Security update for tiff

Announcement ID:	SUSE-SU-2017:1044-1
Rating:	important
References:	bsc#1031247 bsc#1031249 bsc#1031250 bsc#1031254 bsc#1031255 bsc#1031262 bsc#1031263
Cross-References:	CVE-2016-10266 CVE-2016-10267 CVE-2016-10268 CVE-2016-10269 CVE-2016-10270 CVE-2016-10271 CVE-2016-10272
CVSS scores:	CVE-2016-10266 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-10267 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-10268 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-10269 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-10270 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-10271 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-10272 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 SUSE Linux Enterprise Software Development Kit 12 12-SP2 SUSE Linux Enterprise Software Development Kit 12 SP1

An update that solves seven vulnerabilities can now be installed.

Description:

This update for tiff fixes the following issues:

Security issues fixed: - CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "WRITE of size 2048" and libtiff/tif_next.c:64:9 (bsc#1031247). - CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 1" and libtiff/tif_fax3.c:413:13 (bsc#1031249). - CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22 (bsc#1031250). - CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2 (bsc#1031254). - CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23 (bsc#1031255). - CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8 (bsc#1031262). - CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. (bsc#1031263).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12 SP1
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2017-610=1
• SUSE Linux Enterprise Desktop 12 SP2
  zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2017-610=1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2
  zypper in -t patch SUSE-SLE-RPI-12-SP2-2017-610=1
• SUSE Linux Enterprise Software Development Kit 12 SP1
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2017-610=1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-610=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-610=1
• SUSE Linux Enterprise Server 12 SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2017-610=1
• SUSE Linux Enterprise High Performance Computing 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-610=1
• SUSE Linux Enterprise Server 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-610=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-2017-610=1

Package List:

• SUSE Linux Enterprise Desktop 12 SP1 (x86_64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • libtiff5-32bit-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
  • libtiff5-debuginfo-32bit-4.0.7-43.1
• SUSE Linux Enterprise Desktop 12 SP2 (x86_64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • libtiff5-32bit-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
  • libtiff5-debuginfo-32bit-4.0.7-43.1
• SUSE Linux Enterprise Server for the Raspberry Pi 12-SP2 (aarch64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
• SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
  • libtiff-devel-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
  • libtiff-devel-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
  • libtiff5-debuginfo-32bit-4.0.7-43.1
  • libtiff5-32bit-4.0.7-43.1
• SUSE Linux Enterprise Server 12 SP1 (ppc64le s390x x86_64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
• SUSE Linux Enterprise Server 12 SP1 (s390x x86_64)
  • libtiff5-debuginfo-32bit-4.0.7-43.1
  • libtiff5-32bit-4.0.7-43.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (aarch64 x86_64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
• SUSE Linux Enterprise High Performance Computing 12 SP2 (x86_64)
  • libtiff5-debuginfo-32bit-4.0.7-43.1
  • libtiff5-32bit-4.0.7-43.1
• SUSE Linux Enterprise Server 12 SP2 (aarch64 ppc64le s390x x86_64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
• SUSE Linux Enterprise Server 12 SP2 (s390x x86_64)
  • libtiff5-debuginfo-32bit-4.0.7-43.1
  • libtiff5-32bit-4.0.7-43.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (ppc64le x86_64)
  • libtiff5-debuginfo-4.0.7-43.1
  • tiff-debuginfo-4.0.7-43.1
  • tiff-4.0.7-43.1
  • tiff-debugsource-4.0.7-43.1
  • libtiff5-4.0.7-43.1
• SUSE Linux Enterprise Server for SAP Applications 12 SP2 (x86_64)
  • libtiff5-debuginfo-32bit-4.0.7-43.1
  • libtiff5-32bit-4.0.7-43.1

References:

• https://www.suse.com/security/cve/CVE-2016-10266.html
• https://www.suse.com/security/cve/CVE-2016-10267.html
• https://www.suse.com/security/cve/CVE-2016-10268.html
• https://www.suse.com/security/cve/CVE-2016-10269.html
• https://www.suse.com/security/cve/CVE-2016-10270.html
• https://www.suse.com/security/cve/CVE-2016-10271.html
• https://www.suse.com/security/cve/CVE-2016-10272.html
• https://bugzilla.suse.com/show_bug.cgi?id=1031247
• https://bugzilla.suse.com/show_bug.cgi?id=1031249
• https://bugzilla.suse.com/show_bug.cgi?id=1031250
• https://bugzilla.suse.com/show_bug.cgi?id=1031254
• https://bugzilla.suse.com/show_bug.cgi?id=1031255
• https://bugzilla.suse.com/show_bug.cgi?id=1031262
• https://bugzilla.suse.com/show_bug.cgi?id=1031263