[3.1] tiff: Several vulnerabilities (CVE-2015-7554, CVE-2015-8668, CVE-2016-3945, CVE-2016-3632, CVE-2016-3990, CVE-2016-3991)
CVE-2015-7554: invalid write
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows
attackers to cause a denial of service
(invalid memory write and crash) or possibly have unspecified other
impact via crafted field data in an extension tag in a TIFF image.
References:
http://seclists.org/bugtraq/2015/Dec/137
http://www.openwall.com/lists/oss-security/2015/12/26/7
CVE-2015-8668: OOB read in bmp2tiff
Heap-based buffer overflow in the PackBitsPreEncode function in
tif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier
allows remote attackers to execute arbitrary code or cause a denial of
service via a large width field in a BMP image.
Reference:
http://seclists.org/bugtraq/2015/Dec/138
CVE-2016-3945: out-of-bounds write in the tiff2rgba tool
When tiff2rgba in libtiff 4.0.6 handles a malicious TIFF file (width=8388640,
height=31) with the -b parameter set, an illegal write occurs.
The vulnerability exists in the function cvt_by_strip (and also in
cvt_by_tile), which does not check the result of the buffer allocation.
An attacker may control the write address and/or value, resulting in
denial of service or command execution.
Reference:
http://seclists.org/oss-sec/2016/q2/30
CVE-2016-3632: out-of-bounds write in _TIFFVGetField function
An out-of-bounds write vulnerability was found in the _TIFFVGetField function
in tif_dirinfo.c, allowing an attacker to cause
a denial of service or command execution via a crafted TIFF image.
Reference:
http://seclists.org/oss-sec/2016/q2/33
CVE-2016-3990: out-of-bounds write in horizontalDifference8()
An out-of-bounds write flaw was found in libtiff v4.0.6 when using the
tiffcp command to handle a malicious TIFF file.
The vulnerability exists in the function horizontalDifference8().
An attacker could control the header data of the next heap chunk, which
contains the pre_size and size fields, resulting in DoS or potential code
execution.
Reference:
http://seclists.org/oss-sec/2016/q2/57
CVE-2016-3991: out-of-bounds write in loadImage() function
An out-of-bounds write vulnerability caused by a heap overflow was found in
the libtiff library when using the tiffcrop tool.
The vulnerability is in the loadImage() function in tiffcrop.c. loadImage()
reads the number of tiles by calling TIFFNumberOfTiles().
References:
http://www.openwall.com/lists/oss-security/2016/04/12/3
http://bugzilla.maptools.org/show_bug.cgi?id=2543
CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
A maliciously crafted TIFF file could cause the application to crash or even enable RCE on a vulnerable machine when using the rgb2ycbcr command.
Reference:
http://seclists.org/oss-sec/2016/q2/551
(from redmine: issue id 6013, created on 2016-08-05, closed on 2017-09-05)
- Relations:
- parent #6008 (closed)