[security-announce] Security Update: libtiff: multiple CVEs fix

Sona Sarmadi sona.sarmadi at enea.com
Thu Feb 16 10:46:47 CET 2017


		Enea Linux Security Advisory

====================================================================
Product/package: Enea Linux 6.0: (libtiff 4.0.6)
Architecture: all
====================================================================

Following vulnerabilities have been fixed in Enea Linux 6.0 in libtiff
4.0.6:

============================================================
CVE-2016-3945 out-of-bounds write in the tiff2rgba tool
============================================================
Severity: Medium

Affected Versions: <= 4.0.6

Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile
functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b
mode is enabled, allow remote attackers to cause a denial of service
(crash) or execute arbitrary code via a crafted TIFF image, which
triggers an out-of-bounds write.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CCVE-2016-3945
Upstream patch:
https://github.com/vadz/libtiff/commit/7c39352ccd9060d311d3dc9a1f1bc00133a160e6

Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=0cd1402261230582460b6a6f36d0a368c6fc1779

============================================================
CVE-2016-3990 out-of-bounds write in horizontalDifference8()
============================================================
Severity: High

Affected Versions: <= 4.0.6

Heap-based buffer overflow in the horizontalDifference8 function in
tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (crash) or execute arbitrary code via a
crafted TIFF image to tiffcp.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3990
http://bugzilla.maptools.org/show_bug.cgi?id=2544
Upstream patch:
https://github.com/vadz/libtiff/commit/6a4dbb07ccf92836bb4adac7be4575672d0ac5f1

Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=18ee418df8af1a0a83b8262d3f86a8b147044821

============================================================
 CVE-2016-3991 out-of-bounds write in loadImage() function
============================================================
Severity: Medium

Affected Versions: <= 4.0.6

Heap-based buffer overflow in the loadImage function in the tiffcrop
tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a
denial of service (out-of-bounds write) or execute arbitrary code via a
crafted TIFF image with zero tiles.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3991
http://bugzilla.maptools.org/show_bug.cgi?id=2543
Upstream patch:
https://github.com/vadz/libtiff/commit/e596d4e27c5afb7960dc360fdd3afd90ba0fb8ba

Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=b9624e772b25710253655eba111ff95115159158

============================================================
CVE-2016-3623 divide by zero in the rgb2ycybr tool
============================================================
Severity: Medium

Affected Versions: <= 4.0.6

Vulnerability Type: Divide By Zero
Credit: Mei Wang of the Cloud Security Team, Qihoo 360

Division by zero occurs in rgb2ycbcr in libtiff-4.0.6 allows attackers
to cause a denial of service when the param v or param h was set to 0.

References
http://bugzilla.maptools.org/show_bug.cgi?id=2569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3623
http://bugzilla.maptools.org/show_bug.cgi?id=2569
Upstream patch:
https://github.com/vadz/libtiff/commit/bd024f07019f5d9fea236675607a69f74a66bc7b


Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=c52d4669d132d444d2b30141a9a5d8baa44b429f

============================================================
CVE-2016-3622 Division by zero in fpAcc function
============================================================
Severity: Medium

Affected Versions: <= 4.0.6

The fpAcc function in tif_predict.c in the tiff2rgba tool in LibTIFF
4.0.6 and earlier allows remote attackers to cause a denial of service
(divide-by-zero error) via a crafted TIFF image.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3622
http://www.openwall.com/lists/oss-security/2016/04/07/4
Upstream patch:
https://github.com/vadz/libtiff/commit/92d966a5fcfbdca67957c8c5c47b467aa650b286


Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=ab1919a3be588013066edcb98e34fef85a6b864d


How to get the latest patches
=============================
- If you have already cloned needed repositories, update it to get new
security patches.

cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

Use repo tool to download the source for the Enea Linux 6.0 standard,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo >
~/bin/repo $ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2.Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
-u git://git.enea.com/linux/el_manifests-standard.git \ -b krogoth\ -m
<manifest file> $ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPCC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For gerneral security refer to Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed at Enea Linux releases see CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://mail.lists.enea.com/pipermail/security-announce/attachments/20170216/4cee8217/attachment.sig>


More information about the security-announce mailing list