Bug 42897 - tiff3: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Arvid Requate
QA Contact: Janek Walkenhorst
Reported: 2016-11-08 19:47 CET by Arvid Requate
Modified: 2017-04-19 13:29 CEST
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7 (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
requate: Patch_Available+
Description Arvid Requate univentionstaff 2016-11-08 19:47:28 CET
Upstream Debian package version 3.9.6-11+deb7u2 fixes the following issues:

* Applications using libtiff can trigger buffer overflows through TIFFGetField() when processing TIFF images with unknown tags (CVE-2015-7554, CVE-2016-5318)
Comment 1 Arvid Requate univentionstaff 2017-01-30 21:32:23 CET
3.9.6-11+deb7u3 fixes an issue in +deb7u1 that resulted in libtiff writing out invalid TIFF files when the compression scheme in use relies on codec-specific TIFF tags embedded in the image.
Comment 2 Arvid Requate univentionstaff 2017-04-10 13:35:12 CEST
Upstream Debian package version 3.9.6-11+deb7u4 fixes:

* an out-of-bounds write in tif_luv.c (CVE-2015-8781)

* other out-of-bounds writes (CVE-2015-8782)

* other out-of-bounds reads (CVE-2015-8783)

* potential out-of-bounds write in NeXTDecode (CVE-2015-8784)

* tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog horizontalDifference heap-buffer-overflow." (CVE-2016-9533)

* tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow." (CVE-2016-9534)

* tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." (CVE-2016-9535)
Comment 3 Arvid Requate univentionstaff 2017-04-10 14:25:27 CEST
Upstream version imported and built.
Advisory: tiff3.yaml
Comment 4 Janek Walkenhorst univentionstaff 2017-04-13 11:51:21 CEST
Tests (amd64): OK
Advisory: OK
Comment 5 Janek Walkenhorst univentionstaff 2017-04-19 13:29:03 CEST
<http://errata.software-univention.de/ucs/4.1/410.html>