SB2017070614 - Debian update for tiff

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017070614

SB2017070614 - Debian update for tiff

Published: July 6, 2017 Updated: July 11, 2017

Security Bulletin ID SB2017070614
CSH Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Partial DoS

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 vulnerabilities.


1) Stack-based buffer overflow (CVE-ID: CVE-2016-10095)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause DoS condition.

The weakness exits due to stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c. A remote attacker can send specially crafted TIFF file and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

2) Improper input validation (CVE-ID: CVE-2017-9147)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows a remote attacker to cause DoS condition.

The weakness exits due to invalid read in the _TIFFVGetField function in tif_dir.c. A remote attacker can send specially crafted TIFF file and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

3) Memory leak (CVE-ID: CVE-2017-9403)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause DoS condition.

The weakness exits due to memory leak in the function TIFFReadDirEntryLong8Array in tif_dirread.c. A remote attacker can send specially crafted TIFF file and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

4) Memory leak (CVE-ID: CVE-2017-9404)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause DoS condition.

The weakness exits due to memory leak in the function OJPEGReadHeaderInfoSecTablesQTable in tif_ojpeg.c. A remote attacker can send specially crafted TIFF file and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

5) Memory leak (CVE-ID: CVE-2017-9936)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows a remote attacker to cause DoS condition.

The weakness exits due to memory leak in tif_jbig.c. A remote attacker can send specially crafted TIFF file and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

6) Denial of service (CVE-ID: CVE-2017-10688)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear


The vulnerability allows a remote attacker to cause DoS condition.

The weakness exits due to assertion abort in the TIFFWriteDirectoryTagCheckedLong8Array function in tif_dirwrite.c. A remote attacker can send specially crafted TIFF file and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install update from vendor's website.

References