Bug 33832

Summary: tiff: Multiple issues (3.2)
Product: UCS
Reporter: Moritz Muehlenhoff <jmm>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Daniel Tröder <troeder>
Severity: normal
Priority: P3
CC: gohmann, requate
Version: UCS 3.0
Flags: requate: Patch_Available+
Target Milestone: UCS 3.2-8-errata
Hardware: Other   
OS: Linux   
Bug Depends on: 33831    
Bug Blocks:    

Description Moritz Muehlenhoff univentionstaff 2014-01-02 12:59:42 CET
+++ This bug was initially created as a clone of Bug #33831 +++

Buffer overflow in gif2tiff (CVE-2013-4243)

No upstream patch is available so far.
Comment 1 Moritz Muehlenhoff univentionstaff 2015-01-05 08:53:36 CET
Buffer overflow in bmp2tiff (CVE-2014-9330)
Comment 2 Moritz Muehlenhoff univentionstaff 2015-02-06 10:18:14 CET
Multiple out of bound reads in processing TIFF files (CVE-2014-8127) 
Multiple out of bound writes in processing TIFF files (CVE-2014-8128) 
Multiple out of bound reads/writes in processing TIFF files (CVE-2014-8129) 
Multiple NULL pointer dereferences in processing TIFF files (CVE-2014-8130)
Comment 3 Moritz Muehlenhoff univentionstaff 2015-02-09 09:45:16 CET
Denial of service by accessing uninitialised memory (CVE-2015-1547, CVE-2014-9655)
Comment 4 Arvid Requate univentionstaff 2015-05-18 20:46:10 CEST
Fixed in 3.9.4-5+squeeze12:

* Buffer overflow in gif2tiff (CVE-2013-4243)
* Buffer overflow in bmp2tiff (CVE-2014-9330)
* Multiple out of bound reads in processing TIFF files (CVE-2014-8127) 
* Multiple out of bound writes in processing TIFF files (CVE-2014-8128) 
* Multiple out of bound reads/writes in processing TIFF files (CVE-2014-8129) 
* Denial of service by accessing uninitialised memory (CVE-2014-9655)

No fix yet for:

* uninitialized memory in NeXTDecode (CVE-2015-1547) [patch available]
* Denial of service by accessing uninitialised memory/divide by zero (CVE-2014-8130) [marked as unimportant in Debian]
Comment 5 Arvid Requate univentionstaff 2016-01-05 18:50:47 CET
* Out-of-bounds Read (CVE-2015-8665)
* Out-of-bounds read in CIE Lab image format (CVE-2015-8683)
Comment 6 Arvid Requate univentionstaff 2016-01-28 14:31:20 CET
Fixed in 3.9.4-5+squeeze13:

* Out-of-bounds Read (CVE-2015-8665)
* Out-of-bounds read in CIE Lab image format (CVE-2015-8683)


CVE-2015-1547 may also be fixed by the patch for CVE-2014-9655, see Debian security tracker.
Comment 7 Arvid Requate univentionstaff 2016-02-01 11:28:13 CET
Fixed in 3.9.4-5+squeeze14:

* an out of bounds write in tif_luv.c (CVE-2015-8781)
* other out-of-bounds writes (CVE-2015-8782)
* other out-of-bounds reads (CVE-2015-8783)
* potential out-of-bound write in NeXTDecode (CVE-2015-8784)
Comment 8 Arvid Requate univentionstaff 2016-06-13 14:05:39 CEST
3.9.4-5+squeeze14 imported and built with fixed buildsystem version increment.
Advisory: tiff.yaml
Comment 9 Daniel Tröder univentionstaff 2016-06-20 13:27:47 CEST
OK: advisory
OK: manual functional test:

# univention-install libtiff-tools caca-utils
# gif2tiff -c lzw /usr/share/apache2/icons/small/rainbow.gif /tmp/rainbow.tiff
# cacaview /usr/share/apache2/icons/small/rainbow.gif /tmp/rainbow.tiff
Comment 10 Janek Walkenhorst univentionstaff 2016-06-22 15:05:28 CEST
<http://errata.software-univention.de/ucs/3.2/438.html>