/show_bug.cgi?id=2483
http://seclists.org/oss-sec/2015/q3/601
https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
http://www.openwall.com/lists/oss-security/2015/12/24/4
http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4
http://seclists.org/bugtraq/2015/Dec/138
http://www.openwall.com/lists/oss-security/2015/12/25/1
http://www.openwall.com/lists/oss-security/2016/03/30/2
http://bugzilla.maptools.org/show_bug.cgi?id=2536
http://bugzilla.maptools.org/show_bug.cgi?id=2567
http://www.openwall.com/lists/oss-security/2016/04/07/1
http://seclists.org/oss-sec/2016/q2/21
http://bugzilla.maptools.org/show_bug.cgi?id=2570
http://seclists.org/oss-sec/2016/q2/22
http://bugzilla.maptools.org/show_bug.cgi?id=2565
http://seclists.org/oss-sec/2016/q2/23
http://seclists.org/oss-sec/2016/q2/27
http://bugzilla.maptools.org/show_bug.cgi?id=2569
http://seclists.org/oss-sec/2016/q2/28
http://bugzilla.maptools.org/show_bug.cgi?id=2566
http://seclists.org/oss-sec/2016/q2/29
http://seclists.org/oss-sec/2016/q2/24
http://bugzilla.maptools.org/show_bug.cgi?id=2549
http://seclists.org/oss-sec/2016/q2/33
http://bugzilla.maptools.org/show_bug.cgi?id=2548
http://www.openwall.com/lists/oss-security/2016/04/08/11
http://www.openwall.com/lists/oss-security/2016/04/08/13
http://bugzilla.maptools.org/show_bug.cgi?id=2500
http://www.openwall.com/lists/oss-security/2016/04/08/12
http://seclists.org/oss-sec/2016/q2/30
http://bugzilla.maptools.org/show_bug.cgi?id=2545
http://bugzilla.maptools.org/show_bug.cgi?id=2544
http://seclists.org/oss-sec/2016/q2/57
http://bugzilla.maptools.org/show_bug.cgi?id=2543
http://bugzilla.maptools.org/show_bug.cgi?id=2552
http://bugzilla.maptools.org/show_bug.cgi?id=2554
http://www.openwall.com/lists/oss-security/2016/06/15/1
https://github.com/vadz/libtiff/commit/391e77fcd217e78b2c51342ac3ddb7100ecacdd2
http://www.openwall.com/lists/oss-security/2016/06/15/2
http://www.openwall.com/lists/oss-security/2016/06/15/3
http://www.openwall.com/lists/oss-security/2016/06/15/5
http://bugzilla.maptools.org/show_bug.cgi?id=2561
http://seclists.org/oss-sec/2016/q2/486
http://bugzilla.maptools.org/show_bug.cgi?id=2562
http://www.openwall.com/lists/oss-security/2016/06/15/9
http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1
http://www.openwall.com/lists/oss-security/2016/06/15/7
http://bugzilla.maptools.org/show_bug.cgi?id=2558#c2
http://bugzilla.maptools.org/show_bug.cgi?id=2560
http://www.openwall.com/lists/oss-security/2016/06/15/8
http://seclists.org/oss-sec/2016/q2/548
http://bugzilla.maptools.org/show_bug.cgi?id=2559#c3
http://www.talosintelligence.com/reports/TALOS-2016-0187/
https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63
http://www.openwall.com/lists/oss-security/2016/06/29/6
https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496
http://www.openwall.com/lists/oss-security/2016/07/13/3
http://www.openwall.com/lists/oss-security/2016/11/09/20
https://github.com/vadz/libtiff/commit/d651abc097d91fac57f33b5f9447d0a9183f58e7
http://bugzilla.maptools.org/show_bug.cgi?id=2587
https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed
http://bugzilla.maptools.org/show_bug.cgi?id=2593
https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e
http://bugzilla.maptools.org/show_bug.cgi?id=2590
http://seclists.org/oss-sec/2016/q4/464
http://bugzilla.maptools.org/show_bug.cgi?id=2579
http://www.openwall.com/lists/oss-security/2016/09/29/
http://www.openwall.com/lists/oss-security/2016/11/11/14
http://bugzilla.maptools.org/show_bug.cgi?id=2592
https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a
https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
https://access.redhat.com/security/cve/CVE-2010-2596
https://access.redhat.com/security/cve/CVE-2014-8127
https://access.redhat.com/security/cve/CVE-2014-8130
https://access.redhat.com/security/cve/CVE-2015-7313
https://access.redhat.com/security/cve/CVE-2015-8665
https://access.redhat.com/security/cve/CVE-2015-8668
https://access.redhat.com/security/cve/CVE-2015-8683
https://access.redhat.com/security/cve/CVE-2016-3186
https://access.redhat.com/security/cve/CVE-2016-3619
https://access.redhat.com/security/cve/CVE-2016-3620
https://access.redhat.com/security/cve/CVE-2016-3621
https://access.redhat.com/security/cve/CVE-2016-3622
https://access.redhat.com/security/cve/CVE-2016-3623
https://access.redhat.com/security/cve/CVE-2016-3624
https://access.redhat.com/security/cve/CVE-2016-3625
https://access.redhat.com/security/cve/CVE-2016-3631
https://access.redhat.com/security/cve/CVE-2016-3632
https://access.redhat.com/security/cve/CVE-2016-3633
https://access.redhat.com/security/cve/CVE-2016-3634
https://access.redhat.com/security/cve/CVE-2016-3658
https://access.redhat.com/security/cve/CVE-2016-3945
https://access.redhat.com/security/cve/CVE-2016-3990
https://access.redhat.com/security/cve/CVE-2016-3991
https://access.redhat.com/security/cve/CVE-2016-5102
https://access.redhat.com/security/cve/CVE-2016-5314
https://access.redhat.com/security/cve/CVE-2016-5315
https://access.redhat.com/security/cve/CVE-2016-5316
https://access.redhat.com/security/cve/CVE-2016-5317
https://access.redhat.com/security/cve/CVE-2016-5318
https://access.redhat.com/security/cve/CVE-2016-5319
https://access.redhat.com/security/cve/CVE-2016-5320
https://access.redhat.com/security/cve/CVE-2016-5321
https://access.redhat.com/security/cve/CVE-2016-5322
https://access.redhat.com/security/cve/CVE-2016-5323
https://access.redhat.com/security/cve/CVE-2016-5652
https://access.redhat.com/security/cve/CVE-2016-5875
https://access.redhat.com/security/cve/CVE-2016-6223
https://access.redhat.com/security/cve/CVE-2016-9273
https://access.redhat.com/security/cve/CVE-2016-9297
https://access.redhat.com/security/cve/CVE-2016-9448
https://access.redhat.com/security/cve/CVE-2016-9453
https://access.redhat.com/security/cve/CVE-2016-9532
https://access.redhat.com/security/cve/CVE-2016-9533
https://access.redhat.com/security/cve/CVE-2016-9534
https://access.redhat.com/security/cve/CVE-2016-9535
https://access.redhat.com/security/cve/CVE-2016-9536
https://access.redhat.com/security/cve/CVE-2016-9537
https://access.redhat.com/security/cve/CVE-2016-9538
https://access.redhat.com/security/cve/CVE-2016-9539
https://access.redhat.com/security/cve/CVE-2016-9540
