SB2016120301 - Multiple vulnerabilities in LibTIFF
Published: December 3, 2016 Updated: July 3, 2018
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Memory corruption (CVE-ID: CVE-2016-10268)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists due to an integer underflow and a heap-based buffer under-read. A remote attacker can trick the victim into opening a specially crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23, trigger memory corruption and cause the service to crash.
2) Out-of-bounds write (CVE-ID: CVE-2016-9453)
The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system. The weakness exists in the t2p_readwrite_pdf_image_tile function due to an out-of-bounds write. A remote attacker can trick the victim into opening a specially crafted JPEG file with a TIFFTAG_JPEGTABLES of length one and cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
3) Out-of-bounds write (CVE-ID: CVE-2016-9536)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists in heap-allocated buffers in t2p_process_jpeg_strip() in tools/tiff2pdf.c due to an out-of-bounds write, aka "t2p_process_jpeg_strip heap-buffer-overflow." A remote attacker can execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
4) Off-by-one error (CVE-ID: CVE-2016-10094)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The vulnerability exists due to an off-by-one error in the t2p_readwrite_pdf_image_tile function in tools/tiff2pdf.c when processing malicious input. A remote attacker can send a specially crafted image and cause the service to crash.
5) Memory corruption (CVE-ID: CVE-2016-10093)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The vulnerability exists due to an integer overflow in tools/tiffcp.c when processing malicious input. A remote attacker can send a specially crafted image, trigger a heap-based buffer overflow and cause the service to crash.
6) Heap-based buffer overflow (CVE-ID: CVE-2016-10092)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The vulnerability exists due to a heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c when processing malicious input. A remote attacker can send a specially crafted image, trigger memory corruption and cause the service to crash.
7) Buffer over-read (CVE-ID: CVE-2017-17942)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a heap-based buffer over-read in the function PackBitsEncode in tif_packbits.c. A remote attacker can perform a denial of service attack.
Remediation
Install the update from the vendor's website.
References
- https://github.com/vadz/libtiff/commit/5397a417e61258c69209904e652a1f409ec3b9df
- http://bugzilla.maptools.org/show_bug.cgi?id=2579
- https://github.com/vadz/libtiff/commit/83a4b92815ea04969d494416eaae3d4c6b338e4a#diff-5173a9b3b48146e...
- https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76
- https://github.com/vadz/libtiff/commit/787c0ee906430b772f33ca50b97b8b5ca070faec
- https://github.com/vadz/libtiff/commit/9657bbe3cdce4aaa90e07d50c1c70ae52da0ba6a
- http://www.securityfocus.com/bid/102312
- http://bugzilla.maptools.org/show_bug.cgi?id=2767