Bug 47545 - tiff: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Depends on:
Blocks:
Reported: 2018-08-09 10:19 CEST by Quality Assurance
Modified: 2018-08-15 16:20 CEST (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Description Quality Assurance univentionstaff 2018-08-09 10:19:50 CEST
New Debian tiff 4.0.3-12.3+deb8u6 fixes:
This update addresses the following issue(s):
* 
CVE_2010-2596 is open
CVE_2014-8127 is open
CVE_2014-8130 is open
CVE_2015-7313 is open
CVE_2016-9539 is open
CVE_2016-10268 is open
CVE_2017-5563 is open
CVE_2017-9117 is open
* In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. (CVE-2017-11613)
CVE_2017-16232 is open
CVE_2017-17095 is open
CVE_2017-17942 is open
CVE_2017-17973 is open
CVE_2018-5360 is open
* In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries. (CVE-2018-5784)
* A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) (CVE-2018-7456)
* In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps. (CVE-2018-8905)
CVE_2018-10126 is open
* The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726. (CVE-2018-10963)
CVE_2018-12900 is open
CVE_2018-14373 is open
CVE_2018-14374 is open
CVE_2018-14375 is open
CVE_2018-14378 is open
TEMP-0846838-9738BD is open

4.0.3-12.3+deb8u6 (Mon, 02 Jul 2018 13:04:59 +0200)
* Non-maintainer upload by the LTS team.
* Fix CVE-2017-11613: DoS vulnerability
  A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If the value of td_imagelength is set close to the amount of system memory, it will hang the system or trigger the OOM killer.
* Fix CVE-2018-10963: DoS vulnerability
  The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.
* Fix CVE-2018-5784: DoS vulnerability
  In LibTIFF, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.
* Fix CVE-2018-7456: NULL Pointer Dereference
  A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
* Fix CVE-2018-8905: Heap-based buffer overflow
  In LibTIFF, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.
* CVE-2017-11613 libtiff: Memory leak via corrupt td_imagelength in TIFFOpen function (CVE-2017-11613)
* CVE-2018-5784 libtiff: uncontrolled resource consumption in TIFFSetDirectory function in tif_dir.c (CVE-2018-5784)
* CVE-2018-7456 libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes a denial of service (CVE-2018-7456)
* CVE-2018-8905 libtiff: heap-based buffer overflow in tif_lzw.c:LZWDecodeCompat() allows for denial of service (CVE-2018-8905)
* CVE-2018-10963 libtiff: reachable assertion in TIFFWriteDirectorySec function in tif_dirwrite.c (CVE-2018-10963)
CVE_2018-15209 is open
* CVE-2017-18013 libtiff: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes crash (CVE-2017-18013)
* CVE-2017-13726 libtiff: Reachable assertion abort in the function TIFFWriteDirectorySec() (CVE-2017-13726)
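A pre-parse check in the spirit of the two input-validation gaps described above (CVE-2018-5784: declared directory entry count versus what the file actually holds; CVE-2017-11613: unchecked ImageLength feeding an allocation). This is an added example, not libtiff's or Debian's patch; `tiff_preflight`, the return codes, the `max_rows` policy cap and the sample bytes are assumptions made for illustration, and it covers only the first IFD of a classic (non-BigTIFF) file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TIFF_OK, TIFF_BAD_HEADER, TIFF_BAD_IFD, TIFF_TOO_LARGE };

/* Read an n-byte integer in the byte order the header declared. */
static uint32_t rd(const uint8_t *p, int n, int big) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << 8 * (big ? n - 1 - i : i);
    return v;
}

/* Pre-flight check of the first IFD of a classic TIFF held in buf[0..len).
 * max_rows is a caller-chosen policy cap (assumption of this example),
 * applied to ImageLength before any decoder sizes an allocation from it. */
int tiff_preflight(const uint8_t *buf, size_t len, uint32_t max_rows) {
    if (len < 8) return TIFF_BAD_HEADER;
    int big = (buf[0] == 'M' && buf[1] == 'M');
    if (!big && !(buf[0] == 'I' && buf[1] == 'I')) return TIFF_BAD_HEADER;
    if (rd(buf + 2, 2, big) != 42) return TIFF_BAD_HEADER;

    size_t ifd = rd(buf + 4, 4, big);
    if (ifd > len - 2) return TIFF_BAD_IFD;   /* count field must fit */
    size_t count = rd(buf + ifd, 2, big);
    /* Declared entries (12 bytes each) plus the next-IFD offset must exist. */
    if (count == 0 || count * 12 + 4 > len - ifd - 2) return TIFF_BAD_IFD;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12;
        uint32_t tag = rd(e, 2, big), type = rd(e + 2, 2, big);
        if (tag != 257) continue;             /* 257 = ImageLength */
        /* SHORT (type 3) values are left-justified in the value field. */
        uint32_t rows = (type == 3) ? rd(e + 8, 2, big) : rd(e + 8, 4, big);
        if (rows > max_rows) return TIFF_TOO_LARGE;
    }
    return TIFF_OK;
}

/* Constructed sample: little-endian header, one entry, ImageLength = 4096. */
static uint8_t sample[26] = { 'I','I',42,0, 8,0,0,0, 1,0,
    1,1, 4,0, 1,0,0,0, 0x00,0x10,0,0, 0,0,0,0 };

int main(void) {
    printf("cap 65536 -> %d\n", tiff_preflight(sample, sizeof sample, 65536));
    printf("cap 1000  -> %d\n", tiff_preflight(sample, sizeof sample, 1000));
    return 0;
}
```

Running a check like this in front of tools that call TIFFOpen on untrusted uploads rejects files whose directory claims more entries than the file contains, or whose row count exceeds local policy, before the library allocates anything.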
Comment 1 Quality Assurance univentionstaff 2018-08-09 18:44:02 CEST
--- mirror/ftp/4.2/unmaintained/4.2-4/source/tiff_4.0.3-12.3+deb8u5.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/tiff_4.0.3-12.3+deb8u6.dsc
@@ -1,3 +1,36 @@
+4.0.3-12.3+deb8u6 [Mon, 02 Jul 2018 13:04:59 +0200] Markus Koschany <apo@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2017-11613: DoS vulnerability
+    A crafted input will lead to a denial of service attack. During the
+    TIFFOpen process, td_imagelength is not checked. The value of
+    td_imagelength can be directly controlled by an input file. In the
+    ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is
+    called based on td_imagelength. If  the value of td_imagelength is set close
+    to the amount of system memory, it will hang the system or trigger the OOM
+    killer. (Closes: #869823)
+  * Fix CVE-2018-10963: DoS vulnerability
+    The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF allows
+    remote attackers to cause a denial of service (assertion failure and
+    application crash) via a crafted file, a different vulnerability than
+    CVE-2017-13726. (Closes: #898348)
+  * Fix CVE-2018-5784: DoS vulnerability
+    In LibTIFF, there is an uncontrolled resource consumption in the
+    TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage
+    this vulnerability to cause a denial of service via a crafted tif file.
+    This occurs because the declared number of directory entries is not
+    validated against the actual number of directory entries. (Closes: #890441)
+  * Fix CVE-2018-7456: NULL Pointer Dereference
+    A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in
+    tif_print.c in LibTIFF when using the tiffinfo tool to print crafted
+    TIFF information, a different vulnerability than CVE-2017-18013. (This
+    affects an earlier part of the TIFFPrintDirectory function that was not
+    addressed by the CVE-2017-18013 patch.) (Closes: #891288)
+  * Fix CVE-2018-8905: Heap-based buffer overflow
+    In LibTIFF, a heap-based buffer overflow occurs in the function
+    LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by
+    tiff2ps. (Closes: #893806)
+
 4.0.3-12.3+deb8u5 [Fri, 26 Jan 2018 20:53:45 +0000] Moritz Muehlenhoff <jmm@debian.org>:
 
   [ Laszlo Boszormenyi (GCS) ]
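Review bot: The five "Fix CVE-..." entries in the new 4.0.3-12.3+deb8u6 block, from "Fix CVE-2017-11613" down to "Fix CVE-2018-8905", each restate the vulnerability but none says what the patch changes, so a reader of this changelog cannot tell, for example, whether td_imagelength is now bounded or whether large legitimate images are rejected after the update. Suggest adding one line per entry naming the applied patch or the new behaviour. Minor: "If  the value of td_imagelength" in the CVE-2017-11613 entry has a doubled space.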

<http://10.200.17.11/4.2-4/#573244148462271962>
Comment 2 Philipp Hahn univentionstaff 2018-08-10 10:11:29 CEST
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] 77d8f20131 Bug #47545: tiff 4.0.3-12.3+deb8u6
 doc/errata/staging/tiff.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.2-4] 5984f1fcdb Bug #47545: tiff 4.0.3-12.3+deb8u6
 doc/errata/staging/tiff.yaml | 52 +++++++++++++-------------------------------
 1 file changed, 15 insertions(+), 37 deletions(-)

[4.2-4] 24aa828c58 Bug #47545: tiff 4.0.3-12.3+deb8u6
 doc/errata/staging/tiff.yaml | 53 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-15 16:20:37 CEST
<http://errata.software-univention.de/ucs/4.2/483.html>