Oracle Linux 8 : mingw-libtiff (ELSA-2025-19906)

🗓️ 07 Nov 2025 00:00:00Reported by TenableType

Oracle Linux 8 mingw-libtiff fixes multiple CVEs per ELSA-2025-19906.

Reporter	Title	Published	Views	Family All 3354
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in LibTIFF	17 Dec 202104:20	–	ibm
IBM Security Bulletins	Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for July 2025.	7 Aug 202508:58	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in Cloud Pak foundational services are addressed with IBM Cloud Pak for Business Automation 24.0.1-IF001	28 Feb 202509:11	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cognos Analytics is affected by multiple vulnerabilities	26 Mar 202504:07	–	ibm
IBM Security Bulletins	Security Bulletin: Gdal vulnerabilities affect IBM Netezza Analytics for NPS	3 Jun 202214:32	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Machine Learning Accelerator for IBM Cloud Pak for Data is affected by multiple vulnerabilities.	19 Feb 202617:06	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)	9 Dec 202515:01	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in CloudPak for AIOps	26 Mar 202504:06	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in kernel affects IBM Netezza Appliance	23 Apr 202610:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities	27 Jan 202100:05	–	ibm

Source	Link
linux	www.linux.oracle.com/errata/ELSA-2025-19906.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2025-19906.
##

include('compat.inc');

if (description)
{
  script_id(274520);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/07");

  script_cve_id("CVE-2025-8176", "CVE-2025-9900");

  script_name(english:"Oracle Linux 8 : mingw-libtiff (ELSA-2025-19906)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2025-19906 advisory.

    - Fix CVE-2018-5784 CVE-2018-7456 CVE-2017-9935 CVE-2017-9935
    - Fix CVE-2017-18013 CVE-2018-8905 CVE-2018-10963 CVE-2018-17100
    - Fix CVE-2018-18557 CVE-2018-18661 (RHBZ #1602597) CVE-2018-12900
    - Fix CVE-2019-14973 CVE-2019-17546 CVE-2020-35521 CVE-2020-35522
    - Fix CVE-2020-35523 CVE-2020-35524 CVE-2020-19131 CVE-2022-0561
    - Fix CVE-2022-0562 CVE-2022-22844 CVE-2022-0865 CVE-2022-0891
    - Fix CVE-2022-0924 CVE-2022-0909 CVE-2022-0908 CVE-2022-1355
    - Fix CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2867
    - Fix CVE-2022-2868 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521
    - Fix CVE-2022-2953 CVE-2022-3597 CVE-2022-3626 CVE-2022-3627
    - Fix CVE-2022-3970 CVE-2022-48281 CVE-2023-0800 CVE-2023-0801
    - Fix CVE-2023-0802 CVE-2023-0803 CVE-2022-3599 CVE-2018-15209
    - Fix CVE-2023-25433 CVE-2023-52356 CVE-2023-6228 CVE-2017-17095
    - Fix CVE-2024-7006
    - Fix CVE-2025-9900
      Resolves: RHEL-112538

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2025-19906.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-8176");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/07/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mingw32-libtiff");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mingw32-libtiff-static");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mingw64-libtiff");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:mingw64-libtiff-static");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_product)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
if (! preg(pattern:"^8([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'Oracle Linux 8.x', 'Oracle Linux ' + os_version);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);

var constraints = [
  {
    'release': '8',
    'pkgs': [
      {'reference':'mingw32-libtiff-4.0.9-3.el8_10', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mingw32-libtiff-static-4.0.9-3.el8_10', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mingw64-libtiff-4.0.9-3.el8_10', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'mingw64-libtiff-static-4.0.9-3.el8_10', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'mingw32-libtiff / mingw32-libtiff-static / mingw64-libtiff / etc');
}

07 Nov 2025 00:00Current

6.7Medium risk

Vulners AI Score6.7

CVSS 24.3 - 6.8

CVSS 35.3 - 8.8

CVSS 3.18.8

CVSS 44.8

EPSS0.23568

SSVC