Bug 42312

Summary: tiff3: Multiple issues (4.1)
Product: UCS
Component: Security updates
Version: UCS 4.1
Target Milestone: UCS 4.1-3-errata
Hardware: Other
OS: Linux
Status: CLOSED FIXED
Severity: normal
Priority: P3
Reporter: Arvid Requate <requate>
Assignee: Janek Walkenhorst <walkenhorst>
QA Contact: Philipp Hahn <hahn>
CC: gohmann
Flags: requate: Patch_Available+
What kind of report is it?: Security Issue
Bug group (optional): Security

Description Arvid Requate univentionstaff 2016-09-07 19:20:51 CEST
Upstream Debian package version 3.9.6-11+deb7u1 fixes the following issues:

* The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input." (CVE-2010-2596)
* Stack-based buffer overflow in the t2p_write_pdf_page function in tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted image length and resolution in a TIFF image file (CVE-2013-1961)
* out-of-bound write (CVE-2014-8128)
* out-of-bound read and write (CVE-2014-8129)
* The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image (CVE-2014-9655)
* uninitialized memory in NeXTDecode (CVE-2015-1547)
* Out-of-bounds read in CIE Lab image format (CVE-2015-8683)
* Out-of-bounds read in TIFFRGBAImage interface (CVE-2015-8665)
* Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. (CVE-2016-3186)
* Divide By Zero in the rgb2ycbcr tool (CVE-2016-3623)
* Out-of-bounds Write in the tiff2rgba tool (CVE-2016-3945)
* tiffcp: out-of-bounds write in horizontalDifference8() (CVE-2016-3990)
* tiffcrop: out-of-bounds write in loadImage() (CVE-2016-3991)
* PixarLogDecode() out-of-bound writes (CVE-2016-5314)
* tif_dir.c: setByteArray() Read access violation (CVE-2016-5315)
* tif_pixarlog.c: PixarLogCleanup() Segmentation fault (CVE-2016-5316)
* GNOME nautilus: crash occurs when generating a thumbnail for a crafted TIFF image (CVE-2016-5317)
* rgb2ycbcr: command execution (CVE-2016-5320)
* DumpModeDecode(): Ddos (CVE-2016-5321)
* extractContigSamplesBytes: out-of-bounds read (CVE-2016-5322)
* tiffcrop _TIFFFax3fillruns(): NULL pointer dereference (CVE-2016-5323)
* tiff: heap-based buffer overflow when using the PixarLog compression format (CVE-2016-5875)
* tiff: information leak in libtiff/tif_read.c (CVE-2016-6223)

Note: The source package tiff3 generates the binary package libtiff4

Comment 1 Janek Walkenhorst univentionstaff 2016-10-13 17:23:01 CEST
Tests (amd64): OK
Advisory: tiff3.yaml

Comment 2 Philipp Hahn univentionstaff 2016-10-17 11:50:36 CEST
OK: errata-announce -V --only tiff3.yaml
FIXED: tiff3.yaml → r73270

OK: aptitude install '?source-package(tiff3)~i'
OK: aptitude install '?source-package(tiff3)'

OK: zless /usr/share/doc/libtiff4/changelog.Debian.gz # 3.9.6-11+deb7u1
OK: CVE-2010-2596
OK: CVE-2013-1961
OK: CVE-2014-8128
OK: CVE-2014-8129
OK: CVE-2014-9655
OK: CVE-2015-1547
OK: CVE-2015-8665
OK: CVE-2015-8683
OK: CVE-2016-3186
OK: CVE-2016-3623
OK: CVE-2016-3945
OK: CVE-2016-3990
OK: CVE-2016-3991
OK: CVE-2016-5314
OK: CVE-2016-5315
OK: CVE-2016-5316
OK: CVE-2016-5317
OK: CVE-2016-5320
OK: CVE-2016-5321
OK: CVE-2016-5322
OK: CVE-2016-5323
OK: CVE-2016-5875
OK: CVE-2016-6223

Comment 3 Janek Walkenhorst univentionstaff 2016-10-20 12:40:35 CEST
<http://errata.software-univention.de/ucs/4.1/305.html>