[3.5] tiff: Multiple vulnerabilities (CVE-2017-7592, CVE-2017-7593, CVE-2017-7594, CVE-2017-7595, CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599, CVE-2017-7600, CVE-2017-7601, CVE-2017-7602)
CVE-2017-7592: Left shift of unsigned char without a cast
The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a
left-shift undefined behavior issue, which might allow remote
attackers to cause a denial of service (application crash) or possibly
have unspecified other impact via a crafted image.
References:
http://bugzilla.maptools.org/show_bug.cgi?id=2658
https://nvd.nist.gov/vuln/detail/CVE-2017-7592
Patch:
https://github.com/vadz/libtiff/commit/48780b4fcc425cddc4ef8ffdf536f96a0d1b313b
CVE-2017-7593: tif_rawdata not properly initialized in tif_read.c
tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is
properly initialized, which might allow remote
attackers to obtain sensitive information from process memory via a
crafted image.
References:
http://bugzilla.maptools.org/show_bug.cgi?id=2651
http://openwall.com/lists/oss-security/2017/04/10/2
https://nvd.nist.gov/vuln/detail/CVE-2017-7593
Patch:
https://github.com/vadz/libtiff/commit/d60332057b9575ada4f264489582b13e30137be1
CVE-2017-7594: Direct leak in tif_ojpeg.c
The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in
LibTIFF 4.0.7 allows remote attackers
to cause a denial of service (memory leak) via a crafted image.
References:
http://bugzilla.maptools.org/show_bug.cgi?id=2659
http://openwall.com/lists/oss-security/2017/04/10/3
https://nvd.nist.gov/vuln/detail/CVE-2017-7594
Patches:
https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b
https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1
CVE-2017-7595: Divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)
The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows
remote attackers to cause a
denial of service (divide-by-zero error and application crash) via a
crafted image.
References:
http://openwall.com/lists/oss-security/2017/04/10/4
Patch:
https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122
CVE-2017-7596: Float out of range issue in tif_dir.c
LibTIFF 4.0.7 has an “outside the range of representable values of type
float” undefined behavior issue,
which might allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
crafted image.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-7596
http://openwall.com/lists/oss-security/2017/04/10/5
Patch:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
CVE-2017-7597: Float out of range issue in tif_dirread.c
tif_dirread.c in LibTIFF 4.0.7 has an “outside the range of
representable values of type float” undefined behavior issue, which
might allow
remote attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted image.
References:
http://openwall.com/lists/oss-security/2017/04/10/5
Patch:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
CVE-2017-7598: tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted image.
References:
http://openwall.com/lists/oss-security/2017/04/10/5
Patch:
https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8
CVE-2017-7599: Unsigned short out of range in tif_dirwrite.c
LibTIFF 4.0.7 has an “outside the range of representable values of type
short” undefined behavior issue,
which might allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
crafted image.
References:
http://openwall.com/lists/oss-security/2017/04/10/5
Patch:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
CVE-2017-7600: Unsigned char out of range in tif_dirwrite.c
LibTIFF 4.0.7 has an “outside the range of representable values of type
unsigned char” undefined behavior issue,
which might allow remote attackers to cause a denial of service
(application crash) or possibly have unspecified other impact via a
crafted image.
References:
http://openwall.com/lists/oss-security/2017/04/10/5
Patch:
https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490
CVE-2017-7601: Signed integer overflow in tif_jpeg.c
LibTIFF 4.0.7 has a “shift exponent too large for 64-bit type long”
undefined behavior issue, which might allow remote attackers
to cause a denial of service (application crash) or possibly have
unspecified other impact via a crafted image.
References:
http://openwall.com/lists/oss-security/2017/04/10/5
Patch:
https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490
CVE-2017-7602: Signed integer overflow in tif_read.c
LibTIFF 4.0.7 has a signed integer overflow, which might allow remote
attackers to cause
a denial of service (application crash) or possibly have unspecified
other impact via a crafted image.
References:
http://openwall.com/lists/oss-security/2017/04/10/5
Patch:
https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4
(from redmine: issue id 7119, created on 2017-04-12, closed on 2017-05-02)
- Relations:
- parent #7117 (closed)
- Changesets:
- Revision 4a95ad60 on 2017-04-26T07:20:55Z:
main/tiff: security fixes #7119
CVE-2017-7592, CVE-2017-7593, CVE-2017-7594, CVE-2017-7595, CVE-2017-7596,
CVE-2017-7598, CVE-2017-7601, CVE-2017-7602
CVE-2017-7597, CVE-2017-7599, CVE-2017-7600 are already included in upstream release