SUSE update for tiff
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2015-8665 CVE-2015-8683 CVE-2020-35521 CVE-2020-35522 CVE-2020-35523 CVE-2020-35524 |
| CWE-ID | CWE-119 CWE-190 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
SUSE Linux Enterprise Server Operating systems & Components / Operating system SUSE Linux Enterprise Point of Sale Operating systems & Components / Operating system SUSE Linux Enterprise Debuginfo Operating systems & Components / Operating system tiff-debugsource Operating systems & Components / Operating system package or component tiff-debuginfo Operating systems & Components / Operating system package or component libtiff3-32bit Operating systems & Components / Operating system package or component tiff Operating systems & Components / Operating system package or component libtiff3 Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU32276
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-8665
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image.
MitigationUpdate the affected package tiff to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE
SUSE Linux Enterprise Point of Sale: 11-SP3
SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4
tiff-debugsource: before 3.8.2-141.169.34.1
tiff-debuginfo: before 3.8.2-141.169.34.1
libtiff3-32bit: before 3.8.2-141.169.34.1
tiff: before 3.8.2-141.169.34.1
libtiff3: before 3.8.2-141.169.34.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU32278
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-8683
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image.
MitigationUpdate the affected package tiff to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE
SUSE Linux Enterprise Point of Sale: 11-SP3
SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4
tiff-debugsource: before 3.8.2-141.169.34.1
tiff-debuginfo: before 3.8.2-141.169.34.1
libtiff3-32bit: before 3.8.2-141.169.34.1
tiff: before 3.8.2-141.169.34.1
libtiff3: before 3.8.2-141.169.34.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU51448
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-35521
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing TIFF images in tif_read.c. A remote attacker can create a specially crafted TIFF, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package tiff to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE
SUSE Linux Enterprise Point of Sale: 11-SP3
SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4
tiff-debugsource: before 3.8.2-141.169.34.1
tiff-debuginfo: before 3.8.2-141.169.34.1
libtiff3-32bit: before 3.8.2-141.169.34.1
tiff: before 3.8.2-141.169.34.1
libtiff3: before 3.8.2-141.169.34.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU51447
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-35522
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing TIFF images in tif_pixarlog.c. A remote attacker can create a specially crafted TIFF image, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package tiff to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE
SUSE Linux Enterprise Point of Sale: 11-SP3
SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4
tiff-debugsource: before 3.8.2-141.169.34.1
tiff-debuginfo: before 3.8.2-141.169.34.1
libtiff3-32bit: before 3.8.2-141.169.34.1
tiff: before 3.8.2-141.169.34.1
libtiff3: before 3.8.2-141.169.34.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU51445
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-35523
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the the tif_getimage.c file in libtiff. A remote attacker can pass specially crafted file to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package tiff to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE
SUSE Linux Enterprise Point of Sale: 11-SP3
SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4
tiff-debugsource: before 3.8.2-141.169.34.1
tiff-debuginfo: before 3.8.2-141.169.34.1
libtiff3-32bit: before 3.8.2-141.169.34.1
tiff: before 3.8.2-141.169.34.1
libtiff3: before 3.8.2-141.169.34.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Buffer overflow
EUVDB-ID: #VU51446
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-35524
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing TIFF images in libtiff's TIFF2PDF tool. A remote attacker can create a specially crafted TIFF image, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package tiff to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server: 11-SP4-LTSS-EXTREME-CORE
SUSE Linux Enterprise Point of Sale: 11-SP3
SUSE Linux Enterprise Debuginfo: 11-SP3 - 11-SP4
tiff-debugsource: before 3.8.2-141.169.34.1
tiff-debuginfo: before 3.8.2-141.169.34.1
libtiff3-32bit: before 3.8.2-141.169.34.1
tiff: before 3.8.2-141.169.34.1
libtiff3: before 3.8.2-141.169.34.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
