Bug 44571 - tiff: Multiple issues (4.2)
tiff: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P3 normal (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
http://metadata.ftp-master.debian.org...
:
Depends on:
Blocks: 42896
  Show dependency treegraph
 
Reported: 2017-05-10 13:41 CEST by Arvid Requate
Modified: 2018-05-08 14:56 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
requate: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-05-10 13:41:12 CEST
Upstream Debian package version 4.0.3-12.3+deb8u3 fixes these issues:

* The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via vectors involving the ma variable. (CVE-2016-3658)
* tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." (CVE-2016-9535)
tiff: Multiple issues (4.1)
* tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." (CVE-2016-9535)
* LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value. (CVE-2017-5225)
* LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. (CVE-2016-10266)
* LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. (CVE-2016-10267)
* LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. (CVE-2016-10269)
* LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. (CVE-2016-10270)
* The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a left-shift undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7592)
* tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly initialized, which might allow remote attackers to obtain sensitive information from process memory via a crafted image. (CVE-2017-7593)
* The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (memory leak) via a crafted image. (CVE-2017-7594)
* The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. (CVE-2017-7595)
* LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7596)
* tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representable values of type float" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7597)
* tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image. (CVE-2017-7598)
* LibTIFF 4.0.7 has an "outside the range of representable values of type short" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7599)
* LibTIFF 4.0.7 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7600)
* LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7601)
* LibTIFF 4.0.7 has a signed integer overflow, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image. (CVE-2017-7602)
Comment 1 Arvid Requate univentionstaff 2017-07-11 16:11:35 CEST
Upstream Debian package version 4.0.3-12.3+deb8u4 fixes:

* assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A crafted input will lead to a remote denial of service attack. (CVE-2017-10688)
* memory leak in tif_jbig.c. A crafted TIFF document can lead to a memory leak resulting in a remote denial of service attack. (CVE-2017-9936)
Comment 2 Philipp Hahn univentionstaff 2018-01-25 10:59:53 CET
Mass-import from Debian-Security:
  python -m univention.repong.^Cbmirror -s jessie -r 4.2-3 --override=$HOME/REPOS/repo-ng/mirror/update_ucs42_mirror_from_debian.yml --errata=doc/errata --sql --process=ALL -vvvv --now=201801211553

YAML: git:bd6159834a..449aa5a7cf
Comment 3 Philipp Hahn univentionstaff 2018-01-28 09:41:33 CET
tiff ( 4.0.3-12.3+deb8u5) jessie-security:

* CVE-2017-9935 libtiff: Heap-based buffer overflow in t2p_write_pdf function
* CVE-2017-11335 libtiff: Heap-based buffer overflow in tiff2pdf
* CVE-2017-12944 libtiff: Mishandled memory allocation for short files in the TIFFReadDirEntryArray function
* CVE-2017-13726 libtiff: Reachable assertion abort in the function TIFFWriteDirectorySec()
* CVE-2017-13727 libtiff: Reachable assertion abort in the function TIFFWriteDirectoryTagSubifd()
* CVE-2017-18013 libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes crash

d524ff9c13 Bug #44571: tiff
Comment 4 Quality Assurance univentionstaff 2018-05-04 16:56:03 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/tiff_4.0.3-12.3+deb8u2.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/tiff_4.0.3-12.3+deb8u5.dsc
@@ -1,3 +1,63 @@
+4.0.3-12.3+deb8u5 [Fri, 26 Jan 2018 20:53:45 +0000] Moritz Muehlenhoff <jmm@debian.org>:
+
+  [ Laszlo Boszormenyi (GCS) ]
+  * Fix CVE-2017-11335: heap based buffer write overflow in tiff2pdf
+    (closes: #868513).
+  * Fix CVE-2017-12944: OOM prevention in TIFFReadDirEntryArray()
+    (closes: #872607).
+  * Fix CVE-2017-13726: reachable assertion abort in TIFFWriteDirectorySec()
+    (closes: #873880).
+  * Fix CVE-2017-13727: reachable assertion abort in
+    TIFFWriteDirectoryTagSubifd() (closes: #873879).
+  * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory()
+    (closes: #885985).
+  * Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf()
+    function (closes: #866109).
+      
+  [ Moritz Muehlenhoff ]
+  * CVE-2016-10371
+
+4.0.3-12.3+deb8u4 [Sun, 02 Jul 2017 08:35:22 +0000] Laszlo Boszormenyi (GCS) <gcs@debian.org>:
+
+  * Backport fix for the following vulnerabilities:
+    - CVE-2017-9403: fix memory leak in non DEFER_STRILE_LOAD mode,
+    - CVE-2017-9404: memory leak vulnerability was found in the function
+      OJPEGReadHeaderInfoSecTablesQTable(),
+    - CVE-2016-10095 and CVE-2017-9147: add _TIFFCheckFieldIsValidForCodec()
+      and use it in TIFFReadDirectory() (closes: #850316, #863185),
+    - CVE-2017-9936: memory leak in error code path of JBIGDecode()
+      (closes: #866113),
+    - prevent out of memory in gtTileContig() on corrupted files,
+    - CVE-2017-10688, assertion failure in TIFFWriteDirectoryTagCheckedXXXX()
+      (closes: #866611).
+  * Add required _TIFFCheckFieldIsValidForCodec@LIBTIFF_4.0 and
+    _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbols to the
+    libtiff5 package.
+
+4.0.3-12.3+deb8u3 [Fri, 21 Apr 2017 20:22:02 +0000] Laszlo Boszormenyi (GCS) <gcs@debian.org>:
+
+  * Backport fix for the following vulnerabilities:
+    - CVE-2014-8127 and CVE-2016-3658: out-of-bounds read in the tiffset tool,
+    - CVE-2016-9535: replace assertions by runtime checks to avoid assertions
+      in debug mode, or buffer overflows in release mode,
+    - CVE-2016-10266: divide-by-zero in TIFFReadEncodedStrip,
+    - CVE-2016-10267: divide-by-zero in OJPEGDecodeRaw,
+    - CVE-2016-10269: heap-based buffer overflow in _TIFFmemcpy,
+    - CVE-2016-10270: heap-based buffer overflow in TIFFFillStrip,
+    - CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value,
+    - CVE-2017-7592: left-shift undefined behavior issue in putagreytile,
+    - CVE-2017-7593: unitialized-memory access from tif_rawdata,
+    - CVE-2017-7594: leak in OJPEGReadHeaderInfoSecTablesAcTable,
+    - CVE-2017-7595: divide-by-zero in JPEGSetupEncode,
+    - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599,
+      CVE-2017-7600, CVE-2017-7601 and CVE-2017-7602: multiple UBSAN crashes.
+  * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.
+
+  [ Tobias Lippert <lippertto_oss@fastmail.com> ]
+  * Fix a regression introduced by patch CVE-2014-8128-5 where enabling
+    compression of tif files results in corrupt files
+    (closes: #783555, #818360).
+
 4.0.3-12.3+deb8u2 [Mon, 21 Nov 2016 21:32:06 +0000] Laszlo Boszormenyi (GCS) <gcs@debian.org>:
 
   * Backport fix for the following vulnerabilities:
Comment 5 Arvid Requate univentionstaff 2018-05-07 13:30:40 CEST
* No UCS specific patches
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory adjusted:
  a08f56dd87 | Bug #44571: Fix CVE sorting
Comment 6 Arvid Requate univentionstaff 2018-05-08 14:56:22 CEST
<http://errata.software-univention.de/ucs/4.2/406.html>