Vulners
Lucene search
TencentOS Server 4: libtiff (TSSA-2024:0785)
10
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2024:0785.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(240052);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/11/20");
script_cve_id(
"CVE-2022-2056",
"CVE-2022-2057",
"CVE-2022-2058",
"CVE-2022-2519",
"CVE-2022-2520",
"CVE-2022-2521",
"CVE-2022-2953",
"CVE-2022-34526",
"CVE-2022-3570",
"CVE-2022-3597",
"CVE-2022-3598",
"CVE-2022-3599",
"CVE-2022-3626",
"CVE-2022-3627",
"CVE-2022-3970",
"CVE-2022-40090",
"CVE-2022-4645",
"CVE-2022-48281",
"CVE-2023-0795",
"CVE-2023-0796",
"CVE-2023-0797",
"CVE-2023-0798",
"CVE-2023-0799",
"CVE-2023-0800",
"CVE-2023-0801",
"CVE-2023-0802",
"CVE-2023-0803",
"CVE-2023-0804",
"CVE-2023-25433",
"CVE-2023-25434",
"CVE-2023-25435",
"CVE-2023-26965",
"CVE-2023-26966",
"CVE-2023-2731",
"CVE-2023-2908",
"CVE-2023-30086",
"CVE-2023-30774",
"CVE-2023-30775",
"CVE-2023-3316",
"CVE-2023-3576",
"CVE-2023-3618",
"CVE-2023-40745",
"CVE-2023-41175"
);
script_name(english:"TencentOS Server 4: libtiff (TSSA-2024:0785)");
script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 4 host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0785 advisory.
Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:
CVE-2023-40745:
LibTIFF is vulnerable to an integer overflow. This flaw allows remote attackers to cause a denial of
service (application crash) or possibly execute an arbitrary code via a crafted tiff image, which triggers
a heap-based buffer overflow.
CVE-2023-41175:
A vulnerability was found in libtiff due to multiple potential integer overflows in raw2tiff.c. This flaw
allows remote attackers to cause a denial of service or possibly execute an arbitrary code via a crafted
tiff image, which triggers a heap-based buffer overflow.
CVE-2023-0796:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3592, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit afaabc3e.
CVE-2023-0802:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3724, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit 33aee127.
CVE-2023-0804:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3609, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit 33aee127.
CVE-2023-0801:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_unix.c:368, invoked by
tools/tiffcrop.c:2903 and tools/tiffcrop.c:6778, allowing attackers to cause a denial-of-service via a
crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 33aee127.
CVE-2023-0795:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3488, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit afaabc3e.
CVE-2023-0798:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit afaabc3e.
CVE-2023-0797:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_unix.c:368, invoked by
tools/tiffcrop.c:2903 and tools/tiffcrop.c:6921, allowing attackers to cause a denial-of-service via a
crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
CVE-2022-48281:
processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g.,
WRITE of size 307203) via a crafted TIFF image.
CVE-2023-0800:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3502, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit 33aee127.
CVE-2023-0803:
LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop.c:3516, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit 33aee127.
CVE-2023-0799:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3701, allowing attackers to cause
a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit afaabc3e.
CVE-2022-3970:
A vulnerability was found in LibTIFF. It has been classified as critical. This affects the function
TIFFReadRGBATileExt of the file libtiff/tif_getimage.c. The manipulation leads to integer overflow. It is
possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
The name of the patch is 227500897dfb07fb7d27f7aa570050e62617e3be. It is recommended to apply a patch to
fix this issue. The identifier VDB-213549 was assigned to this vulnerability.
CVE-2022-2519:
There is a double free or corruption in rotateImage() at tiffcrop.c:8839 found in libtiff 4.4.0rc1
CVE-2022-4645:
LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948, allowing attackers to cause a
denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is
available with commit e8131125.
CVE-2022-2521:
It was found in libtiff 4.4.0rc1 that there is an invalid pointer free operation in TIFFClose() at
tif_close.c:131 called by tiffcrop.c:2522 that can cause a program crash and denial of service while
processing crafted input.
CVE-2022-3599:
LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools/tiffcrop.c:7345, allowing attackers
to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix
is available with commit e8131125.
CVE-2022-3570:
Multiple heap buffer overflows in tiffcrop.c utility in libtiff library Version 4.4.0 allows attacker to
trigger unsafe or out of bounds memory access via crafted TIFF image file which could result into
application crash, potential information disclosure or any other context-dependent impact
CVE-2022-3598:
LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifted24bits in tools/tiffcrop.c:3604,
allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff
from sources, the fix is available with commit cfbb883b.
CVE-2022-3626:
LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif_unix.c:340 when called from
processCropSelections, tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service via a
crafted tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.
CVE-2022-40090:
An issue was discovered in function TIFFReadDirectory libtiff before 4.4.0 allows attackers to cause a
denial of service via crafted TIFF file.
CVE-2022-3627:
LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from
extractImageSection, tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service via a crafted
tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.
CVE-2022-2520:
A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion fail in rotateImage() at
tiffcrop.c:8621 that can cause program crash when reading a crafted input.
CVE-2022-2058:
Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a
crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVE-2022-34526:
A stack overflow was discovered in the _TIFFVGetField function of Tiffsplit v4.4.0. This vulnerability
allows attackers to cause a Denial of Service (DoS) via a crafted TIFF file parsed by the tiffsplit or
tiffcrop utilities.
CVE-2022-2953:
LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tools/tiffcrop.c:6905, allowing
attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from
sources, the fix is available with commit 48d6ece8.
CVE-2022-2057:
Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a
crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVE-2022-2056:
Divide By Zero error in tiffcrop in libtiff 4.4.0 allows attackers to cause a denial-of-service via a
crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f3a5e010.
CVE-2022-3597:
LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif_unix.c:346 when called from
extractImageSection, tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service via a crafted
tiff file. For users that compile libtiff from sources, the fix is available with commit 236b7191.
CVE-2023-30086:
Buffer Overflow vulnerability found in Libtiff V.4.0.7 allows a local attacker to cause a denial of
service via the tiffcp function in tiffcp.c.
CVE-2023-30774:
A vulnerability was found in the libtiff library. This flaw causes a heap buffer overflow issue via the
TIFFTAG_INKNAMES and TIFFTAG_NUMBEROFINKS values.
CVE-2023-30775:
A vulnerability was found in the libtiff library. This security flaw causes a heap buffer overflow in
extractContigSamples32bits, tiffcrop.c.
CVE-2023-25435:
libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at
/libtiff/tools/tiffcrop.c:3753.
CVE-2023-2908:
A null pointer dereference issue was found in Libtiff/'s tif_dir.c file. This issue may allow an attacker
to pass a crafted TIFF image file to the tiffcp utility which triggers a runtime error that causes
undefined behavior. This will result in an application crash, eventually leading to a denial of service.
CVE-2023-3618:
A flaw was found in libtiff. A specially crafted tiff file can lead to a segmentation fault due to a
buffer overflow in the Fax3Encode function in libtiff/tif_fax3.c, resulting in a denial of service.
CVE-2023-3316:
A NULL pointer dereference in TIFFClose() is caused by a failure to open an output file (non-existent path
or a path that requires permissions like /dev/null) while specifying zones.
CVE-2023-25434:
libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesBytes() at
/libtiff/tools/tiffcrop.c:3215.
CVE-2023-26966:
libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when libtiff reads a corrupted little-endian
TIFF file and specifies the output to be big-endian.
CVE-2023-3576:
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue occurs when tiffcrop operates on a
TIFF image file, allowing an attacker to pass a crafted TIFF image file to tiffcrop utility, which causes
this memory leak issue, resulting an application crash, eventually leading to a denial of service.
CVE-2023-2731:
A NULL pointer dereference flaw was found in Libtiff/'s LZWDecode() function in the libtiff/tif_lzw.c
file. This flaw allows a local attacker to craft specific input data that can cause the program to
dereference a NULL pointer when decompressing a TIFF format file, resulting in a program crash or denial
of service.
CVE-2023-26965:
loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based use after free via a crafted
TIFF image.
CVE-2023-25433:
libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiffcrop.c:8499. Incorrect updating of
buffer size after rotateImage() in tiffcrop cause heap-buffer-overflow and SEGV.
Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20240785.xml");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-2058");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-25434");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/11/13");
script_set_attribute(attribute:"patch_publication_date", value:"2024/11/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:4");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:libtiff");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tencent Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl");
script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");
exit(0);
}
include('rpm2.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^4([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 4.x', 'TencentOS ' + os_version);
if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);
var constraints = [
{
'release': '4',
'pkgs': [
{'reference':'libtiff-4.6.0-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-4.6.0-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-debuginfo-4.6.0-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-debuginfo-4.6.0-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-debugsource-4.6.0-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-debugsource-4.6.0-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-devel-4.6.0-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-devel-4.6.0-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-static-4.6.0-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-static-4.6.0-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-tools-4.6.0-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-tools-4.6.0-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-tools-debuginfo-4.6.0-1.tl4', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
{'reference':'libtiff-tools-debuginfo-4.6.0-1.tl4', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
]
}
];
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
# Check that the target release is equal to the affected release
if (!empty_or_null(constraint['release'])){
if (constraint['release'] != os_release) continue;
}
if (!empty_or_null(constraint['sp'])){
if (constraint['sp'] != os_sp) continue;
}
foreach var pkg ( constraint['pkgs'] ) {
reference = NULL;
sp = NULL;
_cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
epoch = NULL;
allowmaj = NULL;
exists_check = NULL;
cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
## (no known rpm to check OR known rpm_exists)
(!exists_check || rpm_exists(rpm:exists_check)) &&
rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libtiff / libtiff-debuginfo / libtiff-debugsource / etc');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Nov 2025 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 24.3
CVSS 3.18.8
EPSS0.00282
SSVC