[3.2] tiff: Multiple vulnerabilities (CVE-2016-9273, CVE-2016-9297, CVE-2016-9448, CVE-2016-9453)
CVE-2016-9273: heap-buffer-overflow in cpStrips
Reference:
http://bugzilla.maptools.org/show_bug.cgi?id=2587
http://libtiff.maptools.org/v4.0.7.html
CVE-2016-9297: segfault in _TIFFPrintField
Reference:
http://bugzilla.maptools.org/show_bug.cgi?id=2590
CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag
Fix for CVE-2016-9297 introduced this issue.
References:
http://bugzilla.maptools.org/show_bug.cgi?id=2593
http://seclists.org/oss-sec/2016/q4/464
CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf
Affected: <=4.0.6
Fixed in: >=4.0.7
References:
http://bugzilla.maptools.org/show_bug.cgi?id=2579
http://libtiff.maptools.org/v4.0.7.html
(from redmine: issue id 6667, created on 2017-01-10, closed on 2017-01-23)
- Relations:
  - parent #6664 (closed)
- Changesets:
  - Revision 581c6405 by Sergei Lukin on 2017-01-20T10:21:47Z:
main/tiff: security upgrade to 4.0.7 - fixes #6667
CVE-2016-9273: heap-buffer-overflow in cpStrips
CVE-2016-9297: segfault in _TIFFPrintField
CVE-2016-9448: Invalid read of size 1 in TIFFFetchNormalTag
CVE-2016-9453: out-of-bounds Write Caused by memcpy and no bound check in tiff2pdf
CVE-2016-3186: Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
CVE-2016-3621: Out-of-bounds Read in the bmp2tiff tool
CVE-2016-3622: Divide By Zero in the tiff2rgba tool
CVE-2016-3623, CVE-2016-3624: Divide By Zero in the rgb2ycbcr tool
CVE-2016-3625: Out-of-bounds Read in the tiff2bw tool
CVE-2016-3658, CVE-2014-8127: Illegal read in TIFFWriteDirectoryTagLongLong8Array function in tiffset / tif_dirwrite.c
CVE-2016-5314, CVE-2016-5315, CVE-2016-5316, CVE-2016-5317: PixarLogDecode() out-of-bound writes
CVE-2016-5320, CVE-2016-5875: Out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c
bugzilla supposes that CVE-2016-5320 is a duplicate of CVE-2016-5314 (https://bugs.alpinelinux.org/issues/6661) which was fixed in tiff 4.0.7 (http://bugzilla.maptools.org/show_bug.cgi?id=2554#c1)
CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode() function
CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function
CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow