[security-announce] Security Update: libtiff: multiple CVEs fix

Sona Sarmadi sona.sarmadi at enea.com
Wed Feb 22 08:31:52 CET 2017


		Enea Linux Security Advisory

==============================================================
Product/package: Enea Linux 6.0: (libtiff 4.0.6)
Architecture: all
==============================================================

The following vulnerabilities have been fixed in Enea Linux 6.0 in libtiff
4.0.6:

===============================================================
CVE-2016-9538 Integer overflow leads to reading undefined buffer in
readContigStripsIntoBuffer()
===============================================================
Severity: Medium

Affected Versions: <= 4.0.6

Description
tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in
readContigStripsIntoBuffer() because of a uint16 integer overflow.
Reported as MSVR 35100.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9538
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9538

Reference to upstream fix:
https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f

Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=dfde5b94e82264ea16a189252d615d67366e3d98
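As an added illustration for the CVE-2016-9538 entry above (a strip size computed in uint16 arithmetic wraps, so the buffer is too small for the data read into it) and the CVE-2016-9540 entry below (a full tile width copied where the image width is not a multiple of the tile width), the C below shows the two defensive size computations a reviewer would look for. It is written for this advisory and is not libtiff, tiffcrop or tiffcp code; the function names and the constructed sample dimensions (40000-pixel RGB rows, 100-pixel image with 32-pixel tiles) are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative code for the advisory, not libtiff internals. "width" is the
 * image width in pixels, "spp" samples per pixel, "bps" bits per sample and
 * "rows" rows per strip, in the usual TIFF sense. */

/* Pattern 1 (CVE-2016-9538 entry): a strip size formed in 16-bit arithmetic.
 * The product is computed in uint32_t and then truncated to uint16_t, so any
 * value above 65535 wraps and a buffer sized from it is too small. */
uint16_t naive_bytes_per_row(uint16_t width, uint16_t spp, uint16_t bps)
{
    uint16_t bytes_per_sample = (uint16_t)((bps + 7) / 8);
    return (uint16_t)((uint32_t)width * spp * bytes_per_sample);
}

/* Hardened pattern: widen before multiplying, reject zero dimensions, and
 * check every product against a caller-supplied cap using the division form
 * so the check itself cannot wrap. Returns 1 and stores the byte count in
 * *out, or returns 0 if the size is invalid or exceeds cap. */
int safe_strip_size(uint32_t width, uint16_t spp, uint16_t bps,
                    uint32_t rows, size_t cap, size_t *out)
{
    if (width == 0 || spp == 0 || bps == 0 || rows == 0 || cap == 0)
        return 0;
    uint64_t bytes_per_sample = ((uint64_t)bps + 7) / 8;   /* 1..8192 */
    uint64_t row = (uint64_t)width * spp;                    /* <= 2^48, no wrap */
    if (row > cap)
        return 0;
    if (bytes_per_sample > cap / row)
        return 0;
    row *= bytes_per_sample;
    if (rows > cap / row)
        return 0;
    *out = (size_t)(row * rows);
    return 1;
}

/* Convenience wrapper: the strip size, or 0 when safe_strip_size rejects it. */
size_t strip_size_or_zero(uint32_t width, uint16_t spp, uint16_t bps,
                          uint32_t rows, size_t cap)
{
    size_t n = 0;
    return safe_strip_size(width, spp, bps, rows, cap, &n) ? n : 0;
}

/* Pattern 2 (CVE-2016-9540 entry): when strips are repacked into tiles and
 * image_width is not a multiple of tile_width, the rightmost tile column is
 * partial. Copying a full tile_width there runs past the end of the source
 * row, so the copied width must be clamped to what remains of the row. */
uint32_t partial_tile_width(uint32_t image_width, uint32_t tile_width,
                            uint32_t tile_col)
{
    uint64_t start = (uint64_t)tile_col * tile_width;
    if (start >= image_width)
        return 0;                       /* column lies entirely outside the image */
    uint64_t remaining = image_width - start;
    return remaining < tile_width ? (uint32_t)remaining : tile_width;
}

int main(void)
{
    /* Constructed sample: a 40000-pixel-wide, 8-bit RGB row needs 120000
     * bytes; the 16-bit computation reports 54464 (120000 mod 65536). */
    printf("naive bytes per row: %u\n", (unsigned)naive_bytes_per_row(40000, 3, 8));
    printf("safe bytes per row:  %zu\n", strip_size_or_zero(40000, 3, 8, 1, SIZE_MAX));
    printf("rejected (over cap): %zu\n", strip_size_or_zero(40000, 3, 8, 10, 1u << 20));
    /* 100-pixel image, 32-pixel tiles: column 3 starts at pixel 96, 4 remain. */
    printf("last tile column width: %u\n", partial_tile_width(100, 32, 3));
    return 0;
}
```

The cap argument is the point of the hardened version: a decoder should bound a computed allocation by what the file and the caller can legitimately need, not only by what the integer type can hold, so that a crafted header is rejected before any buffer is allocated or filled.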

================================================================
 CVE-2016-9535 Predictor heap-buffer-overflow
================================================================
Severity: Medium

Affected Versions: <= 4.0.6

Description
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that
can lead to assertion failures in debug mode, or buffer overflows in
release mode, when dealing with unusual tile size like YCbCr with
subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9535
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9535

Reference to upstream fixes:
https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1

https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33

Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=a7301f1b499a971f6b208865f1241aaffa4b1dde

================================================================
CVE-2016-9539 Out-of-bounds read in readContigTilesIntoBuffer()
================================================================
Severity: Medium

Affected Versions: <= 4.0.6

Description
tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in
readContigTilesIntoBuffer(). Reported as MSVR 35092.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9539
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9539

Reference to upstream fix:
https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53

Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=6c6fedcb239a188807cdf228a3e0ed116523bf1b

================================================================
CVE-2016-9540 cpStripToTile heap-buffer-overflow
================================================================
Severity: Medium

Affected Versions: <= 4.0.6

Description
tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled
images with odd tile width versus image width. Reported as MSVR 35103,
aka "cpStripToTile heap-buffer-overflow."

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9540
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9540

Reference to upstream fix:
https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3


Correction for Enea Linux:
http://git.enea.com/cgit/linux/poky.git/patch/?id=570f9f9c8ba5c5772152dac6203d317e44d00889

================================================================
 CVE-2016-3632 out-of-bounds write in _TIFFVGetField function
================================================================
Severity: Medium

Affected Versions: <= 4.0.6

Description
The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and
earlier allows remote attackers to cause a denial of service
(out-of-bounds write) or execute arbitrary code via a crafted TIFF image.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3632
http://bugzilla.maptools.org/show_bug.cgi?id=2549

Reference to upstream fix:
http://git.enea.com/cgit/linux/poky.git/patch/?id=22869bb8c9fe6e8cc9f6ef282f2729b133b98912

Correction for Enea Linux:
https://git.enea.com/cgit/linux/poky.git/patch/?id=22869bb8c9fe6e8cc9f6ef282f2729b133b98912

================================================================
 CVE-2016-3658 out-of-bounds read in the
TIFFWriteDirectoryTagLongLong8Array function
================================================================
Severity: Medium

Affected Versions: <= 4.0.6

Description
The TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in
the tiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to
cause a denial of service (out-of-bounds read) via vectors involving the
ma variable.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3658
http://bugzilla.maptools.org/show_bug.cgi?id=2546

Reference to upstream fix:
https://github.com/vadz/libtiff/commit/45c68450bef8ad876f310b495165c513cad8b67d

Correction for Enea Linux:
https://git.enea.com/cgit/linux/poky.git/patch/?id=ca6d95959976c2804d82641c5eb55cfc003f09bc

How to get the latest patches
=============================
- If you have already cloned the needed repositories, update them to get
the new security patches:

$ cd Enea-Linux-6.0
$ repo sync

- If you have not yet cloned the needed repositories, do so as described
below (security patches are fetched implicitly when cloning the repositories).

To download the source for the Enea Linux 6.0 standard with the repo tool,
follow the steps below:
1. Make sure that the repo tool is installed. If not, follow the
instructions below:

$ curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
$ chmod a+x ~/bin/repo

The instruction assumes that ~/bin exists and is included in the PATH
variable.

2. Use the repo tool to download the source:
$ mkdir Enea-Linux-6.0
$ cd Enea-Linux-6.0
$ repo init \
    -u git://git.enea.com/linux/el_manifests-standard.git \
    -b krogoth \
    -m <manifest file>
$ repo sync

The parameter <manifest file> depends on the target:
P2041RDB: p2041rdb/default.xml
LS1021a-IoT: ls1021aiot/default.xml
QEMUARM: qemuarm/default.xml
QEMUPPC: qemuppc/default.xml
QEMUX86: qemux86/default.xml

If you have any questions regarding the security patches and security
updates please contact security at enea.com.

For general security information refer to the Enea Linux Security page:
http://www.enea.com/solutions/Enea-Linux/Security/

For the CVEs fixed in Enea Linux releases, see the CVE list:
http://www.enea.com/solutions/Enea-Linux/Security/CVEs-list/

For custom packages/releases please use the Support Channel:
http://www.enea.com/solutions/support.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
