[3.8] tiff: Multiple vulnerabilities (CVE-2017-9935, CVE-2017-11613, CVE-2018-10963)
CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
CVE-2017-11613: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.
CVE-2018-10963: A flaw was found in LibTIFF through 4.0.9. The TIFFWriteDirectorySec() function in tif_dirwrite.c allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file.
(from redmine: issue id 9163, created on 2018-07-31, closed on 2018-08-02)
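
The CVE-2017-11613 description above comes down to sizing an allocation from a file-controlled length without comparing it to the file itself. The following is an added example, not libtiff's code or the patch applied in this issue: it splits a single uncompressed strip into smaller ones only after checking that the file can hold the declared rows. The names build_strip_table, strip_table and TARGET_STRIP_BYTES are hypothetical, and it assumes uncompressed data, so each row occupies row_bytes bytes in the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TARGET_STRIP_BYTES 8192u /* assumed size each chopped strip aims for */
/* Hypothetical per-strip bookkeeping; not libtiff's own structures. */
typedef struct { uint64_t *offsets, *bytecounts, nstrips; } strip_table;

/* Split one uncompressed strip into strips of about TARGET_STRIP_BYTES.
 * image_length, row_bytes and strip_offset are read from the file header;
 * file_size comes from the OS. Returns 0 on success, -1 on rejection. */
int build_strip_table(uint32_t image_length, uint64_t row_bytes,
                      uint64_t strip_offset, uint64_t file_size,
                      strip_table *out)
{
    out->offsets = out->bytecounts = NULL;
    out->nstrips = 0;
    if (image_length == 0 || row_bytes == 0 || strip_offset >= file_size)
        return -1;
    /* Every declared row must exist in the file. Dividing instead of
     * multiplying avoids overflow in image_length * row_bytes. */
    if (image_length > (file_size - strip_offset) / row_bytes)
        return -1;

    uint64_t rows_per_strip = TARGET_STRIP_BYTES / row_bytes;
    if (rows_per_strip == 0) rows_per_strip = 1;
    uint64_t n = (image_length + rows_per_strip - 1) / rows_per_strip;
    out->offsets = calloc(n, sizeof *out->offsets);
    out->bytecounts = calloc(n, sizeof *out->bytecounts);
    if (!out->offsets || !out->bytecounts) {
        free(out->offsets); free(out->bytecounts);
        out->offsets = out->bytecounts = NULL;
        return -1;
    }
    for (uint64_t i = 0, row = 0; i < n; i++, row += rows_per_strip) {
        uint64_t rows = image_length - row;
        if (rows > rows_per_strip) rows = rows_per_strip;
        out->offsets[i] = strip_offset + row * row_bytes;
        out->bytecounts[i] = rows * row_bytes;
    }
    out->nstrips = n;
    return 0;
}

int main(void)
{
    strip_table t; /* constructed header: 2^32-1 rows declared in a 1 MiB file */
    printf("%d\n", build_strip_table(0xFFFFFFFFu, 1, 8, 1u << 20, &t));
    return 0;
}
```

With this check the allocation is bounded by the real file size rather than by the declared image length.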
- Revision 6659caf6 by Natanael Copa on 2018-08-01T12:06:26Z:
  main/tiff: various security fixes
  - CVE-2017-9935
  - CVE-2017-11613
  - CVE-2017-17095
  - CVE-2018-10963
  fixes #8240
  fixes #9163