Arch Linux Security Advisory ASA-201611-26
==========================================

Severity: Critical
Date    : 2016-11-25
CVE-ID  : CVE-2010-2596 CVE-2014-8127 CVE-2014-8130 CVE-2015-7313
          CVE-2015-8665 CVE-2015-8668 CVE-2015-8683 CVE-2016-3186
          CVE-2016-3619 CVE-2016-3620 CVE-2016-3621 CVE-2016-3622
          CVE-2016-3623 CVE-2016-3624 CVE-2016-3625 CVE-2016-3631
          CVE-2016-3632 CVE-2016-3633 CVE-2016-3634 CVE-2016-3658
          CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 CVE-2016-5102
          CVE-2016-5314 CVE-2016-5315 CVE-2016-5316 CVE-2016-5317
          CVE-2016-5318 CVE-2016-5319 CVE-2016-5320 CVE-2016-5321
          CVE-2016-5322 CVE-2016-5323 CVE-2016-5652 CVE-2016-5875
          CVE-2016-6223 CVE-2016-9273 CVE-2016-9297 CVE-2016-9448
          CVE-2016-9453 CVE-2016-9532 CVE-2016-9533 CVE-2016-9534
          CVE-2016-9535 CVE-2016-9536 CVE-2016-9537 CVE-2016-9538
          CVE-2016-9539 CVE-2016-9540
Package : libtiff
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libtiff before version 4.0.7-1 is vulnerable to multiple issues including arbitrary code execution, denial of service and information disclosure.

Resolution
==========

Upgrade to 4.0.7-1.

# pacman -Syu "libtiff>=4.0.7-1"

The problems have been fixed upstream in version 4.0.7.

Workaround
==========

None.

Description
===========

- CVE-2010-2596 (denial of service)

The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input."

- CVE-2014-8127 (information disclosure)

LibTIFF provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. It is composed of a library for working with TIFF files along with a small collection of tools for doing simple manipulations of TIFF images. Multiple out-of-bounds reads can be triggered with malformed TIFF images in the following LibTIFF tools: thumbnail, tiff2bw, tiff2rgba, tiff2ps, tiffdither, tiffmedian, tiffset.

- CVE-2014-8130 (denial of service)

A floating point exception due to a division by zero in the tiffdither tool can be triggered with a malformed TIFF file, leading to denial of service.

- CVE-2015-7313 (denial of service)

A denial of service flaw was found in the way libtiff parsed certain TIFF files. An attacker could use this flaw to create a specially crafted TIFF file that would cause an application using libtiff to exhaust all available memory on the system.

- CVE-2015-8665 (denial of service)

tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.

- CVE-2015-8668 (arbitrary code execution)

Heap-based buffer overflow in the PackBitsPreEncode function in tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a large width field in a BMP image.

- CVE-2015-8683 (denial of service)

An out-of-bounds read flaw was found in the way libtiff processed CIE Lab image format files. An attacker could create a specially crafted CIE Lab image format file which could cause libtiff to crash.

- CVE-2016-3186 (denial of service)

A buffer overflow vulnerability was reported in the libtiff library, in the readextension function in the gif2tiff component. A maliciously crafted GIF file could cause the application to crash, resulting in denial of service.

- CVE-2016-3619 (denial of service)

An out-of-bounds read vulnerability has been discovered in the DumpModeEncode function when handling maliciously crafted BMP files, during the _TIFFmemcpy operation. An attacker could exploit this issue to cause a denial of service.
- CVE-2016-3620 (denial of service)

An out-of-bounds read vulnerability has been discovered in the ZIPEncode function in tif_zip.c. Running bmp2tiff on a specially crafted BMP file results in an application crash.

- CVE-2016-3621 (denial of service)

The LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c lzw" option is used, allows remote attackers to cause a denial of service (buffer over-read) via a crafted BMP image.

- CVE-2016-3622 (denial of service)

A division by zero vulnerability was found in the fpAcc function in tif_predict.c in tiff2rgba, allowing an attacker to cause a denial of service via a crafted TIFF image.

- CVE-2016-3623 (denial of service)

A division by zero vulnerability was found in the cvtRaster function in rgb2ycbcr.c, allowing an attacker to cause a denial of service via a crafted TIFF image.

- CVE-2016-3624 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the cvtClump function in rgb2ycbcr.c, allowing an attacker to cause a denial of service or possibly execute arbitrary code via a crafted TIFF image.

- CVE-2016-3625 (denial of service)

An out-of-bounds read vulnerability was found in tif_read.c in tiff2bw, allowing an attacker to cause a denial of service via a crafted TIFF image.

- CVE-2016-3631 (denial of service)

The (1) cpStrips and (2) cpTiles functions in the thumbnail tool in LibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of service (out-of-bounds read) via vectors related to the bytecounts[] array variable.

- CVE-2016-3632 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the _TIFFVGetField function in tif_dirinfo.c, allowing an attacker to cause a denial of service or code execution via a crafted TIFF image.

- CVE-2016-3633 (denial of service)

An out-of-bounds read vulnerability was found in the _setrow function in the libtiff library. Using the thumbnail command on a maliciously crafted image could cause the application to crash.

- CVE-2016-3634 (denial of service)

A vulnerability was found in the libtiff library. Using the tagCompare function with the thumbnail command on a maliciously crafted TIFF file could cause an out-of-bounds read leading to an application crash.

- CVE-2016-3658 (denial of service)

An out-of-bounds read vulnerability was found in the TIFFWriteDirectoryTagLongLong8Array function in the libtiff library. Using the tiffset command on a maliciously crafted image could result in a denial of service.

- CVE-2016-3945 (arbitrary code execution)

When libtiff's tiff2rgba handles a maliciously crafted TIFF file (width=8388640, height=31), an illegal write happens. This vulnerability exists in the function cvt_by_strip (and cvt_by_tile) due to an improper buffer allocation. An attacker may control the write address and/or value, resulting in denial of service or arbitrary code execution.

- CVE-2016-3990 (arbitrary code execution)

An out-of-bounds write flaw was found in libtiff v4.0.6 when using the tiffcp command to handle a malicious TIFF file. The vulnerability exists in the function horizontalDifference8(). An attacker could control the header of the next heap chunk, which contains the prev_size and size fields, resulting in denial of service or arbitrary code execution.

- CVE-2016-3991 (arbitrary code execution)

An out-of-bounds write caused by a heap overflow when using the tiffcrop tool. The vulnerability is located in the loadImage() function of tiffcrop.c. loadImage() reads the number of tiles by calling TIFFNumberOfTiles(). However, if the number of tiles is 0, loadImage() will still read tile data from the image by calling readContigTilesIntoBuffer(), regardless of that count. In that case, loadImage() allocates 3 bytes of heap to store the tile data, and a heap overflow occurs if the tile data is larger than 3 bytes. This will cause denial of service or arbitrary code execution upon freeing the buffer.

- CVE-2016-5102 (denial of service)

A vulnerability was found in libtiff. A maliciously crafted file could cause the application to crash via a buffer overflow in the gif2tiff tool.

- CVE-2016-5314 (arbitrary code execution)

A vulnerability was found in libtiff. A maliciously crafted TIFF file could cause the application to crash when using the rgb2ycbcr command via an out-of-bounds write in the PixarLogDecode() function.

- CVE-2016-5315 (denial of service)

An out-of-bounds read vulnerability was found in the setByteArray() function in libtiff. A maliciously crafted TIFF file could cause the application to crash when using rgb2ycbcr.

- CVE-2016-5316 (denial of service)

An out-of-bounds read vulnerability was found in the PixarLogCleanup() function in libtiff. A maliciously crafted TIFF file could cause the application to crash when using rgb2ycbcr.

- CVE-2016-5317 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the PixarLogDecode() function in libtiff. A maliciously crafted TIFF file could cause the application to crash or possibly execute arbitrary code when generating a thumbnail for it.

- CVE-2016-5318 (arbitrary code execution)

A stack-based buffer overflow vulnerability was reported in thumbnail's _TIFFVGetField() function. Memory corruption can be triggered when handling a maliciously crafted TIFF file, causing the application to crash or possibly execute arbitrary code.

- CVE-2016-5319 (arbitrary code execution)

A heap-based buffer overflow vulnerability was found in the PackBitsEncode function in tif_packbits.c. Memory corruption can be triggered when bmp2tiff is handling a maliciously crafted BMP file, causing the application to crash or possibly execute arbitrary code.

- CVE-2016-5320 (arbitrary code execution)

An out-of-bounds write vulnerability was found in the PixarLogDecode() function in libtiff. A maliciously crafted TIFF file could cause the application to crash or even execute arbitrary code on a vulnerable machine when using the rgb2ycbcr command.
- CVE-2016-5321 (denial of service)

An out-of-bounds read vulnerability was found in the DumpModeDecode() function in libtiff. A maliciously crafted TIFF file could cause the application to crash when using the tiffcrop command.

- CVE-2016-5322 (denial of service)

An out-of-bounds read vulnerability was found in the extractContigSamplesBytes() function in libtiff. A maliciously crafted TIFF file could cause the application to crash when using the tiffcrop command.

- CVE-2016-5323 (denial of service)

When using the tiffcrop command on a crafted TIFF image, the function _TIFFFax3fill() runs without checking the value of the divisor and causes a divide-by-zero flaw. Attackers can exploit this issue to cause a denial of service.

- CVE-2016-5652 (arbitrary code execution)

An exploitable heap-based buffer overflow exists in the handling of TIFF images in LibTIFF's tiff2pdf tool. A crafted TIFF document can lead to a heap-based buffer overflow via JPEG compression tables, resulting in remote code execution. This vulnerability can be triggered via a saved TIFF file delivered by other means.

- CVE-2016-5875 (arbitrary code execution)

There is a heap-based buffer overflow in libtiff/tif_pixarlog.c. The vulnerability allows an attacker to control the size of the allocated heap buffer while independently controlling the data to be written to the buffer, with no restrictions on the size of the written data.

- CVE-2016-6223 (information disclosure)

An out-of-bounds read vulnerability on memory-mapped files was found in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond the tmsize_t max value. The vulnerability allows an attacker to specify a negative index into the file-content buffer and copy data from that position until the end of the buffer. This allows an attacker to crash the process by accessing unmapped memory and (depending on how LibTIFF is used) might also allow an attacker to leak sensitive information.

- CVE-2016-9273 (denial of service)

A heap buffer overflow has been discovered resulting in a read outside of the array boundaries, leading to an application crash.

- CVE-2016-9297 (denial of service)

A buffer read overflow has been discovered in libtiff. The function TIFFFetchNormalTag() in libtiff/tif_dirread.c did not make sure that values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are null terminated, leading to a potential read outside the buffer in _TIFFPrintField().

- CVE-2016-9448 (denial of service)

A null pointer dereference vulnerability in TIFFFetchNormalTag() occurs when values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII access are 0-byte arrays, leading to denial of service.

- CVE-2016-9453 (arbitrary code execution)

An out-of-bounds write vulnerability has been discovered, caused by a memcpy call without proper bounds checks. A malicious TIFF file handled by tiff2pdf will cause an illegal write to a potentially attacker-controlled target address.

- CVE-2016-9532 (arbitrary code execution)

Multiple uint32 overflows have been discovered that lead to a heap buffer overflow in writeBufferToSeparateStrips(). A maliciously crafted TIFF file could cause the application to crash or even execute arbitrary code on a vulnerable machine.

- CVE-2016-9533 (arbitrary code execution)

tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap-allocated buffers. Reported as MSVR 35094, aka "PixarLog horizontalDifference heap-buffer-overflow."

- CVE-2016-9534 (arbitrary code execution)

tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow."

- CVE-2016-9535 (arbitrary code execution)

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile sizes such as YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."

- CVE-2016-9536 (arbitrary code execution)

It was found that tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap-allocated buffers in t2p_process_jpeg_strip().

- CVE-2016-9537 (arbitrary code execution)

It was found that tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap-allocated buffers.

- CVE-2016-9538 (denial of service)

It was found that tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow.

- CVE-2016-9539 (information disclosure)

It was found that tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(), leading to possible information disclosure.

- CVE-2016-9540 (arbitrary code execution)

It was found that tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds heap write on tiled images with an odd tile width versus image width. This has also been reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow."

Impact
======

A remote attacker is able to use specially crafted image files to execute arbitrary code, disclose sensitive information or perform a denial of service attack via various vectors.
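The following is an added example, not code from libtiff or from this advisory, illustrating the bounds check whose absence is described under CVE-2016-6223: a strip offset read from the file as a 64-bit value must be rejected before it is narrowed to the signed tmsize_t and used as an index into the memory-mapped file, and the offset-plus-count comparison itself must be overflow-safe (the same arithmetic discipline the uint32 overflows of CVE-2016-9532 call for). tmsize_t being ptrdiff_t, the function names, and the 32-byte "mapped file" are assumptions made for the example.

```c
/* Added example, not libtiff code: bounds checking a raw strip read from a
 * memory-mapped TIFF, the check described as missing for CVE-2016-6223.
 * tmsize_t is assumed to be ptrdiff_t here; function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef ptrdiff_t tmsize_t;                 /* assumed signed size type */
#define TMSIZE_MAX ((tmsize_t)PTRDIFF_MAX)

/* Returns 1 if [stripoffset, stripoffset + bytecount) lies inside a map of
 * mapsize bytes, 0 otherwise. Offsets and counts arrive as uint64 from the
 * TIFF directory, so they are validated before any narrowing to tmsize_t. */
int strip_in_map(uint64_t stripoffset, uint64_t bytecount, tmsize_t mapsize)
{
    if (mapsize < 0)
        return 0;
    /* Vulnerable pattern: casting a huge uint64 offset straight to tmsize_t
     * yields a negative value, so "offset + count > mapsize" is false and the
     * copy starts before the buffer. Reject anything beyond TMSIZE_MAX. */
    if (stripoffset > (uint64_t)TMSIZE_MAX || bytecount > (uint64_t)TMSIZE_MAX)
        return 0;
    tmsize_t off = (tmsize_t)stripoffset;
    tmsize_t cnt = (tmsize_t)bytecount;
    /* Overflow-safe form of "off + cnt > mapsize". */
    if (off > mapsize || cnt > mapsize - off)
        return 0;
    return 1;
}

/* Copies one raw strip out of the mapped file; returns bytes copied or -1. */
tmsize_t read_raw_strip_mapped(const uint8_t *map, tmsize_t mapsize,
                               uint64_t stripoffset, uint64_t bytecount,
                               uint8_t *out, tmsize_t outsize)
{
    if (!strip_in_map(stripoffset, bytecount, mapsize))
        return -1;
    if ((tmsize_t)bytecount > outsize)
        return -1;
    memcpy(out, map + stripoffset, (size_t)bytecount);
    return (tmsize_t)bytecount;
}

/* Runs one read against a constructed 32-byte "mapped file" whose byte i is i.
 * Returns bytes copied, -1 if rejected, -2 if the wrong bytes were copied. */
long demo_read(uint64_t stripoffset, uint64_t bytecount)
{
    uint8_t map[32], out[32];
    for (int i = 0; i < 32; i++)
        map[i] = (uint8_t)i;
    tmsize_t n = read_raw_strip_mapped(map, 32, stripoffset, bytecount,
                                       out, (tmsize_t)sizeof out);
    if (n > 0 && out[0] != (uint8_t)stripoffset)
        return -2;
    return (long)n;
}

int main(void)
{
    printf("strip at 8, 8 bytes   -> %ld\n", demo_read(8, 8));
    printf("strip at 28, 8 bytes  -> %ld (past end, rejected)\n",
           demo_read(28, 8));
    printf("offset > tmsize_t max -> %ld (rejected)\n",
           demo_read(UINT64_C(0xFFFFFFFFFFFFFFF8), 8));
    return 0;
}
```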