Amazon Linux AMI update for libtiff

Published: 2019-10-10
Severity High
Patch available YES
Number of vulnerabilities 12
CVE ID CVE-2018-12900
CVE-2018-10963
CVE-2018-18661
CVE-2018-7456
CVE-2018-10779
CVE-2018-8905
CVE-2018-18557
CVE-2016-3186
CVE-2018-17100
CVE-2018-17101
CVE-2017-13726
CVE-2017-18013
CWE ID CWE-122
CWE-20
CWE-476
CWE-125
CWE-787
CWE-120
CWE-119
CWE-617
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #4 is available.
Public exploit code for vulnerability #5 is available.
Public exploit code for vulnerability #6 is available.
Public exploit code for vulnerability #7 is available.
Vulnerable software Amazon Linux AMI Subscribe
Vendor Amazon Web Services, Inc.

Security Advisory

1) Heap-based buffer overflow

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12900

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c. A remote unauthenticated attacker can trick the victim into opening a specially crafted TIFF file that can trigger memory corruption and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

Severity: Low

CVSSv3: 5.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-10963

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote attacker to cause denial of service conditions.

The vulnerability exists due to insufficient validation of user-supplied input processed by the TIFFWriteDirectorySec() function, as defined in the tif_dirwrite.c source code file. A remote attacker can trick the victim into opening a specially crafted file, trigger assertion failure and cause the application to crash.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Null pointer dereference

Severity: Low

CVSSv3: 3.4 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-18661

CWE-ID: CWE-476 - NULL Pointer Dereference

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to NULL pointer dereference in the function LZWDecode in the file tif_lzw.c. A remote attacker can trick the victim into opening a specially crafted input, trigger NULL pointer dereference and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) NULL pointer dereference

Severity: Low

CVSSv3: 5.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-7456

CWE-ID: CWE-476 - NULL Pointer Dereference

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.

The vulnerability exists in the TIFFPrintDirectory function that is defined in the tif_print.c source code file due to NULL pointer dereference. A remote attacker can create a specially crafted TIFF file, trick the victim into opening it and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Heap-based buffer over-read

Severity: Low

CVSSv3: 2.9 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:U]

CVE-ID: CVE-2018-10779

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a local attacker to cause DoS condition on the target system.

The weakness exists in the TIFFWriteScanline function in the tif_write.csource code file due to insufficient validation of user-supplied input. A local attacker can use the .bmp2tiff command to execute a specially crafted file, trigger heap-based buffer over-read and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Heap-based buffer overflow

Severity: High

CVSSv3: 8.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:U] [PCI]

CVE-ID: CVE-2018-8905

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition or execute arbitrary code on the target system.

The weakness exists in the LZWDecodeCompat function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted TIFF file, cause the service to crash or execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

7) Out-of-bounds write

Severity: High

CVSSv3: 9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-18557

CWE-ID: CWE-787 - Out-of-bounds Write

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to decoding of arbitrarily-sized JBIG into a buffer, ignoring the buffer size. A remote unauthenticated attacker can supply specially crafted input, trigger a tif_jbig.c JBIGDecode out-of-bounds write and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Buffer overflow

Severity: Low

CVSSv3: 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-3186

CWE-ID: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Description

The vulnerability allows a remote attacker can cause DoS condition on the target system.

The weakness exists in the gif2tiff.c due to buffer overflow. A remote attacker can submit a specially crafted GIF file and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Integer overflow

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-17100

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to int32 overflow when insufficient validation of user-supplied input processed by the multiply_ms() function, as defined in the tools/ppm2tiff.c source code file. A remote unauthenticated attacker can trick the victim into opening or executing an image file that submits malicious input to the targeted system. A successful exploit could trigger memory corruption and cause the affected software to crash, resulting in a DoS condition.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Out-of-bounds read

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-17101

CWE-ID: CWE-125 - Out-of-bounds Read

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to out-of-bounds read during insufficient validation of user-supplied input processed by the cpTags function, as defined in the tools/tiff2bw.c and tools/pal2rgb.c source code files. A remote unauthenticated attacker can trick the victim into opening or executing an image file that submits malicious input to the targeted system. A successful exploit could trigger memory corruption and cause the affected software to crash, resulting in a DoS condition.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Assertion failure

Severity: Low

CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-13726

CWE-ID: CWE-617 - Reachable Assertion

Description

The vulnerability allows a remote attacker to cause DoS condition.

The vulnerability exists due to a reachable assertion abort in the function TIFFWriteDirectorySec(), related to tif_dirwrite.c and a SubIFD tag when processing malicious input. A remote attacker can send specially crafted input, trigger assertion failure and cause the service to crash.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) NULL pointer dereference

Severity: Low

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-18013

CWE-ID: CWE-476 - NULL Pointer Dereference

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference error in tif_print.c within TIFFPrintDirectory() function. A remote attacker can trigger a NULL pointer dereference error and crash the affected application.

Mitigation

Update the affected packages:

i686:
    libtiff-4.0.3-32.34.amzn1.i686
    libtiff-devel-4.0.3-32.34.amzn1.i686
    libtiff-debuginfo-4.0.3-32.34.amzn1.i686
    libtiff-static-4.0.3-32.34.amzn1.i686

src:
    libtiff-4.0.3-32.34.amzn1.src

x86_64:
    libtiff-static-4.0.3-32.34.amzn1.x86_64
    libtiff-debuginfo-4.0.3-32.34.amzn1.x86_64
    libtiff-4.0.3-32.34.amzn1.x86_64
    libtiff-devel-4.0.3-32.34.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: 2017.03

CPE External links

https://alas.aws.amazon.com/ALAS-2019-1306.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.