MiracleLinux 7 : libtiff-4.0.3-27.el7 (AXSA:2017-1282:01)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2017-1282:01.
##

include('compat.inc');

if (description)
{
  script_id(291585);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/19");

  script_cve_id(
    "CVE-2015-8870",
    "CVE-2016-5652",
    "CVE-2016-9533",
    "CVE-2016-9534",
    "CVE-2016-9535",
    "CVE-2016-9536",
    "CVE-2016-9537",
    "CVE-2016-9540"
  );

  script_name(english:"MiracleLinux 7 : libtiff-4.0.3-27.el7 (AXSA:2017-1282:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2017-1282:01 advisory.

    The libtiff package contains a library of functions for manipulating
    TIFF (Tagged Image File Format) image format files.  TIFF is a widely
    used file format for bitmapped images.  TIFF files usually end in the
    .tif extension and they are often quite large.
    The libtiff package should be installed if you need to manipulate TIFF
    format image files.
    Security issues fixed with this release:
    CVE-2015-8870
    Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows
    remote attackers to cause a denial of service (heap-based buffer
    over-read), or possibly obtain sensitive information from process
    memory, via crafted width and length values in RLE4 or RLE8 data in a
    BMP file.
    CVE-2016-5652
    An exploitable heap-based buffer overflow exists in the handling of
    TIFF images in LibTIFF's TIFF2PDF tool. A crafted TIFF document can
    lead to a heap-based buffer overflow resulting in remote code
    execution. Vulnerability can be triggered via a saved TIFF file
    delivered by other means.
    CVE-2016-9533
    tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities
    in heap allocated buffers. Reported as MSVR 35094, aka PixarLog
    horizontalDifference heap-buffer-overflow.
    CVE-2016-9534
    tif_write.c in libtiff 4.0.6 has an issue in the error code path of
    TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members.
    Reported as MSVR 35095, aka TIFFFlushData1 heap-buffer-overflow.
    CVE-2016-9535
    tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that
    can lead to assertion failures in debug mode, or buffer overflows in
    release mode, when dealing with unusual tile size like YCbCr with
    subsampling. Reported as MSVR 35105, aka Predictor
    heap-buffer-overflow.
    CVE-2016-9536
    tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds write
    vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip().
    Reported as MSVR 35098, aka t2p_process_jpeg_strip
    heap-buffer-overflow.
    CVE-2016-9537
    tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write
    vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and
    MSVR 35097.
    CVE-2016-9540
    tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled
    images with odd tile width versus image width. Reported as MSVR 35103,
    aka cpStripToTile heap-buffer-overflow.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/7714");
  script_set_attribute(attribute:"solution", value:
"Update the affected libtiff and / or libtiff-devel packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9540");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"Moderate");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libtiff");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:libtiff-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'libtiff-4.0.3-27.el7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libtiff-4.0.3-27.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libtiff-devel-4.0.3-27.el7', 'cpu':'i686', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'libtiff-devel-4.0.3-27.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libtiff / libtiff-devel');
}