[SECURITY] [DLA 1094-1] tiff3 security update

2017-09-1002:14:08

lists.debian.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.012 Low

EPSS

Percentile

85.1%

JSON

Package : tiff3
Version : 3.9.6-11+deb7u8
CVE ID : CVE-2017-11335
Debian Bug : 868513

A heap based buffer overflow has been discovered in the tiff2pdf
utility, part of the Tag Image File Format (TIFF) library.

A PlanarConfig=Contig image can cause an out-of-bounds write (related to
the ZIPDecode function). A crafted input may lead to a remote denial of
service attack or an arbitrary code execution attack.

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u8.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: Digital signature

OSVersionArchitecturePackageVersionFilename
Debian7armellibtiff5-dev< 4.0.2-6+deb7u16libtiff5-dev_4.0.2-6+deb7u16_armel.deb
Debian9mipsellibtiff-opengl< 4.0.8-2+deb9u2libtiff-opengl_4.0.8-2+deb9u2_mipsel.deb
Debian9alllibtiff-doc< 4.0.8-2+deb9u2libtiff-doc_4.0.8-2+deb9u2_all.deb
Debian8amd64libtiffxx5< 4.0.3-12.3+deb8u5libtiffxx5_4.0.3-12.3+deb8u5_amd64.deb
Debian9ppc64ellibtiff-tools-dbgsym< 4.0.8-2+deb9u2libtiff-tools-dbgsym_4.0.8-2+deb9u2_ppc64el.deb
Debian9s390xlibtiff5< 4.0.8-2+deb9u2libtiff5_4.0.8-2+deb9u2_s390x.deb
Debian9mips64ellibtiffxx5-dbgsym< 4.0.8-2+deb9u2libtiffxx5-dbgsym_4.0.8-2+deb9u2_mips64el.deb
Debian9i386libtiff-opengl< 4.0.8-2+deb9u2libtiff-opengl_4.0.8-2+deb9u2_i386.deb
Debian7alltiff3< 3.9.6-11+deb7u8tiff3_3.9.6-11+deb7u8_all.deb
Debian8armellibtiffxx5< 4.0.3-12.3+deb8u5libtiffxx5_4.0.3-12.3+deb8u5_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	armel	libtiff5-dev	< 4.0.2-6+deb7u16	libtiff5-dev_4.0.2-6+deb7u16_armel.deb
Debian	9	mipsel	libtiff-opengl	< 4.0.8-2+deb9u2	libtiff-opengl_4.0.8-2+deb9u2_mipsel.deb
Debian	9	all	libtiff-doc	< 4.0.8-2+deb9u2	libtiff-doc_4.0.8-2+deb9u2_all.deb
Debian	8	amd64	libtiffxx5	< 4.0.3-12.3+deb8u5	libtiffxx5_4.0.3-12.3+deb8u5_amd64.deb
Debian	9	ppc64el	libtiff-tools-dbgsym	< 4.0.8-2+deb9u2	libtiff-tools-dbgsym_4.0.8-2+deb9u2_ppc64el.deb
Debian	9	s390x	libtiff5	< 4.0.8-2+deb9u2	libtiff5_4.0.8-2+deb9u2_s390x.deb
Debian	9	mips64el	libtiffxx5-dbgsym	< 4.0.8-2+deb9u2	libtiffxx5-dbgsym_4.0.8-2+deb9u2_mips64el.deb
Debian	9	i386	libtiff-opengl	< 4.0.8-2+deb9u2	libtiff-opengl_4.0.8-2+deb9u2_i386.deb
Debian	7	all	tiff3	< 3.9.6-11+deb7u8	tiff3_3.9.6-11+deb7u8_all.deb
Debian	8	armel	libtiffxx5	< 4.0.3-12.3+deb8u5	libtiffxx5_4.0.3-12.3+deb8u5_armel.deb