SB2016100312 - Multiple vulnerabilities in LibTIFF

Main Vulnerability Database SB2016100312

SB2016100312 - Multiple vulnerabilities in LibTIFF

Published: October 3, 2016 Updated: May 21, 2022

Security Bulletin ID SB2016100312

Severity

High

Patch available

YES

Number of vulnerabilities 8

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2016-9540)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

tools/tiffcp.c in libtiff 4.0.6 has an out-of-bounds write on tiled images with odd tile width versus image width. Reported as MSVR 35103, aka "cpStripToTile heap-buffer-overflow."

2) Buffer overflow (CVE-ID: CVE-2016-9539)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

tools/tiffcrop.c in libtiff 4.0.6 has an out-of-bounds read in readContigTilesIntoBuffer(). Reported as MSVR 35092.

3) Integer overflow (CVE-ID: CVE-2016-9538)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

tools/tiffcrop.c in libtiff 4.0.6 reads an undefined buffer in readContigStripsIntoBuffer() because of a uint16 integer overflow. Reported as MSVR 35100.

4) Buffer overflow (CVE-ID: CVE-2016-9537)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

tools/tiffcrop.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in buffers. Reported as MSVR 35093, MSVR 35096, and MSVR 35097.

5) Buffer overflow (CVE-ID: CVE-2016-9535)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."

6) Buffer overflow (CVE-ID: CVE-2016-9534)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

tif_write.c in libtiff 4.0.6 has an issue in the error code path of TIFFFlushData1() that didn't reset the tif_rawcc and tif_rawcp members. Reported as MSVR 35095, aka "TIFFFlushData1 heap-buffer-overflow."

7) Buffer overflow (CVE-ID: CVE-2016-9533)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

tif_pixarlog.c in libtiff 4.0.6 has out-of-bounds write vulnerabilities in heap allocated buffers. Reported as MSVR 35094, aka "PixarLog horizontalDifference heap-buffer-overflow."

8) Out-of-bounds read (CVE-ID: CVE-2016-3619)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in The DumpModeEncode function in tif_dumpmode.c in the bmp2tiff tool in LibTIFF 4.0.6 and earlier, when the "-c none" option is used,. A remote attacker can perform a denial of service (buffer over-read) via a crafted BMP image.

Remediation

Install update from vendor's website.

References