tiff: Multiple vulnerabilities (CVE-2017-9935, CVE-2017-11613, CVE-2018-10963)
CVE-2017-9935: In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow can have several different consequences: a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9935
http://bugzilla.maptools.org/show_bug.cgi?id=2704
CVE-2017-11613: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function, which a crafted input file can trigger. During the TIFFOpen process, td_imagelength is not checked, and its value is taken directly from the input file. In the ChopUpSingleUncompressedStrip function, _TIFFCheckMalloc is called with a size derived from td_imagelength, so a td_imagelength close to the amount of system memory will hang the system or trigger the OOM killer.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-11613
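A header-level triage check for the CVE-2017-11613 pattern, added here as an example; it is not libtiff code and not the fix referenced in this issue. It parses the first IFD of a classic TIFF and flags an uncompressed image whose ImageLength exceeds the file size, on the reasoning that a file cannot hold more rows of pixel data than it has bytes; the heuristic, the function names and the constructed sample TIFF are assumptions.

```python
import struct

# TIFF 6.0 tag numbers used below.
TAG_IMAGELENGTH, TAG_COMPRESSION = 257, 259

def read_ifd0_tags(data):
    """Parse the header and first IFD; return {tag: value} for single-value SHORT/LONG entries."""
    bo = {b"II": "<", b"MM": ">"}.get(data[:2])
    if bo is None or len(data) < 8 or struct.unpack(bo + "H", data[2:4])[0] != 42:
        raise ValueError("not a classic TIFF file")
    ifd = struct.unpack(bo + "I", data[4:8])[0]
    if ifd + 2 > len(data):
        raise ValueError("IFD offset beyond end of file")
    count = struct.unpack(bo + "H", data[ifd:ifd + 2])[0]
    tags = {}
    for e in range(ifd + 2, ifd + 2 + 12 * count, 12):
        if e + 12 > len(data):
            raise ValueError("truncated IFD")
        tag, typ, n = struct.unpack(bo + "HHI", data[e:e + 8])
        if n == 1 and typ == 3:    # SHORT: value sits in the first two bytes of the value field
            tags[tag] = struct.unpack(bo + "H", data[e + 8:e + 10])[0]
        elif n == 1 and typ == 4:  # LONG: value fills the whole four-byte field
            tags[tag] = struct.unpack(bo + "I", data[e + 8:e + 12])[0]
    return tags

def claimed_rows_fit_file(data):
    """Triage check (an assumed heuristic, not libtiff's own fix): an uncompressed image needs
    at least one byte of strip data per row, so an ImageLength larger than the whole file
    cannot be genuine and should not be allowed to size an allocation."""
    tags = read_ifd0_tags(data)
    if tags.get(TAG_COMPRESSION, 1) != 1:
        return True  # compressed rows can be smaller than a byte; out of scope for this check
    return tags.get(TAG_IMAGELENGTH, 0) <= len(data)

def build_tiff(image_length):
    """Constructed sample: a 1-pixel-wide, 8-bit, uncompressed, single-strip little-endian TIFF
    whose ImageLength is whatever the caller claims; only one real byte of pixel data follows.
    All entries are encoded as LONG for brevity."""
    entries = [(256, 1), (257, image_length), (258, 8), (259, 1), (273, 0),
               (278, image_length), (279, 1)]
    pixel_off = 8 + 2 + 12 * len(entries) + 4  # header + count + entries + next-IFD pointer
    ifd = struct.pack("<H", len(entries))
    for tag, val in entries:
        ifd += struct.pack("<HHII", tag, 4, 1, pixel_off if tag == 273 else val)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + b"\x00"
```

Running `claimed_rows_fit_file` over a directory of incoming files before handing them to libtiff turns the td_imagelength case above into a logged rejection rather than a multi-gigabyte allocation attempt.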
CVE-2018-10963: A flaw was found in LibTIFF through 4.0.9. The TIFFWriteDirectorySec() function in tif_dirwrite.c allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-10963
Patch:
https://gitlab.com/libtiff/libtiff/commit/de144fd228e4be8aa484c3caf3d814b6fa88c6d9
(from redmine: issue id 9162, created on 2018-07-31, closed on 2018-08-02)
- Relations:
- copied_to #9163 (closed)
- copied_to #9164 (closed)
- copied_to #9165 (closed)
- copied_to #9166 (closed)
- child #9163 (closed)
- child #9164 (closed)
- child #9165 (closed)
- child #9166 (closed)