{"id":"MGASA-2017-0199","summary":"Updated libtiff packages fix security vulnerability","details":"Heap-based buffer overflow in the readContigStripsIntoBuffer function in\ntif_unix.c in LibTIFF 4.0.7 allows remote attackers to have unspecified\nimpact via a crafted image. (CVE-2016-10092)\n\nInteger overflow in tools/tiffcp.c in LibTIFF 4.0.7 allows remote\nattackers to have unspecified impact via a crafted image, which triggers a\nheap-based buffer overflow.  (CVE-2016-10093)\n\nOff-by-one error in the t2p_readwrite_pdf_image_tile function in\ntools/tiff2pdf.c in LibTIFF 4.0.7 allows remote attackers to have\nunspecified impact via a crafted image. (CVE-2016-10094)\n\nStack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in\nLibTIFF 4.0.7 allows remote attackers to cause a denial of service (crash)\nvia a crafted TIFF file. (CVE-2016-10095)\n\nLibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the\ntools/tiffcp resulting in DoS or code execution via a crafted\nBitsPerSample value. (CVE-2017-5225)\n\nLibTIFF 4.0.7 allows remote attackers to cause a denial of service\n(divide-by-zero error and application crash) via a crafted TIFF image,\nrelated to libtiff/tif_read.c:351:22. (CVE-2016-10266)\n\nLibTIFF 4.0.7 allows remote attackers to cause a denial of service\n(divide-by-zero error and application crash) via a crafted TIFF image,\nrelated to libtiff/tif_ojpeg.c:816:8. (CVE-2016-10267)\n\ntools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial\nof service (integer underflow and heap-based buffer under-read) or\npossibly have unspecified other impact via a crafted TIFF image, related\nto \"READ of size 78490\" and libtiff/tif_unix.c:115:23. (CVE-2016-10268)\n\nLibTIFF 4.0.7 allows remote attackers to cause a denial of service\n(heap-based buffer over-read) or possibly have unspecified other impact\nvia a crafted TIFF image, related to \"READ of size 512\" and\nlibtiff/tif_unix.c:340:2. (CVE-2016-10269)\n\nLibTIFF 4.0.7 allows remote attackers to cause a denial of service\n(heap-based buffer over-read) or possibly have unspecified other impact\nvia a crafted TIFF image, related to \"READ of size 8\" and\nlibtiff/tif_read.c:523:22. (CVE-2016-10270)\n\ntools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a\ndenial of service (heap-based buffer over-read and buffer overflow) or\npossibly have unspecified other impact via a crafted TIFF image, related\nto \"READ of size 1\" and libtiff/tif_fax3.c:413:13. (CVE-2016-10271)\n\nLibTIFF 4.0.7 allows remote attackers to cause a denial of service\n(heap-based buffer overflow) or possibly have unspecified other impact via\na crafted TIFF image, related to \"WRITE of size 2048\" and\nlibtiff/tif_next.c:64:9. (CVE-2016-10272)\n\nThe putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a\nleft-shift undefined behavior issue, which might allow remote attackers to\ncause a denial of service (application crash) or possibly have unspecified\nother impact via a crafted image. (CVE-2017-7592)\n\ntif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is properly\ninitialized, which might allow remote attackers to obtain sensitive\ninformation from process memory via a crafted image. (CVE-2017-7593)\n\nThe OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF\n4.0.7 allows remote attackers to cause a denial of service (memory leak)\nvia a crafted image. (CVE-2017-7594)\n\nThe JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows remote\nattackers to cause a denial of service (divide-by-zero error and\napplication crash) via a crafted image. (CVE-2017-7595)\n\nLibTIFF 4.0.7 has an \"outside the range of representable values of type\nfloat\" undefined behavior issue, which might allow remote attackers to\ncause a denial of service (application crash) or possibly have unspecified\nother impact via a crafted image. (CVE-2017-7596)\n\ntif_dirread.c in LibTIFF 4.0.7 has an \"outside the range of representable\nvalues of type float\" undefined behavior issue, which might allow remote\nattackers to cause a denial of service (application crash) or possibly\nhave unspecified other impact via a crafted image. (CVE-2017-7597)\n\ntif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a\ndenial of service (divide-by-zero error and application crash) via a\ncrafted image. (CVE-2017-7598)\n\nLibTIFF 4.0.7 has an \"outside the range of representable values of type\nshort\" undefined behavior issue, which might allow remote attackers to\ncause a denial of service (application crash) or possibly have unspecified\nother impact via a crafted image. (CVE-2017-7599)\n\nLibTIFF 4.0.7 has an \"outside the range of representable values of type\nunsigned char\" undefined behavior issue, which might allow remote\nattackers to cause a denial of service (application crash) or possibly\nhave unspecified other impact via a crafted image. (CVE-2017-7600)\n\nLibTIFF 4.0.7 has a \"shift exponent too large for 64-bit type long\"\nundefined behavior issue, which might allow remote attackers to cause a\ndenial of service (application crash) or possibly have unspecified other\nimpact via a crafted image. (CVE-2017-7601)\n\nLibTIFF 4.0.7 has a signed integer overflow, which might allow remote\nattackers to cause a denial of service (application crash) or possibly\nhave unspecified other impact via a crafted image. (CVE-2017-7602)\n\nThe TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the\ntiffset tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause\na denial of service (out-of-bounds read) via vectors involving the ma\nvariable. (CVE-2016-3658)\n\ntif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can\nlead to assertion failures in debug mode, or buffer overflows in release\nmode, when dealing with unusual tile size like YCbCr with subsampling.\nReported as MSVR 35105, aka \"Predictor heap-buffer-overflow.\"\n(CVE-2016-9535)\n\nlibtiff: out-of-bounds write in multiple tools. (CVE-2014-8128)\n","modified":"2026-02-04T03:16:58.693993Z","published":"2017-07-01T07:04:05Z","related":["CVE-2014-8128","CVE-2016-10092","CVE-2016-10093","CVE-2016-10094","CVE-2016-10095","CVE-2016-10266","CVE-2016-10267","CVE-2016-10268","CVE-2016-10269","CVE-2016-10270","CVE-2016-10271","CVE-2016-10272","CVE-2016-3658","CVE-2016-9535","CVE-2017-5225","CVE-2017-7592","CVE-2017-7593","CVE-2017-7594","CVE-2017-7595","CVE-2017-7596","CVE-2017-7597","CVE-2017-7598","CVE-2017-7599","CVE-2017-7600","CVE-2017-7601","CVE-2017-7602"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0199.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=20057"}],"affected":[{"package":{"name":"libtiff","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/libtiff?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.8-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0199.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}