ID USN-2939-1 Type ubuntu Reporter Ubuntu Modified 2016-03-23T00:00:00
Description
It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
{"history": [], "description": "It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.", "affectedPackage": [{"OSVersion": "14.04", "OS": "Ubuntu", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "libtiff5", "packageVersion": "4.0.3-7ubuntu0.4"}, {"OSVersion": "15.10", "OS": "Ubuntu", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "libtiff5", "packageVersion": "4.0.3-12.3ubuntu2.1"}, {"OSVersion": "12.04", "OS": "Ubuntu", "arch": "noarch", "operator": "lt", "packageFilename": "UNKNOWN", "packageName": "libtiff4", "packageVersion": "3.9.5-2ubuntu1.9"}], "reporter": "Ubuntu", "href": "https://usn.ubuntu.com/2939-1/", "type": "ubuntu", "hashmap": [{"key": "affectedPackage", "hash": "b46b582e7d25e0b8179afec6e5a3b31a"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "aff9dfe9f4658b61c7e27eec972cfca9"}, {"key": "cvss", "hash": "3873c836ae45fd496c2b40bae50467ed"}, {"key": "description", "hash": "113e20025ea97ce424b931c5b43b7d5b"}, {"key": "href", "hash": "fbbc8f417358a57e0ca5bbf7213a0a5b"}, {"key": "modified", "hash": "e20a1536f6bff4dbc36b3cef61da7717"}, {"key": "published", "hash": "e20a1536f6bff4dbc36b3cef61da7717"}, {"key": "references", "hash": "0d806340e1ea638035869d94bcf7f520"}, {"key": "reporter", "hash": "3d945423f8e9496c429a5d8c65b4604f"}, {"key": "title", "hash": "7aa2dfdbda7c056fbbcb7b5d37f1bdeb"}, {"key": "type", "hash": "1d41c853af58d3a7ae54990ce29417d8"}], "viewCount": 0, "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8781", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8665", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8784", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8683", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8783", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8782"], "lastseen": "2018-03-29T18:20:12", "published": "2016-03-23T00:00:00", "objectVersion": "1.3", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665"], "id": "USN-2939-1", "hash": "a475b4bb895d947f0222062e851c14f2cfa877807b61b3769b261c4e71fee2e2", "modified": "2016-03-23T00:00:00", "title": "LibTIFF vulnerabilities", "edition": 1, "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "bulletinFamily": "unix", "enchantments": {"vulnersScore": 6.8}}
{"result": {"cve": [{"id": "CVE-2015-8783", "type": "cve", "title": "CVE-2015-8783", "description": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.", "published": "2016-02-01T16:59:03", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8783", "cvelist": ["CVE-2015-8783"], "lastseen": "2018-01-05T11:51:56"}, {"id": "CVE-2015-8784", "type": "cve", "title": "CVE-2015-8784", "description": "The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image, as demonstrated by libtiff5.tif.", "published": "2016-04-13T13:59:06", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8784", "cvelist": ["CVE-2015-8784"], "lastseen": "2018-01-05T11:51:56"}, {"id": "CVE-2015-8683", "type": "cve", "title": "CVE-2015-8683", "description": "The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.", "published": "2016-04-13T13:59:05", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8683", "cvelist": ["CVE-2015-8683"], "lastseen": "2018-01-05T11:51:55"}, {"id": "CVE-2015-8781", "type": "cve", "title": "CVE-2015-8781", "description": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.", "published": "2016-02-01T16:59:01", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8781", "cvelist": ["CVE-2015-8781"], "lastseen": "2018-01-05T11:51:55"}, {"id": "CVE-2015-8782", "type": "cve", "title": "CVE-2015-8782", "description": "tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.", "published": "2016-02-01T16:59:02", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8782", "cvelist": ["CVE-2015-8782"], "lastseen": "2018-01-05T11:51:56"}, {"id": "CVE-2015-8665", "type": "cve", "title": "CVE-2015-8665", "description": "tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.", "published": "2016-04-13T13:59:04", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8665", "cvelist": ["CVE-2015-8665"], "lastseen": "2018-01-05T11:51:55"}], "nessus": [{"id": "OPENSUSE-2016-184.NASL", "type": "nessus", "title": "openSUSE Security Update : tiff (openSUSE-2016-184)", "description": "This update for tiff fixes the following issues :\n\n - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:\n Out-of-bounds writes for invalid images (boo#964225)", "published": "2016-02-12T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88704", "cvelist": ["CVE-2015-8783", "CVE-2015-8781", "CVE-2015-8782"], "lastseen": "2017-10-29T13:34:03"}, {"id": "OPENSUSE-2016-179.NASL", "type": "nessus", "title": "openSUSE Security Update : tiff (openSUSE-2016-179)", "description": "This update for tiff fixes the following issues :\n\n - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:\n Out-of-bounds writes for invalid images (boo#964225)", "published": "2016-02-11T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88685", "cvelist": ["CVE-2015-8783", "CVE-2015-8781", "CVE-2015-8782"], "lastseen": "2017-10-29T13:34:36"}, {"id": "SUSE_SU-2016-0353-1.NASL", "type": "nessus", "title": "SUSE SLED11 / SLES11 Security Update : tiff (SUSE-SU-2016:0353-1)", "description": "This update for tiff fixes the following issues :\n\n - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:\n Out-of-bounds writes for invalid images (bsc#964225)\n\n - CVE-2015-7554: Out-of-bounds Write in the thumbnail and tiffcmp tools (bsc#960341)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-02-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88677", "cvelist": ["CVE-2015-8783", "CVE-2015-8781", "CVE-2015-7554", "CVE-2015-8782"], "lastseen": "2017-10-29T13:43:05"}, {"id": "DEBIAN_DLA-405.NASL", "type": "nessus", "title": "Debian DLA-405-1 : tiff security update", "description": "Several security flaws have been found and solved in libtiff, a library that provides support for handling Tag Image File Format (TIFF). These flaws concern out of bounds reads and writes in the LogL16Decode, LogLuvDecode24, LogLuvDecode32, LogLuvDecodeTile, LogL16Encode, LogLuvEncode24, LogLuvEncode32 and NeXTDecode functions.\n\nThese IDs were assigned for the problems: CVE-2015-8781, CVE-2015-8782, CVE-2015-8783 and CVE-2015-8784.\n\nFor Debian 6 'Squeeze', these issues have been fixed in tiff version 3.9.4-5+squeeze14. We recommend you to upgrade your tiff packages.\n\nLearn more about the Debian Long Term Support (LTS) Project and how to apply these updates at: https://wiki.debian.org/LTS/\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-02-01T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88491", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8781", "CVE-2015-8782"], "lastseen": "2018-07-10T05:54:53"}, {"id": "UBUNTU_USN-2939-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : tiff vulnerabilities (USN-2939-1)", "description": "It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-03-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90147", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665"], "lastseen": "2017-10-29T13:44:09"}, {"id": "DEBIAN_DSA-3467.NASL", "type": "nessus", "title": "Debian DSA-3467-1 : tiff - security update", "description": "Several vulnerabilities have been found in tiff, a Tag Image File Format library. Multiple out-of-bounds read and write flaws could cause an application using the tiff library to crash.", "published": "2016-02-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88601", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665"], "lastseen": "2018-07-12T18:03:58"}, {"id": "F5_BIGIP_SOL35155453.NASL", "type": "nessus", "title": "F5 Networks BIG-IP : Multiple LibTIFF vulnerabilities (K35155453)", "description": "CVE-2015-8683\n\nThe putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.\n\nCVE-2015-8665 tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.\n\nCVE-2014-8129 LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c.\n\nCVE-2014-8130 The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.\n\nCVE-2014-8127 LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool.\n\nCVE-2014-9655 The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.\n\nCVE-2015-8781 tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image, a different vulnerability than CVE-2015-8782.\n\nCVE-2015-8782 tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image, a different vulnerability than CVE-2015-8781.\n\nCVE-2015-8783 tif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.\n\nImpact\n\nAn attacker can use specially crafted TIFF files to execute arbitrary code with the limited privileges of the image optimization process.", "published": "2016-11-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=94647", "cvelist": ["CVE-2015-8783", "CVE-2014-8127", "CVE-2015-8683", "CVE-2014-8130", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2014-9655"], "lastseen": "2018-07-12T18:10:19"}, {"id": "SUSE_SU-2016-2271-1.NASL", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : tiff (SUSE-SU-2016:2271-1)", "description": "This update for tiff fixes the following issues :\n\n - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:\n Out-of-bounds writes for invalid images (bsc#964225)\n\n - CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).\n\n - CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat (bsc#987351)\n\n - CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (bsc#984837)\n\n - CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function (bsc#984831)\n\n - CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so (bsc#984842)\n\n - CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (bsc#984808)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-09-12T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=93439", "cvelist": ["CVE-2015-8783", "CVE-2016-5314", "CVE-2016-5316", "CVE-2016-5320", "CVE-2016-3186", "CVE-2015-8781", "CVE-2016-5317", "CVE-2015-8782", "CVE-2016-5875"], "lastseen": "2018-04-08T17:19:47"}, {"id": "OPENSUSE-2016-1089.NASL", "type": "nessus", "title": "openSUSE Security Update : tiff (openSUSE-2016-1089)", "description": "This update for tiff fixes the following issues :\n\n - CVE-2015-8781, CVE-2015-8782, CVE-2015-8783:\n Out-of-bounds writes for invalid images (bsc#964225)\n\n - CVE-2016-3186: Buffer overflow in gif2tiff (bnc#973340).\n\n - CVE-2016-5875: heap-based buffer overflow when using the PixarLog compressionformat (bsc#987351)\n\n - CVE-2016-5316: Out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (bsc#984837)\n\n - CVE-2016-5314: Out-of-bounds write in PixarLogDecode() function (bsc#984831)\n\n - CVE-2016-5317: Out-of-bounds write in PixarLogDecode() function in libtiff.so (bsc#984842)\n\n - CVE-2016-5320: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (bsc#984808) \n\nThis update was imported from the SUSE:SLE-12:Update update project.", "published": "2016-09-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=93585", "cvelist": ["CVE-2015-8783", "CVE-2016-5314", "CVE-2016-5316", "CVE-2016-5320", "CVE-2016-3186", "CVE-2015-8781", "CVE-2016-5317", "CVE-2015-8782", "CVE-2016-5875"], "lastseen": "2018-04-08T17:59:53"}, {"id": "DEBIAN_DLA-880.NASL", "type": "nessus", "title": "Debian DLA-880-1 : tiff3 security update", "description": "tiff3 is affected by multiple issues that can result at least in denial of services of applications using libtiff4. Crafted TIFF files can be provided to trigger: abort() calls via failing assertions, buffer overruns (both in read and write mode).\n\nCVE-2015-8781\n\ntif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds write) via an invalid number of samples per pixel in a LogL compressed TIFF image.\n\nCVE-2015-8782\n\ntif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds writes) via a crafted TIFF image.\n\nCVE-2015-8783\n\ntif_luv.c in libtiff allows attackers to cause a denial of service (out-of-bounds reads) via a crafted TIFF image.\n\nCVE-2015-8784\n\nThe NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.\n\nCVE-2016-9533\n\ntif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers.\n\nCVE-2016-9534\n\ntif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. \n\nCVE-2016-9535\n\ntif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 3.9.6-11+deb7u4.\n\nWe recommend that you upgrade your tiff3 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-03-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=99107", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2016-9534", "CVE-2016-9535", "CVE-2015-8781", "CVE-2015-8782", "CVE-2016-9533"], "lastseen": "2018-07-12T18:16:54"}], "debian": [{"id": "DLA-405", "type": "debian", "title": "tiff -- LTS security update", "description": "Several security flaws have been found and solved in libtiff, a library that provides support for handling Tag Image File Format (TIFF). These flaws concern out of bounds reads and writes in the LogL16Decode, LogLuvDecode24, LogLuvDecode32, LogLuvDecodeTile, LogL16Encode, LogLuvEncode24, LogLuvEncode32 and NeXTDecode functions.\n\nThese IDs were assigned for the problems: [CVE-2015-8781](<https://security-tracker.debian.org/tracker/CVE-2015-8781>), [CVE-2015-8782](<https://security-tracker.debian.org/tracker/CVE-2015-8782>), [CVE-2015-8783](<https://security-tracker.debian.org/tracker/CVE-2015-8783>) and [CVE-2015-8784](<https://security-tracker.debian.org/tracker/CVE-2015-8784>).\n\nFor Debian 6 Squeeze, these issues have been fixed in tiff version 3.9.4-5+squeeze14. We recommend you to upgrade your tiff packages.", "published": "2016-01-30T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/2016/dla-405", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8781", "CVE-2015-8782"], "lastseen": "2016-09-02T12:57:15"}, {"id": "DSA-3467", "type": "debian", "title": "tiff -- security update", "description": "Several vulnerabilities have been found in tiff, a Tag Image File Format library. Multiple out-of-bounds read and write flaws could cause an application using the tiff library to crash.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 4.0.2-6+deb7u5.\n\nFor the stable distribution (jessie), these problems have been fixed in version 4.0.3-12.3+deb8u1.\n\nFor the testing distribution (stretch), these problems have been fixed in version 4.0.6-1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 4.0.6-1.\n\nWe recommend that you upgrade your tiff packages.", "published": "2016-02-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-3467", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-9655"], "lastseen": "2018-07-04T02:00:28"}, {"id": "DLA-402", "type": "debian", "title": "tiff -- LTS security update", "description": "Two security flaws have been found and solved in libtiff, library that provides support for handling Tag Image File Format (TIFF). These flaws concern out of bounds reads in the TIFFRGBAImage interface, when parsing unsupported values related to LogLUV and CIELab. [CVE-2015-8665](<https://security-tracker.debian.org/tracker/CVE-2015-8665>) was reported by limingxing and [CVE-2015-8683](<https://security-tracker.debian.org/tracker/CVE-2015-8683>) by zzf of Alibaba.\n\nFor Debian 6 Squeeze, these issues have been fixed in tiff version 3.9.4-5+squeeze13. We recommend you to upgrade your tiff packages.", "published": "2016-01-26T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/2016/dla-402", "cvelist": ["CVE-2015-8683", "CVE-2015-8665"], "lastseen": "2017-10-05T12:56:39"}], "openvas": [{"id": "OPENVAS:703467", "type": "openvas", "title": "Debian Security Advisory DSA 3467-1 (tiff - security update)", "description": "Several vulnerabilities have been\nfound in tiff, a Tag Image File Format library. Multiple out-of-bounds read and\nwrite flaws could cause an application using the tiff library to crash.", "published": "2016-02-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703467", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665"], "lastseen": "2017-07-24T12:54:41"}, {"id": "OPENVAS:1361412562310703467", "type": "openvas", "title": "Debian Security Advisory DSA 3467-1 (tiff - security update)", "description": "Several vulnerabilities have been\nfound in tiff, a Tag Image File Format library. Multiple out-of-bounds read and\nwrite flaws could cause an application using the tiff library to crash.", "published": "2016-02-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703467", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665"], "lastseen": "2017-12-20T13:26:37"}, {"id": "OPENVAS:1361412562310842702", "type": "openvas", "title": "Ubuntu Update for tiff USN-2939-1", "description": "Check the version of tiff", "published": "2016-03-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842702", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665"], "lastseen": "2018-04-30T14:10:12"}, {"id": "OPENVAS:1361412562310890880", "type": "openvas", "title": "Debian LTS Advisory ([SECURITY] [DLA 880-1] tiff3 security update)", "description": "tiff3 is affected by multiple issues that can result at least in denial of\nservices of applications using libtiff4. Crafted TIFF files can be\nprovided to trigger: abort() calls via failing assertions, buffer overruns\n(both in read and write mode).\n\nCVE-2015-8781\n\ntif_luv.c in libtiff allows attackers to cause a denial of service\n(out-of-bounds write) via an invalid number of samples per pixel in a\nLogL compressed TIFF image.\n\nCVE-2015-8782\n\ntif_luv.c in libtiff allows attackers to cause a denial of service\n(out-of-bounds writes) via a crafted TIFF image.\n\nCVE-2015-8783\n\ntif_luv.c in libtiff allows attackers to cause a denial of service\n(out-of-bounds reads) via a crafted TIFF image.\n\nCVE-2015-8784\n\nThe NeXTDecode function in tif_next.c in LibTIFF allows remote\nattackers to cause a denial of service (out-of-bounds write) via a\ncrafted TIFF image.\n\nCVE-2016-9533\n\ntif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write\nvulnerabilities in heap allocated buffers.\n\nCVE-2016-9534\n\ntif_write.c in libtiff 4.0.6 has an issue in the error code path of\nTIFFFlushData1() that didn", "published": "2018-01-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890880", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2016-9534", "CVE-2016-9535", "CVE-2015-8781", "CVE-2015-8782", "CVE-2016-9533"], "lastseen": "2018-07-10T17:26:07"}, {"id": "OPENVAS:1361412562310120723", "type": "openvas", "title": "Amazon Linux Local Check: alas-2016-734", "description": "Amazon Linux Local Security Checks", "published": "2016-10-26T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120723", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2016-5320", "CVE-2015-1547", "CVE-2015-8781", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-9655"], "lastseen": "2017-07-24T12:54:46"}, {"id": "OPENVAS:1361412562310871645", "type": "openvas", "title": "RedHat Update for libtiff RHSA-2016:1546-01", "description": "Check the version of libtiff", "published": "2016-08-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871645", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2017-07-27T10:53:57"}, {"id": "OPENVAS:1361412562310120722", "type": "openvas", "title": "Amazon Linux Local Check: alas-2016-733", "description": "Amazon Linux Local Security Checks", "published": "2016-10-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120722", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2017-07-24T12:55:16"}, {"id": "OPENVAS:1361412562310882532", "type": "openvas", "title": "CentOS Update for libtiff CESA-2016:1546 centos7 ", "description": "Check the version of libtiff", "published": "2016-08-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882532", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2017-07-25T10:54:28"}, {"id": "OPENVAS:1361412562310882531", "type": "openvas", "title": "CentOS Update for libtiff CESA-2016:1547 centos6 ", "description": "Check the version of libtiff", "published": "2016-08-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882531", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2017-07-25T10:54:06"}, {"id": "OPENVAS:1361412562310871643", "type": "openvas", "title": "RedHat Update for libtiff RHSA-2016:1547-01", "description": "Check the version of libtiff", "published": "2016-08-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871643", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2017-07-27T10:54:20"}], "cloudfoundry": [{"id": "CFOUNDRY:59FC9A5F51F25015CCCC9BDD3BD3CF91", "type": "cloudfoundry", "title": "USN-2939-1 LibTIFF vulnerabilities - Cloud Foundry", "description": "USN-2939-1 LibTIFF vulnerabilities\n\n# \n\nLow\n\n# Vendor\n\nUbuntu, LibTIFF\n\n# Versions Affected\n\n * Ubuntu 14.04 \n\n# Description\n\nLibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.\n\nIt was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.\n\n# Affected Products and Versions\n\n_Severity is low unless otherwise noted. \n_\n\n * All versions of Cloud Foundry rootfs prior to 1.48.0 \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.48.0 and higher \n\n# Credit\n\nNone\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-2939-1/>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8665.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8683.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8781.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8782.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8783.html>\n * <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8784.html>\n", "published": "2016-03-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.cloudfoundry.org/blog/usn-2939-1/", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665"], "lastseen": "2018-01-12T14:52:59"}], "f5": [{"id": "F5:K35155453", "type": "f5", "title": "Multiple LibTIFF vulnerabilities", "description": "\nF5 Product Development has assigned ID 608601 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H627024 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 | Medium | LibTIFF \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | 11.2.1 | 10.2.1 - 10.2.4 | Medium | LibTIFF \nBIG-IP WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | Not vulnerable \n\n \n\n| None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.0.1 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate the risk posed by this vulnerability, you can ensure that TIFF file processing via BIG-IP AAM or WebAccelerator policies is disabled, or ensure that TIFF files processed by BIG-IP AAM and WebAccelerator cannot be modified by attackers.\n\n**Impact of action:** Performing the suggested mitigation should not have a negative impact on your system.\n\nFor more information about disabling image optimization, refer to:\n\n * BIG-IP AAM: The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration Implementations** _manual\n * BIG-IP WebAccelerator: The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP WebAccelerator System Implementations** _manual\n\n**Note**: For information about how to locate F5 product manuals, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2016-11-08T18:39:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K35155453", "cvelist": ["CVE-2015-8783", "CVE-2014-8127", "CVE-2015-8683", "CVE-2014-8130", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2014-9655"], "lastseen": "2018-04-07T13:09:12"}, {"id": "SOL35155453", "type": "f5", "title": "SOL35155453 - Multiple LibTIFF vulnerabilities", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate the risk posed by this vulnerability, you can ensure that TIFF file processing via BIG-IP AAM or WebAccelerator policies is disabled, or ensure that TIFF files processed by BIG-IP AAM and WebAccelerator cannot be modified by attackers.\n\n**Impact of action:** Performing the suggested mitigation should not have a negative impact on your system.\n\nFor more information about disabling image optimization, refer to:\n\n * BIG-IP AAM: The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration Implementations** _guide\n * BIG-IP WebAccelerator: The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP WebAccelerator System Implementations** _guide\n\n**Note**: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n", "published": "2016-11-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/35/sol35155453.html", "cvelist": ["CVE-2015-8783", "CVE-2014-8127", "CVE-2015-8683", "CVE-2014-8130", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2014-9655"], "lastseen": "2016-11-08T17:26:33"}, {"id": "F5:K89096577", "type": "f5", "title": "LibTIFF vulnerabilities CVE-2016-5314 and CVE-2015-8784", "description": "\nF5 Product Development has assigned ID 608601 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H627031 on the **Diagnostics** > **Identified** > **High** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.0.0 | High | LibTIFF \nBIG-IP AFM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP Analytics | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP APM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP ASM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP Link Controller | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP PEM | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | Not vulnerable | None \nBIG-IP PSM | None | 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | 11.2.1 | 10.2.1 - 10.2.4 | High | LibTIFF \nBIG-IP WebSafe | None | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | Not vulnerable \n\n \n\n| None \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.0.1 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate the risk posed by this vulnerability, you can ensure that TIFF file processing via BIG-IP AAM or WebAccelerator policies is disabled, or ensure that TIFF files processed by BIG-IP AAM and WebAccelerator cannot be modified by attackers.\n\n**Impact of action:** Performing the suggested mitigation should not have a negative impact on your system.\n\nFor more information about disabling image optimization, refer to:\n\n * BIG-IP AAM: The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP Acceleration Implementations**_ manual\n * BIG-IP WebAccelerator: The **Accelerating Images with Image Optimization** chapter of the _**BIG-IP WebAccelerator System Implementations** _manual\n\n**Note**: For information about how to locate F5 product manuals, refer to [K12453464: Finding product documentation on AskF5](<https://support.f5.com/csp/article/K12453464>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2016-11-08T18:45:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K89096577", "cvelist": ["CVE-2016-5314", "CVE-2015-8784", "CVE-2016-5320"], "lastseen": "2018-04-06T13:11:12"}], "amazon": [{"id": "ALAS-2016-734", "type": "amazon", "title": "Important: compat-libtiff3", "description": "**Issue Overview:**\n\nMultiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. ([CVE-2014-9655 __](<https://access.redhat.com/security/cve/CVE-2014-9655>), [CVE-2015-1547 __](<https://access.redhat.com/security/cve/CVE-2015-1547>), [CVE-2015-8784 __](<https://access.redhat.com/security/cve/CVE-2015-8784>), [CVE-2015-8683 __](<https://access.redhat.com/security/cve/CVE-2015-8683>), [CVE-2015-8665 __](<https://access.redhat.com/security/cve/CVE-2015-8665>), [CVE-2015-8781 __](<https://access.redhat.com/security/cve/CVE-2015-8781>), [CVE-2015-8782 __](<https://access.redhat.com/security/cve/CVE-2015-8782>), [CVE-2015-8783 __](<https://access.redhat.com/security/cve/CVE-2015-8783>), [CVE-2016-3990 __](<https://access.redhat.com/security/cve/CVE-2016-3990>), [CVE-2016-5320 __](<https://access.redhat.com/security/cve/CVE-2016-5320>))\n\n \n**Affected Packages:** \n\n\ncompat-libtiff3\n\n \n**Issue Correction:** \nRun _yum update compat-libtiff3_ to update your system. \n\n\n \n**New Packages:**\n \n \n i686: \n compat-libtiff3-3.9.4-18.14.amzn1.i686 \n compat-libtiff3-debuginfo-3.9.4-18.14.amzn1.i686 \n \n src: \n compat-libtiff3-3.9.4-18.14.amzn1.src \n \n x86_64: \n compat-libtiff3-3.9.4-18.14.amzn1.x86_64 \n compat-libtiff3-debuginfo-3.9.4-18.14.amzn1.x86_64 \n \n \n", "published": "2016-08-17T13:30:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-734.html", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8683", "CVE-2016-5320", "CVE-2015-1547", "CVE-2015-8781", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-9655"], "lastseen": "2016-09-28T21:04:12"}, {"id": "ALAS-2016-733", "type": "amazon", "title": "Important: libtiff", "description": "**Issue Overview:**\n\nMultiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. ([CVE-2014-9655 __](<https://access.redhat.com/security/cve/CVE-2014-9655>), [CVE-2015-1547 __](<https://access.redhat.com/security/cve/CVE-2015-1547>), [CVE-2015-8784 __](<https://access.redhat.com/security/cve/CVE-2015-8784>), [CVE-2015-8683 __](<https://access.redhat.com/security/cve/CVE-2015-8683>), [CVE-2015-8665 __](<https://access.redhat.com/security/cve/CVE-2015-8665>), [CVE-2015-8781 __](<https://access.redhat.com/security/cve/CVE-2015-8781>), [CVE-2015-8782 __](<https://access.redhat.com/security/cve/CVE-2015-8782>), [CVE-2015-8783 __](<https://access.redhat.com/security/cve/CVE-2015-8783>), [CVE-2016-3990 __](<https://access.redhat.com/security/cve/CVE-2016-3990>), [CVE-2016-5320 __](<https://access.redhat.com/security/cve/CVE-2016-5320>))\n\nMultiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. ([CVE-2014-8127 __](<https://access.redhat.com/security/cve/CVE-2014-8127>), [CVE-2014-8129 __](<https://access.redhat.com/security/cve/CVE-2014-8129>), [CVE-2014-8130 __](<https://access.redhat.com/security/cve/CVE-2014-8130>), [CVE-2014-9330 __](<https://access.redhat.com/security/cve/CVE-2014-9330>), [CVE-2015-7554 __](<https://access.redhat.com/security/cve/CVE-2015-7554>), [CVE-2015-8668 __](<https://access.redhat.com/security/cve/CVE-2015-8668>), [CVE-2016-3632 __](<https://access.redhat.com/security/cve/CVE-2016-3632>), [CVE-2016-3945 __](<https://access.redhat.com/security/cve/CVE-2016-3945>), [CVE-2016-3991 __](<https://access.redhat.com/security/cve/CVE-2016-3991>))\n\n \n**Affected Packages:** \n\n\nlibtiff\n\n \n**Issue Correction:** \nRun _yum update libtiff_ to update your system. \n\n\n \n**New Packages:**\n \n \n i686: \n libtiff-devel-4.0.3-25.27.amzn1.i686 \n libtiff-4.0.3-25.27.amzn1.i686 \n libtiff-static-4.0.3-25.27.amzn1.i686 \n libtiff-debuginfo-4.0.3-25.27.amzn1.i686 \n \n src: \n libtiff-4.0.3-25.27.amzn1.src \n \n x86_64: \n libtiff-devel-4.0.3-25.27.amzn1.x86_64 \n libtiff-4.0.3-25.27.amzn1.x86_64 \n libtiff-static-4.0.3-25.27.amzn1.x86_64 \n libtiff-debuginfo-4.0.3-25.27.amzn1.x86_64 \n \n \n", "published": "2016-08-17T13:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-733.html", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2016-09-28T21:03:56"}], "oraclelinux": [{"id": "ELSA-2016-1546", "type": "oraclelinux", "title": "libtiff security update", "description": "[4.0.3-25]\n- Add patches for CVEs:\n CVE-2015-7554, CVE-2015-8683, CVE-2015-8665,\n CVE-2015-8781, CVE-2015-8782, CVE-2015-8783,\n CVE-2015-8784\n- Related: #1299920\n[4.0.3-24]\n- Update patches for CVEs:\n CVE-2014-8127, CVE-2014-8130\n- Related: #1299920\n[4.0.3-23]\n- Update patches:\n CVE-2014-9330, CVE-2014-8127, CVE-2014-8129\n CVE-2014-8130\n- Related: #1299920\n[4.0.3-22]\n- Update patch for CVE-2015-8668\n- Related: #1299920\n[4.0.3-21]\n- Remove patches for CVEs:\n CVE-2014-8127, CVE-2014-8129, CVE-2014-8130,\n CVE-2014-9330, CVE-2015-7554, CVE-2015-8665,\n CVE-2015-8683, CVE-2015-8781, CVE-2015-8784\n- Add patches for CVEs:\n CVE-2016-3632, CVE-2016-3945, CVE-2016-3990,\n CVE-2016-3991, CVE-2016-5320\n- Update patches for CVEs:\n CVE-2014-9655, CVE-2015-1547, CVE-2015-8668\n- Related: #1299920\n[4.0.3-20]\n- CVE-2014-8127 should contain only two fixes\n- Related: #1299920\n[4.0.3-19]\n- Revert previous patch CVE-2014-8127\n- Related: #1299920\n[4.0.3-18]\n- Fix patch CVE-2014-8127. Wrongly applied\n- Related: #1299920\n[4.0.3-17]\n- Fix patch CVE-2015-8668. Wrongly applied by me\n- Related: #1299920\n[4.0.3-16]\n- Fixed patches on preview CVEs\n- Related: #1299920\n[4.0.3-15]\n- This resolves several CVEs\n- CVE-2014-8127, CVE-2014-8129, CVE-2014-8130\n- CVE-2014-9330, CVE-2014-9655, CVE-2015-8781\n- CVE-2015-8784, CVE-2015-1547, CVE-2015-8683\n- CVE-2015-8665, CVE-2015-7554, CVE-2015-8668\n- Resolves: #1299920", "published": "2016-08-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-1546.html", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2016-09-04T11:17:05"}, {"id": "ELSA-2016-1547", "type": "oraclelinux", "title": "libtiff security update", "description": "[3.9.4-18]\n- Update patch for CVE-2014-8127\n- Related: #1335099\n[3.9.4-17]\n- Fix patches for CVE-2016-3990 and CVE-2016-5320\n- Related: #1335099\n[3.9.4-16]\n- Add patches for CVEs:\n- CVE-2016-3632 CVE-2016-3945 CVE-2016-3990\n- CVE-2016-3991 CVE-2016-5320\n- Related: #1335099\n[3.9.4-15]\n- Update patch for CVE-2014-8129\n- Related: #1335099\n[3.9.4-14]\n- Merge previously released fixes for CVEs:\n- CVE-2013-1960 CVE-2013-1961 CVE-2013-4231\n- CVE-2013-4232 CVE-2013-4243 CVE-2013-4244\n- Resolves: #1335099\n[3.9.4-13]\n- Patch typos in CVE-2014-8127\n- Related: #1299919\n[3.9.4-12]\n- Fix CVE-2014-8127 and CVE-2015-8668 patches\n- Related: #1299919\n[3.9.4-11]\n- Fixed patches on preview CVEs\n- Related: #1299919", "published": "2016-08-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-1547.html", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2013-4232", "CVE-2015-8668", "CVE-2013-1960", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2013-4243", "CVE-2013-1961", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2013-4244", "CVE-2016-3945", "CVE-2016-3991", "CVE-2013-4231", "CVE-2014-9655"], "lastseen": "2016-09-04T11:16:37"}], "redhat": [{"id": "RHSA-2016:1546", "type": "redhat", "title": "(RHSA-2016:1546) Important: libtiff security update", "description": "The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.\n\nSecurity Fix(es):\n\n* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. (CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)\n\n* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)", "published": "2016-08-02T18:26:49", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2016:1546", "cvelist": ["CVE-2014-8127", "CVE-2014-8129", "CVE-2014-8130", "CVE-2014-9330", "CVE-2014-9655", "CVE-2015-1547", "CVE-2015-7554", "CVE-2015-8665", "CVE-2015-8668", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8783", "CVE-2015-8784", "CVE-2016-3632", "CVE-2016-3945", "CVE-2016-3990", "CVE-2016-3991", "CVE-2016-5320"], "lastseen": "2018-04-15T14:25:45"}, {"id": "RHSA-2016:1547", "type": "redhat", "title": "(RHSA-2016:1547) Important: libtiff security update", "description": "The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.\n\nSecurity Fix(es):\n\n* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. (CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)\n\n* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)", "published": "2016-08-02T18:27:54", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2016:1547", "cvelist": ["CVE-2014-8127", "CVE-2014-8129", "CVE-2014-8130", "CVE-2014-9330", "CVE-2014-9655", "CVE-2015-1547", "CVE-2015-7554", "CVE-2015-8665", "CVE-2015-8668", "CVE-2015-8683", "CVE-2015-8781", "CVE-2015-8782", "CVE-2015-8783", "CVE-2015-8784", "CVE-2016-3632", "CVE-2016-3945", "CVE-2016-3990", "CVE-2016-3991", "CVE-2016-5320"], "lastseen": "2018-06-12T21:09:16"}], "centos": [{"id": "CESA-2016:1546", "type": "centos", "title": "libtiff security update", "description": "**CentOS Errata and Security Advisory** CESA-2016:1546\n\n\nThe libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.\n\nSecurity Fix(es):\n\n* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. (CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)\n\n* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-August/022010.html\n\n**Affected packages:**\nlibtiff\nlibtiff-devel\nlibtiff-static\nlibtiff-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1546.html", "published": "2016-08-02T21:57:58", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2016-August/022010.html", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2017-10-03T18:26:31"}, {"id": "CESA-2016:1547", "type": "centos", "title": "libtiff security update", "description": "**CentOS Errata and Security Advisory** CESA-2016:1547\n\n\nThe libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.\n\nSecurity Fix(es):\n\n* Multiple flaws have been discovered in libtiff. A remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code by tricking an application linked against libtiff into processing specially crafted files. (CVE-2014-9655, CVE-2015-1547, CVE-2015-8784, CVE-2015-8683, CVE-2015-8665, CVE-2015-8781, CVE-2015-8782, CVE-2015-8783, CVE-2016-3990, CVE-2016-5320)\n\n* Multiple flaws have been discovered in various libtiff tools (bmp2tiff, pal2rgb, thumbnail, tiff2bw, tiff2pdf, tiffcrop, tiffdither, tiffsplit, tiff2rgba). By tricking a user into processing a specially crafted file, a remote attacker could exploit these flaws to cause a crash or memory corruption and, possibly, execute arbitrary code with the privileges of the user running the libtiff tool. (CVE-2014-8127, CVE-2014-8129, CVE-2014-8130, CVE-2014-9330, CVE-2015-7554, CVE-2015-8668, CVE-2016-3632, CVE-2016-3945, CVE-2016-3991)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-August/021999.html\n\n**Affected packages:**\nlibtiff\nlibtiff-devel\nlibtiff-static\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1547.html", "published": "2016-08-02T15:06:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2016-August/021999.html", "cvelist": ["CVE-2015-8783", "CVE-2015-8784", "CVE-2015-8668", "CVE-2014-8127", "CVE-2016-3632", "CVE-2014-9330", "CVE-2015-8683", "CVE-2016-5320", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-3990", "CVE-2015-8782", "CVE-2015-8665", "CVE-2014-8129", "CVE-2016-3945", "CVE-2016-3991", "CVE-2014-9655"], "lastseen": "2017-10-03T18:24:56"}], "gentoo": [{"id": "GLSA-201701-16", "type": "gentoo", "title": "libTIFF: Multiple vulnerabilities", "description": "### Background\n\nThe TIFF library contains encoding and decoding routines for the Tag Image File Format. It is called by numerous programs, including GNOME and KDE applications, to interpret TIFF images. \n\n### Description\n\nMultiple vulnerabilities have been discovered in libTIFF. Please review the CVE identifier and bug reports referenced for details. \n\n### Impact\n\nA remote attacker could entice a user to process a specially crafted image file, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll libTIFF users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/tiff-4.0.7\"", "published": "2017-01-09T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201701-16", "cvelist": ["CVE-2016-9453", "CVE-2016-3622", "CVE-2015-8783", "CVE-2016-5314", "CVE-2016-9448", "CVE-2016-3623", "CVE-2015-8784", "CVE-2016-5319", "CVE-2016-3631", "CVE-2015-8668", "CVE-2016-3625", "CVE-2016-3619", "CVE-2016-5322", "CVE-2016-5318", "CVE-2014-8127", "CVE-2016-3621", "CVE-2016-3658", "CVE-2016-9297", "CVE-2016-3632", "CVE-2014-9330", "CVE-2016-9318", "CVE-2016-3620", "CVE-2015-8683", "CVE-2016-5316", "CVE-2016-5320", "CVE-2015-7313", "CVE-2016-3186", "CVE-2013-4243", "CVE-2016-5323", "CVE-2016-5652", "CVE-2016-5315", "CVE-2014-8130", "CVE-2015-1547", "CVE-2015-8781", "CVE-2015-7554", "CVE-2016-8331", "CVE-2016-3990", "CVE-2016-3633", "CVE-2016-6223", "CVE-2016-5317", "CVE-2016-3624", "CVE-2015-8782", "CVE-2016-9532", "CVE-2015-8665", "CVE-2016-5102", "CVE-2014-8128", "CVE-2014-8129", "CVE-2016-5321", "CVE-2016-3634", "CVE-2016-3945", "CVE-2016-3991", "CVE-2016-5875", "CVE-2016-9273", "CVE-2014-9655"], "lastseen": "2017-01-09T18:13:57"}], "freebsd": [{"id": "B65E4914-B3BC-11E5-8255-5453ED2E2B49", "type": "freebsd", "title": "tiff -- out-of-bounds read in CIE Lab image format", "description": "\nzzf of Alibaba discovered an out-of-bounds vulnerability in the code\n\t processing the LogLUV and CIE Lab image format files. An attacker\n\t could create a specially-crafted TIFF file that could cause libtiff\n\t to crash.\n", "published": "2015-12-25T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/b65e4914-b3bc-11e5-8255-5453ed2e2b49.html", "cvelist": ["CVE-2015-8683"], "lastseen": "2016-09-26T17:24:10"}, {"id": "BD349F7A-B3B9-11E5-8255-5453ED2E2B49", "type": "freebsd", "title": "tiff -- out-of-bounds read in tif_getimage.c", "description": "\nLMX of Qihoo 360 Codesafe Team discovered an out-of-bounds read in\n\t tif_getimage.c. An attacker could create a specially-crafted TIFF\n\t file that could cause libtiff to crash.\n", "published": "2015-12-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/bd349f7a-b3b9-11e5-8255-5453ed2e2b49.html", "cvelist": ["CVE-2015-8665"], "lastseen": "2016-09-26T17:24:10"}], "slackware": [{"id": "SSA-2017-098-01", "type": "slackware", "title": "libtiff", "description": "New libtiff packages are available for Slackware 14.2 and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/libtiff-4.0.7-i586-1_slack14.2.txz: Upgraded.\n This release contains security fixes and improvements.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8127\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8665\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8683\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3622\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5321\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5323\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5652\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5875\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9273\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/libtiff-4.0.7-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/libtiff-4.0.7-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/libtiff-4.0.7-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/libtiff-4.0.7-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 package:\na0b2f84a88036a4e8e01165d522fdf09 libtiff-4.0.7-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\nfccecb6c9e1eea06607442bd6b58e63f libtiff-4.0.7-x86_64-1_slack14.2.txz\n\nSlackware -current package:\na1699ec0db14b6563390f78f9c9bee8e l/libtiff-4.0.7-i586-1.txz\n\nSlackware x86_64 -current package:\n9e5280389d6fc4a80fb0c42a026a942c l/libtiff-4.0.7-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg libtiff-4.0.7-i586-1_slack14.2.txz", "published": "2017-04-08T13:11:36", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.395195", "cvelist": ["CVE-2016-3622", "CVE-2016-9448", "CVE-2016-3623", "CVE-2014-8127", "CVE-2016-3658", "CVE-2015-8683", "CVE-2016-5323", "CVE-2016-5652", "CVE-2015-8665", "CVE-2016-5321", "CVE-2016-5875", "CVE-2016-9273"], "lastseen": "2018-02-02T18:11:27"}], "suse": [{"id": "OPENSUSE-SU-2016:3035-1", "type": "suse", "title": "Security update for tiff (important)", "description": "Tiff was updated to version 4.0.7. This update fixes the following issues:\n\n * libtiff/tif_aux.c\n + Fix crash in TIFFVGetFieldDefaulted() when requesting Predictor tag\n and that the zip/lzw codec is not configured.\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2591\">http://bugzilla.maptools.org/show_bug.cgi?id=2591</a>)\n * libtiff/tif_compress.c\n + Make TIFFNoDecode() return 0 to indicate an error and make upper\n level read routines treat it accordingly.\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2517\">http://bugzilla.maptools.org/show_bug.cgi?id=2517</a>)\n * libtiff/tif_dir.c\n + Discard values of SMinSampleValue and SMaxSampleValue when they have\n been read and the value of SamplesPerPixel is changed afterwards\n (like when reading a OJPEG compressed image with a missing\n SamplesPerPixel tag, and whose photometric is RGB or YCbCr, forcing\n SamplesPerPixel being 3). Otherwise when rewriting the directory\n (for example with tiffset, we will expect 3 values whereas the array\n had been allocated with just\n one), thus causing a out of bound read access. (CVE-2014-8127,\n boo#914890, duplicate: CVE-2016-3658, boo#974840)\n * libtiff/tif_dirread.c\n + In TIFFFetchNormalTag(), do not dereference NULL pointer when values\n of tags with TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are\n 0-byte arrays. (CVE-2016-9448, boo#1011103)\n + In TIFFFetchNormalTag(), make sure that values of tags with\n TIFF_SETGET_C16_ASCII/TIFF_SETGET_C32_ASCII access are null\n terminated, to avoid potential read outside buffer in\n _TIFFPrintField(). (CVE-2016-9297, boo#1010161)\n + Prevent reading ColorMap or TransferFunction if BitsPerPixel > 24,\n so as to avoid huge memory allocation and file read attempts\n + Reject images with OJPEG compression that have no\n TileOffsets/StripOffsets tag, when OJPEG compression is disabled.\n Prevent null pointer dereference in TIFFReadRawStrip1() and other\n functions that expect td_stripbytecount to be non NULL.\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2585\">http://bugzilla.maptools.org/show_bug.cgi?id=2585</a>)\n + When compiled with DEFER_STRILE_LOAD, fix regression, when reading a\n one-strip file without a StripByteCounts tag.\n + Workaround false positive warning of Clang Static Analyzer about\n null pointer dereference in TIFFCheckDirOffset().\n * libtiff/tif_dirwrite.c\n + Avoid null pointer dereference on td_stripoffset when writing\n directory, if FIELD_STRIPOFFSETS was artificially set for a hack\n case in OJPEG case. Fixes (CVE-2014-8127, boo#914890, duplicate:\n CVE-2016-3658, boo#974840)\n + Fix truncation to 32 bit of file offsets in TIFFLinkDirectory() and\n TIFFWriteDirectorySec() when aligning directory offsets on an even\n offset (affects BigTIFF).\n * libtiff/tif_dumpmode.c\n + DumpModeEncode() should return 0 in case of failure so that the\n above mentionned functions detect the error.\n * libtiff/tif_fax3.c\n + remove dead assignment in Fax3PutEOLgdal().\n * libtiff/tif_fax3.h\n + make Param member of TIFFFaxTabEnt structure a uint16 to reduce size\n of the binary.\n * libtiff/tif_getimage.c\n + Fix out-of-bound reads in TIFFRGBAImage interface in case of\n unsupported values of SamplesPerPixel/ExtraSamples for\n LogLUV/CIELab. Add explicit call to TIFFRGBAImageOK() in\n TIFFRGBAImageBegin(). Fix CVE-2015-8665 and CVE-2015-8683.\n + TIFFRGBAImageOK: Reject attempts to read floating point images.\n * libtiff/tif_luv.c\n + Fix potential out-of-bound writes in decode functions in non debug\n builds by replacing assert()s by regular if checks\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2522\">http://bugzilla.maptools.org/show_bug.cgi?id=2522</a>). Fix potential\n out-of-bound reads in case of short input data.\n + Validate that for COMPRESSION_SGILOG and PHOTOMETRIC_LOGL, there is\n only one sample per pixel. Avoid potential invalid memory write on\n corrupted/unexpected images when using the TIFFRGBAImageBegin()\n interface\n * libtiff/tif_next.c\n + Fix potential out-of-bound write in NeXTDecode()\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2508\">http://bugzilla.maptools.org/show_bug.cgi?id=2508</a>)\n * libtiff/tif_pixarlog.c\n + Avoid zlib error messages to pass a NULL string to %s formatter,\n which is undefined behaviour in sprintf().\n + Fix out-of-bounds write vulnerabilities in heap allocated buffers.\n Reported as MSVR 35094.\n + Fix potential buffer write overrun in PixarLogDecode() on\n corrupted/unexpected images (CVE-2016-5875, boo#987351)\n * libtiff/tif_predict.c\n + PredictorSetup: Enforce bits-per-sample requirements of floating\n point predictor (3). (CVE-2016-3622, boo#974449)\n * libtiff/tif_predict.h, libtiff/tif_predict.c\n + Replace assertions by runtime checks to avoid assertions in debug\n mode, or buffer overflows in release mode. Can happen when dealing\n with unusual tile size like YCbCr with subsampling. Reported as MSVR\n 35105.\n * libtiff/tif_read.c\n + Fix out-of-bounds read on memory-mapped files in TIFFReadRawStrip1()\n and TIFFReadRawTile1() when stripoffset is beyond tmsize_t max value\n + Make TIFFReadEncodedStrip() and TIFFReadEncodedTile() directly use\n user provided buffer when no compression (and other conditions) to\n save a memcpy().\n * libtiff/tif_strip.c\n + Make TIFFNumberOfStrips() return the td->td_nstrips value when it is\n non-zero, instead of recomputing it. This is needed in\n TIFF_STRIPCHOP mode where td_nstrips is modified. Fixes a read\n outsize of array in tiffsplit (or other utilities using\n TIFFNumberOfStrips()). (CVE-2016-9273, boo#1010163)\n * libtiff/tif_write.c\n + Fix issue in error code path of TIFFFlushData1() that didn't reset\n the tif_rawcc and tif_rawcp members. I'm not completely sure if that\n could happen in practice outside of the odd behaviour of\n t2p_seekproc() of tiff2pdf). The report points that a better fix\n could be to check the return value of TIFFFlushData1() in places\n where it isn't done currently, but it seems this patch is enough.\n Reported as MSVR 35095.\n + Make TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() directly use\n user provided buffer when no compression to save a memcpy().\n + TIFFWriteEncodedStrip() and TIFFWriteEncodedTile() should return -1\n in case of failure of tif_encodestrip() as documented\n * tools/fax2tiff.c\n + Fix segfault when specifying -r without argument.\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2572\">http://bugzilla.maptools.org/show_bug.cgi?id=2572</a>)\n * tools/Makefile.am\n + The libtiff tools bmp2tiff, gif2tiff, ras2tiff, sgi2tiff, sgisv, and\n ycbcr are completely removed from the distribution. The libtiff\n tools rgb2ycbcr and thumbnail are only built in the build tree for\n testing. Old files are put in new 'archive' subdirectory of the\n source repository, but not in distribution archives. These changes\n are made in order to lessen the maintenance burden.\n * tools/tiff2bw.c\n + Fix weight computation that could result of color value\n overflow (no security implication). Fix\n <a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2550\">http://bugzilla.maptools.org/show_bug.cgi?id=2550</a>.\n * tools/tiff2pdf.c\n + Avoid undefined behaviour related to overlapping of source and\n destination buffer in memcpy() call in t2p_sample_rgbaa_to_rgb()\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2577\">http://bugzilla.maptools.org/show_bug.cgi?id=2577</a>)\n + Fix out-of-bounds write vulnerabilities in heap allocate buffer in\n t2p_process_jpeg_strip(). Reported as MSVR 35098.\n + Fix potential integer overflows on 32 bit builds in\n t2p_read_tiff_size()\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2576\">http://bugzilla.maptools.org/show_bug.cgi?id=2576</a>)\n + Fix read -largely- outsize of buffer in\n t2p_readwrite_pdf_image_tile(), causing crash, when reading a JPEG\n compressed image with TIFFTAG_JPEGTABLES length being one.\n (CVE-2016-9453, boo#1011107)\n + Fix write buffer overflow of 2 bytes on JPEG compressed images. Also\n prevents writing 2 extra uninitialized bytes to the file stream.\n (TALOS-CAN-0187, CVE-2016-5652, boo#1007280)\n * tools/tiffcp.c\n + Fix out-of-bounds write on tiled images with odd tile width vs image\n width. Reported as MSVR 35103.\n + Fix read of undefined variable in case of missing required tags.\n Found on test case of MSVR 35100.\n * tools/tiffcrop.c\n + Avoid access outside of stack allocated array on a tiled separate\n TIFF with more than 8 samples per pixel. (CVE-2016-5321,\n CVE-2016-5323, boo#984813, boo#984815)\n + Fix memory leak in (recent) error code path.\n + Fix multiple uint32 overflows in writeBufferToSeparateStrips(),\n writeBufferToContigTiles() and writeBufferToSeparateTiles() that\n could cause heap buffer overflows.\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2592\">http://bugzilla.maptools.org/show_bug.cgi?id=2592</a>)\n + Fix out-of-bound read of up to 3 bytes in\n readContigTilesIntoBuffer(). Reported as MSVR 35092.\n + Fix read of undefined buffer in readContigStripsIntoBuffer() due to\n uint16 overflow. Reported as MSVR 35100.\n + Fix various out-of-bounds write vulnerabilities in heap or stack\n allocated buffers. Reported as MSVR 35093, MSVR 35096 and MSVR 35097.\n + readContigTilesIntoBuffer: Fix signed/unsigned comparison warning.\n * tools/tiffdump.c\n + Fix a few misaligned 64-bit reads warned by -fsanitize\n + ReadDirectory: Remove uint32 cast to_TIFFmalloc() argument which\n resulted in Coverity report. Added more mutiplication\n overflow checks\n * tools/tiffinfo.c\n + Fix out-of-bound read on some tiled images.\n (<a rel=\"nofollow\" href=\"http://bugzilla.maptools.org/show_bug.cgi?id=2517\">http://bugzilla.maptools.org/show_bug.cgi?id=2517</a>)\n + TIFFReadContigTileData: Fix signed/unsigned comparison warning.\n + TIFFReadSeparateTileData: Fix signed/unsigned comparison warning.\n\n", "published": "2016-12-07T15:08:51", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-12/msg00017.html", "cvelist": ["CVE-2016-9453", "CVE-2016-3622", "CVE-2016-9448", "CVE-2014-8127", "CVE-2016-3658", "CVE-2016-9297", "CVE-2015-8683", "CVE-2016-5323", "CVE-2016-5652", "CVE-2015-7554", "CVE-2015-8665", "CVE-2016-5321", "CVE-2016-5875", "CVE-2016-9273"], "lastseen": "2016-12-07T17:30:03"}], "archlinux": [{"id": "ASA-201611-26", "type": "archlinux", "title": "libtiff: multiple issues", "description": "- CVE-2010-2596 (denial of service)\n\nThe OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2,\nas used in tiff2ps, allows remote attackers to cause a denial of\nservice (assertion failure and application exit) via a crafted TIFF\nimage, related to "downsampled OJPEG input."\n\n- CVE-2014-8127 (information disclosure)\n\nLibTIFF provides support for the Tag Image File Format (TIFF), a widely\nused format for storing image data. It is composed of a library for\nworking with TIFF files along with a small collection of tools for\ndoing simple manipulations of TIFF images.\nMultiple out-of-bounds reads can be triggered with malformed TIFF\nimages in the following LibTIFF tools: thumbnail, tiff2bw, tiff2rgba,\ntiff2ps, tiffdither, tiffmedian, tiffset\n\n- CVE-2014-8130 (denial of service)\n\nA floating point exception due to a division by zero in the tiffdither\ntool can be triggered with a malformed TIFF file leading to denial of\nservice.\n\n- CVE-2015-7313 (denial of service)\n\nA denial of service flaw was found in the way libtiff parsed certain\ntiff files. An attacker could use this flaw to create a specially\ncrafted TIFF file that would cause an application using libtiff to\nexhaust all available memory on the system.\n\n- CVE-2015-8665 (denial of service)\n\ntif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a\ndenial of service (out-of-bounds read) via the SamplesPerPixel tag in a\nTIFF image.\n\n- CVE-2015-8668 (arbitrary code execution)\n\nHeap-based buffer overflow in the PackBitsPreEncode function in\ntif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote\nattackers to execute arbitrary code or cause a denial of service via a\nlarge width field in a BMP image.\n\n- CVE-2015-8683 (denial of service)\n\nAn out-bounds-read flaw was found in the way libtiff processed CIE Lab\nimage format files. A attacker could create a specially-crafted CIE Lab\nimage format files which could cause libtiff to crash.\n\n- CVE-2016-3186 (denial of service)\n\nA buffer overflow vulnerability was reported in libtiff library, in the\nreadextension function in the gif2tiff component. A maliciously crafted\nGIF file could cause the application to crash resulting in denial of\nservice.\n\n- CVE-2016-3619 (denial of service)\n\nAn out-of-bounds read vulnerability has been discovered in the\nDumpModeEncode function when handling maliciously crafted BMP files,\nwhile doing operation _TIFFmemcpy. An attacker could exploit this issue\nto cause a denial of service.\n\n- CVE-2016-3620 (denial of service)\n\nAn out-of-bounds read vulnerability has been discovered in ZIPEncode\nfunction in tif_zip.c. Running bmp2tiff on a specially crafted BMP file\nresults in an application crash.\n\n- CVE-2016-3621 (denial of service)\n\nThe LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF\n4.0.6 and earlier, when the "-c lzw" option is used, allows remote\nattackers to cause a denial of service (buffer over-read) via a crafted\nBMP image.\n\n- CVE-2016-3622 (denial of service)\n\nDivision by zero vulnerability was found in fpAcc function in\ntif_predict.c in tiff2rgba, allowing attacker to cause a denial of\nservice via a crafted TIFF image.\n\n- CVE-2016-3623 (denial of service)\n\nDivision by zero vulnerability was found in cvtRaster function in\nrgb2ycybr.c, allowing attacker to cause a denial of service via a\ncrafted TIFF image.\n\n- CVE-2016-3624 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in cvtClump function in\nrgb2ycybr.c, allowing attacker to cause a denial of service or possibly\nexecute arbitrary code via a crafted TIFF image.\n\n- CVE-2016-3625 (denial of service)\n\nAn out-of-bounds read vulnerability was found in tif_read.c in tiff2bw,\nallowing attacker to cause a denial of service via a crafted TIFF\nimage.\n\n- CVE-2016-3631 (denial of service)\n\nThe (1) cpStrips and (2) cpTiles functions in the thumbnail tool in\nLibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of\nservice (out-of-bounds read) via vectors related to the bytecounts[]\narray variable.\n\n- CVE-2016-3632 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in _TIFFVGetField\nfunction in tif_dirinfo.c, allowing attacker to cause a denial of\nservice or code execution via a crafted TIFF image.\n\n- CVE-2016-3633 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the _setrow function\nin the libtiff library. Using a thumbnail command on a maliciously\ncrafted image could cause the application to crash.\n\n- CVE-2016-3634 (denial of service)\n\nA vulnerability was found in the libtiff library. Using the tagCompare\nfunction with the thumbnail command on a maliciously crafted tiff file\ncould cause an out-of-bounds read leading to application crash.\n\n- CVE-2016-3658 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the\nTIFFWriteDirectoryTagLongLong8Array function in the libtiff library.\nUsing a tiffset command on a maliciously crafted image could result in\na denial-of-service.\n\n- CVE-2016-3945 (arbitrary code execution)\n\nWhen libtiff's tiff2rgba handles a maliciously-crafted tiff file(width=\n8388640, height=31) an illegal write happens. This vulnerability exists\nin the function cvt_by_strip (and cvt_by_tile ) due to an improper\nbuffer allocation. An attacker may control the write address and/or\nvalue to result in denial-of-service or arbitrary code execution.\n\n- CVE-2016-3990 (arbitrary code execution)\n\nAn out-of-bounds write flaw was found in libtiff v4.0.6 when using\ntiffcp command to handle malicious tiff file. The vulnerability exists\nin the function horizontalDifference8(). An attacker could control the\nhead data of next heap which contains pre_size field and size filed to\nresult in denial of service or arbitrary code execution.\n\n- CVE-2016-3991 (arbitrary code execution)\n\nAn out-of-bounds write caused by a heap overflow when using tiffcrop\ntool. The vulnerability is located in the loadImage() function of\ntiffcrop.c. loadImage() will read the numbers of tiles by calling\nTIFFNumberOfTiles(). However, if the numbers of tiles is 0, loadImage()\nwill still read tile data by calling readContigTilesIntoBuffer() from\nthe image, regardless of the numbers. In that case, loadImage() will\nallocate 3 bytes of heap to store a tile data, and a heap overflow\noccurs if a tile data is beyond 3 bytes. This will cause denial of\nservice or arbitrary code execution upon freeing the buffer.\n\n- CVE-2016-5102 (denial of service)\n\nA vulnerability was found in libtiff. A maliciously crafted file could\ncause the application to crash via buffer overflow in gif2tiff tool.\n\n- CVE-2016-5314 (arbitrary code execution)\n\nA vulnerability was found in libtiff. A maliciously crafted TIFF file\ncould cause the application to crash when using rgb2ycbcr command via\nan out-of-bounds write in the PixarLogDecode() function.\n\n- CVE-2016-5315 (denial of service)\n\nAn out-of-bounds read vulnerability was found in in the setByteArray()\nfunction inlibtiff. A maliciously crafted TIFF file could cause the\napplication to crash when using rgb2ycbcr.\n\n- CVE-2016-5316 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the PixarLogCleanup()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash when using rgb2ycbcr.\n\n- CVE-2016-5317 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in the PixarLogDecode()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash or possibly execute arbitrary code when generating\na thumbnail for it.\n\n- CVE-2016-5318 (arbitrary code execution)\n\nA stack-based buffer overflow vulnerability was reported in thumbnail's\n_TIFFVGetField() function. Memory corruption can be triggered when\nhandling maliciously crafted tiff file causing application to crash or\npossibly execute arbitrary code.\n\n- CVE-2016-5319 (arbitrary code execution)\n\nHeap-based buffer overflow vulnerability was found in tif_packbits.c in\nPackBitsEncode function. Memory corruption can be triggered when\nbmp2tiff is handling maliciously crafted bmp file causing application\nto crash or possibly execute arbitrary code.\n\n- CVE-2016-5320 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in the PixarLogDecode()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash or even execute arbitrary code on a vulnerable\nmachine when using the rgb2ycbcr command.\n\n- CVE-2016-5321 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the DumpModeDecode()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash when using tiffcrop command.\n\n- CVE-2016-5322 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the\nextractContigSamplesBytes() function in libtiff. A maliciously crafted\nTIFF file could cause the application to crash when using the tiffcrop\ncommand.\n\n- CVE-2016-5323 (denial of service)\n\nWhen using the tiffcrop command and a crafted TIFF image, the function\n_TIFFFax3fill() runs without checking the value of the divisor and\ncauses a divide by zero flaw. Attackers can exploit this issue to cause\na denial of service.\n\n- CVE-2016-5652 (arbitrary code execution)\n\nAn exploitable heap based buffer overflow exists in the handling of\nTIFF images in LibTIFF’s TIFF2PDF tool. A crafted TIFF document can\nlead to a heap based buffer overflow via JPEG Compression Tables\nresulting in remote code execution. This vulnerability can be triggered\nvia a saved TIFF file delivered by other means.\n\n- CVE-2016-5875 (arbitrary code execution)\n\nThere is a heap-based buffer overflow on libtiff/tif_pixarlog.c. The\nvulnerability allows an attacker to control the size of the allocated\nheap-buffer while independently controlling the data to be written to\nthe buffer with no restrictions on the size of the written data.\n\n- CVE-2016-6223 (information disclosure)\n\nAn out-of-bounds read vulnerability on memory-mapped files in\nTIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond\ntmsize_t max value was found. The vulnerability allows an attacker to\nspecify a negative index into the file-content buffer and copy data\nfrom that position until the end of the buffer. This will allow an\nattacker to crash the process by accessing unmapped memory and\n(depending on how LibTIFF is used) might also allow an attacker to leak\nsensitive information.\n\n- CVE-2016-9273 (denial of service)\n\nA heap buffer overflow has been discovered resulting in a read outside\nof the array boundaries leading to an application crash.\n\n- CVE-2016-9297 (denial of service)\n\nA buffer read overflow has been discovered in libtiff. The function\nTIFFFetchNormalTag() in libtiff/tif_dirread.c did not make sure that\nvalues of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII\naccess are null terminated leading to potential read outside the buffer\nin _TIFFPrintField().\n\n- CVE-2016-9448 (denial of service)\n\nA null pointer dereference vulnerability in TIFFFetchNormalTag() occurs\nwhen values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII\naccess are 0-byte arrays leading to denial of service.\n\n- CVE-2016-9453 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability has been discovered caused by a\nmemcpy call without proper bounds checks. A malicious tiff file handled\nby tiff2pdf will cause an illegal write to a potentially attacker\ncontrolled target address.\n\n- CVE-2016-9532 (arbitrary code execution)\n\nMultiple uint32 overflows have been discovered that are leading to a\nheap buffer overflow in writeBufferToSeparateStrips(). A maliciously\ncrafted TIFF file could cause the application to crash or even execute\narbitrary code on a vulnerable machine.\n\n- CVE-2016-9533 (arbitrary code execution)\n\ntif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities\nin heap allocated buffers. Reported as MSVR 35094, aka "PixarLog\nhorizontalDifference heap-buffer-overflow."\n\n- CVE-2016-9534 (arbitrary code execution)\n\ntif_write.c in libtiff 4.0.6 has an issue in the error code path of\nTIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members.\nReported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow."\n\n- CVE-2016-9535 (arbitrary code execution)\n\ntif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that\ncan lead to assertion failures in debug mode, or buffer overflows in\nrelease mode, when dealing with unusual tile size like YCbCr with\nsubsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-\noverflow."\n\n- CVE-2016-9536 (arbitrary code execution)\n\nIt was found that tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds\nwrite vulnerabilities in heap allocated buffers in\nt2p_process_jpeg_strip().\n\n- CVE-2016-9537 (arbitrary code execution)\n\nIt was found that tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds\nwrite vulnerabilities in heap allocated buffers.\n\n- CVE-2016-9538 (denial of service)\n\nIt was found that tools/tiffcrop.c in libtiff 4.0.6 reads an undefined\nbuffer in readContigStripsIntoBuffer() because of a uint16 integer\noverflow.\n\n- CVE-2016-9539 (information disclosure)\n\nIt was found that tools/tiffcrop.c in libtiff 4.0.6 has an out-of-\nbounds read in readContigTilesIntoBuffer() leading to possible\ninformation disclosure.\n\n- CVE-2016-9540 (arbitrary code execution)\n\nIt was found that tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds\nheap write on tiled images with odd tile width versus image width. This\nhas also been reported as MSVR 35103, aka "cpStripToTile heap-buffer-\noverflow."", "published": "2016-11-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-November/000773.html", "cvelist": ["CVE-2016-9453", "CVE-2016-3622", "CVE-2016-9536", "CVE-2016-5314", "CVE-2016-9448", "CVE-2016-3623", "CVE-2016-5319", "CVE-2016-3631", "CVE-2015-8668", "CVE-2016-3625", "CVE-2016-3619", "CVE-2016-5322", "CVE-2016-5318", "CVE-2016-9540", "CVE-2014-8127", "CVE-2016-3621", "CVE-2016-3658", "CVE-2016-9297", "CVE-2016-3632", "CVE-2010-2596", "CVE-2016-9539", "CVE-2016-3620", "CVE-2015-8683", "CVE-2016-5316", "CVE-2016-9534", "CVE-2016-5320", "CVE-2015-7313", "CVE-2016-9535", "CVE-2016-3186", "CVE-2016-5323", "CVE-2016-5652", "CVE-2016-5315", "CVE-2014-8130", "CVE-2016-9537", "CVE-2016-9538", "CVE-2016-3990", "CVE-2016-3633", "CVE-2016-6223", "CVE-2016-5317", "CVE-2016-3624", "CVE-2016-9532", "CVE-2015-8665", "CVE-2016-5102", "CVE-2016-5321", "CVE-2016-3634", "CVE-2016-3945", "CVE-2016-3991", "CVE-2016-5875", "CVE-2016-9533", "CVE-2016-9273"], "lastseen": "2016-11-26T01:23:04"}, {"id": "ASA-201611-27", "type": "archlinux", "title": "lib32-libtiff: multiple issues", "description": "- CVE-2010-2596 (denial of service)\n\nThe OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2,\nas used in tiff2ps, allows remote attackers to cause a denial of\nservice (assertion failure and application exit) via a crafted TIFF\nimage, related to "downsampled OJPEG input."\n\n- CVE-2014-8127 (information disclosure)\n\nLibTIFF provides support for the Tag Image File Format (TIFF), a widely\nused format for storing image data. It is composed of a library for\nworking with TIFF files along with a small collection of tools for\ndoing simple manipulations of TIFF images.\nMultiple out-of-bounds reads can be triggered with malformed TIFF\nimages in the following LibTIFF tools: thumbnail, tiff2bw, tiff2rgba,\ntiff2ps, tiffdither, tiffmedian, tiffset\n\n- CVE-2014-8130 (denial of service)\n\nA floating point exception due to a division by zero in the tiffdither\ntool can be triggered with a malformed TIFF file leading to denial of\nservice.\n\n- CVE-2015-7313 (denial of service)\n\nA denial of service flaw was found in the way libtiff parsed certain\ntiff files. An attacker could use this flaw to create a specially\ncrafted TIFF file that would cause an application using libtiff to\nexhaust all available memory on the system.\n\n- CVE-2015-8665 (denial of service)\n\ntif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a\ndenial of service (out-of-bounds read) via the SamplesPerPixel tag in a\nTIFF image.\n\n- CVE-2015-8668 (arbitrary code execution)\n\nHeap-based buffer overflow in the PackBitsPreEncode function in\ntif_packbits.c in bmp2tiff in libtiff 4.0.6 and earlier allows remote\nattackers to execute arbitrary code or cause a denial of service via a\nlarge width field in a BMP image.\n\n- CVE-2015-8683 (denial of service)\n\nAn out-bounds-read flaw was found in the way libtiff processed CIE Lab\nimage format files. A attacker could create a specially-crafted CIE Lab\nimage format files which could cause libtiff to crash.\n\n- CVE-2016-3186 (denial of service)\n\nA buffer overflow vulnerability was reported in libtiff library, in the\nreadextension function in the gif2tiff component. A maliciously crafted\nGIF file could cause the application to crash resulting in denial of\nservice.\n\n- CVE-2016-3619 (denial of service)\n\nAn out-of-bounds read vulnerability has been discovered in the\nDumpModeEncode function when handling maliciously crafted BMP files,\nwhile doing operation _TIFFmemcpy. An attacker could exploit this issue\nto cause a denial of service.\n\n- CVE-2016-3620 (denial of service)\n\nAn out-of-bounds read vulnerability has been discovered in ZIPEncode\nfunction in tif_zip.c. Running bmp2tiff on a specially crafted BMP file\nresults in an application crash.\n\n- CVE-2016-3621 (denial of service)\n\nThe LZWEncode function in tif_lzw.c in the bmp2tiff tool in LibTIFF\n4.0.6 and earlier, when the "-c lzw" option is used, allows remote\nattackers to cause a denial of service (buffer over-read) via a crafted\nBMP image.\n\n- CVE-2016-3622 (denial of service)\n\nDivision by zero vulnerability was found in fpAcc function in\ntif_predict.c in tiff2rgba, allowing attacker to cause a denial of\nservice via a crafted TIFF image.\n\n- CVE-2016-3623 (denial of service)\n\nDivision by zero vulnerability was found in cvtRaster function in\nrgb2ycybr.c, allowing attacker to cause a denial of service via a\ncrafted TIFF image.\n\n- CVE-2016-3624 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in cvtClump function in\nrgb2ycybr.c, allowing attacker to cause a denial of service or possibly\nexecute arbitrary code via a crafted TIFF image.\n\n- CVE-2016-3625 (denial of service)\n\nAn out-of-bounds read vulnerability was found in tif_read.c in tiff2bw,\nallowing attacker to cause a denial of service via a crafted TIFF\nimage.\n\n- CVE-2016-3631 (denial of service)\n\nThe (1) cpStrips and (2) cpTiles functions in the thumbnail tool in\nLibTIFF 4.0.6 and earlier allow remote attackers to cause a denial of\nservice (out-of-bounds read) via vectors related to the bytecounts[]\narray variable.\n\n- CVE-2016-3632 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in _TIFFVGetField\nfunction in tif_dirinfo.c, allowing attacker to cause a denial of\nservice or code execution via a crafted TIFF image.\n\n- CVE-2016-3633 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the _setrow function\nin the libtiff library. Using a thumbnail command on a maliciously\ncrafted image could cause the application to crash.\n\n- CVE-2016-3634 (denial of service)\n\nA vulnerability was found in the libtiff library. Using the tagCompare\nfunction with the thumbnail command on a maliciously crafted tiff file\ncould cause an out-of-bounds read leading to application crash.\n\n- CVE-2016-3658 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the\nTIFFWriteDirectoryTagLongLong8Array function in the libtiff library.\nUsing a tiffset command on a maliciously crafted image could result in\na denial-of-service.\n\n- CVE-2016-3945 (arbitrary code execution)\n\nWhen libtiff's tiff2rgba handles a maliciously-crafted tiff file(width=\n8388640, height=31) an illegal write happens. This vulnerability exists\nin the function cvt_by_strip (and cvt_by_tile ) due to an improper\nbuffer allocation. An attacker may control the write address and/or\nvalue to result in denial-of-service or arbitrary code execution.\n\n- CVE-2016-3990 (arbitrary code execution)\n\nAn out-of-bounds write flaw was found in libtiff v4.0.6 when using\ntiffcp command to handle malicious tiff file. The vulnerability exists\nin the function horizontalDifference8(). An attacker could control the\nhead data of next heap which contains pre_size field and size filed to\nresult in denial of service or arbitrary code execution.\n\n- CVE-2016-3991 (arbitrary code execution)\n\nAn out-of-bounds write caused by a heap overflow when using tiffcrop\ntool. The vulnerability is located in the loadImage() function of\ntiffcrop.c. loadImage() will read the numbers of tiles by calling\nTIFFNumberOfTiles(). However, if the numbers of tiles is 0, loadImage()\nwill still read tile data by calling readContigTilesIntoBuffer() from\nthe image, regardless of the numbers. In that case, loadImage() will\nallocate 3 bytes of heap to store a tile data, and a heap overflow\noccurs if a tile data is beyond 3 bytes. This will cause denial of\nservice or arbitrary code execution upon freeing the buffer.\n\n- CVE-2016-5102 (denial of service)\n\nA vulnerability was found in libtiff. A maliciously crafted file could\ncause the application to crash via buffer overflow in gif2tiff tool.\n\n- CVE-2016-5314 (arbitrary code execution)\n\nA vulnerability was found in libtiff. A maliciously crafted TIFF file\ncould cause the application to crash when using rgb2ycbcr command via\nan out-of-bounds write in the PixarLogDecode() function.\n\n- CVE-2016-5315 (denial of service)\n\nAn out-of-bounds read vulnerability was found in in the setByteArray()\nfunction inlibtiff. A maliciously crafted TIFF file could cause the\napplication to crash when using rgb2ycbcr.\n\n- CVE-2016-5316 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the PixarLogCleanup()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash when using rgb2ycbcr.\n\n- CVE-2016-5317 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in the PixarLogDecode()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash or possibly execute arbitrary code when generating\na thumbnail for it.\n\n- CVE-2016-5318 (arbitrary code execution)\n\nA stack-based buffer overflow vulnerability was reported in thumbnail's\n_TIFFVGetField() function. Memory corruption can be triggered when\nhandling maliciously crafted tiff file causing application to crash or\npossibly execute arbitrary code.\n\n- CVE-2016-5319 (arbitrary code execution)\n\nHeap-based buffer overflow vulnerability was found in tif_packbits.c in\nPackBitsEncode function. Memory corruption can be triggered when\nbmp2tiff is handling maliciously crafted bmp file causing application\nto crash or possibly execute arbitrary code.\n\n- CVE-2016-5320 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability was found in the PixarLogDecode()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash or even execute arbitrary code on a vulnerable\nmachine when using the rgb2ycbcr command.\n\n- CVE-2016-5321 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the DumpModeDecode()\nfunction in libtiff. A maliciously crafted TIFF file could cause the\napplication to crash when using tiffcrop command.\n\n- CVE-2016-5322 (denial of service)\n\nAn out-of-bounds read vulnerability was found in the\nextractContigSamplesBytes() function in libtiff. A maliciously crafted\nTIFF file could cause the application to crash when using the tiffcrop\ncommand.\n\n- CVE-2016-5323 (denial of service)\n\nWhen using the tiffcrop command and a crafted TIFF image, the function\n_TIFFFax3fill() runs without checking the value of the divisor and\ncauses a divide by zero flaw. Attackers can exploit this issue to cause\na denial of service.\n\n- CVE-2016-5652 (arbitrary code execution)\n\nAn exploitable heap based buffer overflow exists in the handling of\nTIFF images in LibTIFF’s TIFF2PDF tool. A crafted TIFF document can\nlead to a heap based buffer overflow via JPEG Compression Tables\nresulting in remote code execution. This vulnerability can be triggered\nvia a saved TIFF file delivered by other means.\n\n- CVE-2016-5875 (arbitrary code execution)\n\nThere is a heap-based buffer overflow on libtiff/tif_pixarlog.c. The\nvulnerability allows an attacker to control the size of the allocated\nheap-buffer while independently controlling the data to be written to\nthe buffer with no restrictions on the size of the written data.\n\n- CVE-2016-6223 (information disclosure)\n\nAn out-of-bounds read vulnerability on memory-mapped files in\nTIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond\ntmsize_t max value was found. The vulnerability allows an attacker to\nspecify a negative index into the file-content buffer and copy data\nfrom that position until the end of the buffer. This will allow an\nattacker to crash the process by accessing unmapped memory and\n(depending on how LibTIFF is used) might also allow an attacker to leak\nsensitive information.\n\n- CVE-2016-9273 (denial of service)\n\nA heap buffer overflow has been discovered resulting in a read outside\nof the array boundaries leading to an application crash.\n\n- CVE-2016-9297 (denial of service)\n\nA buffer read overflow has been discovered in libtiff. The function\nTIFFFetchNormalTag() in libtiff/tif_dirread.c did not make sure that\nvalues of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII\naccess are null terminated leading to potential read outside the buffer\nin _TIFFPrintField().\n\n- CVE-2016-9448 (denial of service)\n\nA null pointer dereference vulnerability in TIFFFetchNormalTag() occurs\nwhen values of tags with TIFF_SETGET_C16_ASCII / TIFF_SETGET_C32_ASCII\naccess are 0-byte arrays leading to denial of service.\n\n- CVE-2016-9453 (arbitrary code execution)\n\nAn out-of-bounds write vulnerability has been discovered caused by a\nmemcpy call without proper bounds checks. A malicious tiff file handled\nby tiff2pdf will cause an illegal write to a potentially attacker\ncontrolled target address.\n\n- CVE-2016-9532 (arbitrary code execution)\n\nMultiple uint32 overflows have been discovered that are leading to a\nheap buffer overflow in writeBufferToSeparateStrips(). A maliciously\ncrafted TIFF file could cause the application to crash or even execute\narbitrary code on a vulnerable machine.\n\n- CVE-2016-9533 (arbitrary code execution)\n\ntif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities\nin heap allocated buffers. Reported as MSVR 35094, aka "PixarLog\nhorizontalDifference heap-buffer-overflow."\n\n- CVE-2016-9534 (arbitrary code execution)\n\ntif_write.c in libtiff 4.0.6 has an issue in the error code path of\nTIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members.\nReported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow."\n\n- CVE-2016-9535 (arbitrary code execution)\n\ntif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that\ncan lead to assertion failures in debug mode, or buffer overflows in\nrelease mode, when dealing with unusual tile size like YCbCr with\nsubsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-\noverflow."\n\n- CVE-2016-9536 (arbitrary code execution)\n\nIt was found that tools/tiff2pdf.c in libtiff 4.0.6 has out-of-bounds\nwrite vulnerabilities in heap allocated buffers in\nt2p_process_jpeg_strip().\n\n- CVE-2016-9537 (arbitrary code execution)\n\nIt was found that tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds\nwrite vulnerabilities in heap allocated buffers.\n\n- CVE-2016-9538 (denial of service)\n\nIt was found that tools/tiffcrop.c in libtiff 4.0.6 reads an undefined\nbuffer in readContigStripsIntoBuffer() because of a uint16 integer\noverflow.\n\n- CVE-2016-9539 (information disclosure)\n\nIt was found that tools/tiffcrop.c in libtiff 4.0.6 has an out-of-\nbounds read in readContigTilesIntoBuffer() leading to possible\ninformation disclosure.\n\n- CVE-2016-9540 (arbitrary code execution)\n\nIt was found that tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds\nheap write on tiled images with odd tile width versus image width. This\nhas also been reported as MSVR 35103, aka "cpStripToTile heap-buffer-\noverflow."", "published": "2016-11-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2016-November/000774.html", "cvelist": ["CVE-2016-9453", "CVE-2016-3622", "CVE-2016-9536", "CVE-2016-5314", "CVE-2016-9448", "CVE-2016-3623", "CVE-2016-5319", "CVE-2016-3631", "CVE-2015-8668", "CVE-2016-3625", "CVE-2016-3619", "CVE-2016-5322", "CVE-2016-5318", "CVE-2016-9540", "CVE-2014-8127", "CVE-2016-3621", "CVE-2016-3658", "CVE-2016-9297", "CVE-2016-3632", "CVE-2010-2596", "CVE-2016-9539", "CVE-2016-3620", "CVE-2015-8683", "CVE-2016-5316", "CVE-2016-9534", "CVE-2016-5320", "CVE-2015-7313", "CVE-2016-9535", "CVE-2016-3186", "CVE-2016-5323", "CVE-2016-5652", "CVE-2016-5315", "CVE-2014-8130", "CVE-2016-9537", "CVE-2016-9538", "CVE-2016-3990", "CVE-2016-3633", "CVE-2016-6223", "CVE-2016-5317", "CVE-2016-3624", "CVE-2016-9532", "CVE-2015-8665", "CVE-2016-5102", "CVE-2016-5321", "CVE-2016-3634", "CVE-2016-3945", "CVE-2016-3991", "CVE-2016-5875", "CVE-2016-9533", "CVE-2016-9273"], "lastseen": "2016-11-26T01:23:04"}]}}
