[3.4] tiff: Multiple vulnerabilities (CVE-2016-9273, CVE-2016-9297, CVE-2016-9448, CVE-2016-9453)
CVE-2016-9273: heap-buffer-overflow in cpStrips
Reference:
http://bugzilla.maptools.org/show_bug.cgi?id=2587
http://libtiff.maptools.org/v4.0.7.html
CVE-2016-9297: segfault in _TIFFPrintField
Reference:
http://bugzilla.maptools.org/show_bug.cgi?id=2590
CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag
The fix for CVE-2016-9297 introduced this issue.
References:
http://bugzilla.maptools.org/show_bug.cgi?id=2593
http://seclists.org/oss-sec/2016/q4/464
CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf
Affected: <=4.0.6
Fixed in: >=4.0.7
http://bugzilla.maptools.org/show_bug.cgi?id=2579
http://libtiff.maptools.org/v4.0.7.html
References (from redmine: issue id 6665, created on 2017-01-10, closed on 2017-01-23):
- Relations:
  - parent #6664 (closed)
- Changesets:
  - Revision e4001acb by Sergei Lukin on 2017-01-13T07:16:06Z:
main/tiff: security upgrade to 4.0.7 - fixes #6665
Fixes:
CVE-2016-9273: heap-buffer-overflow in cpStrips
CVE-2016-9297: segfault in _TIFFPrintField
CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag
CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf
CVE-2016-3186: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
CVE-2016-3621: Out-of-bounds Read in the bmp2tiff tool
CVE-2016-3622: Divide By Zero in the tiff2rgba tool
CVE-2016-3623, CVE-2016-3624: Divide By Zero in the rgb2ycbcr tool
CVE-2016-3625: Out-of-bounds Read in the tiff2bw tool
CVE-2016-3658, CVE-2014-8127: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c
CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317: PixarLogDecode() out-of-bound writes
CVE-2016-5320, CVE-2016-5875: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
Bugzilla supposes that CVE-2016-5320 is a duplicate of CVE-2016-5314 (https://bugs.alpinelinux.org/issues/6661), which was fixed in tiff 4.0.7 (http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1)
CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function
CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function
CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow
TODO:
CVE-2016-5318: Memory corruption in _TIFFVGetField (thumbnail)
still remains unfixed (http://bugzilla.maptools.org/show_bug.cgi?id=2561);
because of that, #6661 could not be marked as fixed
Comments:
4.0.7 contains lots of fixes:
http://libtiff.maptools.org/v4.0.7.html
https://fossies.org/diffs/tiff/4.0.6_vs_4.0.7/ChangeLog-diff.html
There is only one major change mentioned: The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and ycbcr are completely removed from the distribution. These tools were written in the late 1980s and early 1990s for test and demonstration purposes. In some cases the tools were never updated to support updates to the file format, or the file formats are now rarely used. In all cases these tools increased the libtiff security and maintenance exposure beyond the value offered by the tool.
http://libtiff.maptools.org/v4.0.7.html
Patches: CVE-2015-7554.patch, CVE-2015-8665.patch, CVE-2015-8668.patch, CVE-2015-8781-8782-8783.patch, CVE-2015-8784.patch, CVE-2016-3632.patch, CVE-2016-3945.patch, CVE-2016-3990.patch, CVE-2016-3991.patch
are no longer needed, because these issues were fixed upstream in 4.0.7