Log

CVE-2016-9535 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
References
+ https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
+ https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
Notes
CVE-2016-9536 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ It was found that tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip().
References
+ https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a
Notes
CVE-2016-9537 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Local
Type
+ Arbitrary code execution
Description
+ It was found that tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers.
References
+ https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a
Notes
CVE-2016-9538 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Denial of service
Description
+ It was found that tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow.
References
+ https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b
Notes
CVE-2016-9539 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Information disclosure
Description
+ It was found that tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer() leading to possible information disclosure.
References
+ https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53
Notes
CVE-2016-9540 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ It was found that tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds heap write on tiled images with odd tile width versus image width. This has also been reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow."
References
+ https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3
Notes
CVE-2016-9557 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A signed integer overflow vulnerability has been discovered in jas_image.c triggered by a crafted image. An option max_samples has been added to the BMP and JPEG decoders to restrict the maximum size of image that they can decode. This change was made as a (possibly temporary) fix to address security concerns.
References
+ https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a
+ http://www.openwall.com/lists/oss-security/2016/11/23/2
Notes
CVE-2016-9558 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Local
Type
+ Denial of service
Description
+ A negation overflow vulnerability was found in dwarf_leb.c, triggered by crafted input to the dwarfdump utility.
References
+ https://blogs.gentoo.org/ago/2016/11/19/libdwarf-negation-overflow-in-dwarf_leb-c/
Notes
CVE-2016-9560 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A stack buffer overflow vulnerability has been discovered in jpc/jpc_dec.c due to an out-of-bounds array write triggered by a crafted image.
References
+ https://github.com/mdadams/jasper/commit/1abc2e5a401a4bf1d5ca4df91358ce5df111f495
+ http://www.openwall.com/lists/oss-security/2016/11/23/5
Notes
CVE-2016-9586 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ libcurl's implementation of the printf() functions triggers a buffer overflow when doing a large floating point output. The bug occurs when the conversion outputs more than 255 bytes. The flaw happens because the floating point conversion is using system functions without the correct boundary checks.
+ The functions have been documented as deprecated for a long time and users are discouraged from using them in "new programs" as they are planned to be removed at a future point. But as the functions are present and there's nothing preventing users from using them, we expect there to be a certain number of existing users in the wild.
+ If there is any application that accepts a format string from the outside without the necessary input filtering, it could allow remote attacks.
References
+ https://curl.haxx.se/docs/adv_20161221A.html
Notes
+ This flaw is present in the curl_*printf (curlx_*printf) family of functions, which are not used by curl but are exposed from libcurl.
+ To be exposed, third-party code would need to be using these long-deprecated functions, with a floating-point specifier and user-controlled (floating-point) input. The overflow itself is of a 256-byte stack-allocated buffer, when the decimal expansion of the float exceeds that by up to 70 bytes. Beyond about 16 digits for a double, the decimal expansion is effectively random so the attacker has very little control over precisely what bytes are written.