Security update for tiff

Announcement ID:	SUSE-SU-2018:1179-1
Rating:	moderate
References:	bsc#1007280 bsc#1011107 bsc#1011845 bsc#1017688 bsc#1017690 bsc#1017691 bsc#1017692 bsc#1031255 bsc#1046077 bsc#1048937 bsc#1074318 bsc#960341 bsc#983436
Cross-References:	CVE-2015-7554 CVE-2016-10095 CVE-2016-10268 CVE-2016-3945 CVE-2016-5318 CVE-2016-5652 CVE-2016-9453 CVE-2016-9536 CVE-2017-11335 CVE-2017-17973 CVE-2017-9935
CVSS scores:	CVE-2016-10095 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-10268 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-3945 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-5318 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-5652 ( NVD ): 7.0 CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-9453 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-9453 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-9453 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-9536 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-11335 ( SUSE ): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H CVE-2017-11335 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-17973 ( SUSE ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2017-17973 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2017-9935 ( SUSE ): 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2017-9935 ( NVD ): 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SLES for SAP Applications 11-SP4 SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Software Development Kit 11 SP4

An update that solves 11 vulnerabilities and has two security fixes can now be installed.

Description:

This update for tiff fixes the following issues:

• CVE-2016-9453: The t2p_readwrite_pdf_image_tile function allowed remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one (bsc#1011107).
• CVE-2016-5652: An exploitable heap-based buffer overflow existed in the handling of TIFF images in the TIFF2PDF tool. A crafted TIFF document can lead to a heap-based buffer overflow resulting in remote code execution. Vulnerability can be triggered via a saved TIFF file delivered by other means (bsc#1007280).
• CVE-2017-11335: There is a heap based buffer overflow in tools/tiff2pdf.c via a PlanarConfig=Contig image, which caused a more than one hundred bytes out-of-bounds write (related to the ZIPDecode function in tif_zip.c). A crafted input may lead to a remote denial of service attack or an arbitrary code execution attack (bsc#1048937).
• CVE-2016-9536: tools/tiff2pdf.c had an out-of-bounds write vulnerabilities in heap allocated buffers in t2p_process_jpeg_strip(). Reported as MSVR 35098, aka "t2p_process_jpeg_strip heap-buffer-overflow." (bsc#1011845)
• CVE-2017-9935: In LibTIFF, there was a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution (bsc#1046077).
• CVE-2017-17973: There is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. (bsc#1074318)
• CVE-2015-7554: The _TIFFVGetField function in tif_dir.c allowed attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image (bsc#960341).
• CVE-2016-5318: Stack-based buffer overflow in the _TIFFVGetField function allowed remote attackers to crash the application via a crafted tiff (bsc#983436).
• CVE-2016-10095: Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c allowed remote attackers to cause a denial of service (crash) via a crafted TIFF file (bsc#1017690,).
• CVE-2016-10268: tools/tiffcp.c allowed remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23 (bsc#1031255)
• An overlapping of memcpy parameters was fixed which could lead to content corruption (bsc#1017691).
• Fixed an invalid memory read which could lead to a crash (bsc#1017692).
• Fixed a NULL pointer dereference in TIFFReadRawData (tiffinfo.c) that could crash the decoder (bsc#1017688).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Development Kit 11 SP4
  zypper in -t patch sdksp4-tiff-13594=1
• SUSE Linux Enterprise Server 11 SP4
  zypper in -t patch slessp4-tiff-13594=1
• SLES for SAP Applications 11-SP4
  zypper in -t patch slessp4-tiff-13594=1

Package List:

• SUSE Linux Enterprise Software Development Kit 11 SP4 (s390x x86_64 i586 ppc64 ia64)
  • libtiff-devel-3.8.2-141.169.3.1
• SUSE Linux Enterprise Software Development Kit 11 SP4 (ppc64 s390x x86_64)
  • libtiff-devel-32bit-3.8.2-141.169.3.1
• SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
  • libtiff3-3.8.2-141.169.3.1
  • tiff-3.8.2-141.169.3.1
• SUSE Linux Enterprise Server 11 SP4 (ia64)
  • libtiff3-x86-3.8.2-141.169.3.1
• SUSE Linux Enterprise Server 11 SP4 (ppc64 s390x x86_64)
  • libtiff3-32bit-3.8.2-141.169.3.1
• SLES for SAP Applications 11-SP4 (ppc64 x86_64)
  • libtiff3-3.8.2-141.169.3.1
  • tiff-3.8.2-141.169.3.1
  • libtiff3-32bit-3.8.2-141.169.3.1

References:

• https://www.suse.com/security/cve/CVE-2015-7554.html
• https://www.suse.com/security/cve/CVE-2016-10095.html
• https://www.suse.com/security/cve/CVE-2016-10268.html
• https://www.suse.com/security/cve/CVE-2016-3945.html
• https://www.suse.com/security/cve/CVE-2016-5318.html
• https://www.suse.com/security/cve/CVE-2016-5652.html
• https://www.suse.com/security/cve/CVE-2016-9453.html
• https://www.suse.com/security/cve/CVE-2016-9536.html
• https://www.suse.com/security/cve/CVE-2017-11335.html
• https://www.suse.com/security/cve/CVE-2017-17973.html
• https://www.suse.com/security/cve/CVE-2017-9935.html
• https://bugzilla.suse.com/show_bug.cgi?id=1007280
• https://bugzilla.suse.com/show_bug.cgi?id=1011107
• https://bugzilla.suse.com/show_bug.cgi?id=1011845
• https://bugzilla.suse.com/show_bug.cgi?id=1017688
• https://bugzilla.suse.com/show_bug.cgi?id=1017690
• https://bugzilla.suse.com/show_bug.cgi?id=1017691
• https://bugzilla.suse.com/show_bug.cgi?id=1017692
• https://bugzilla.suse.com/show_bug.cgi?id=1031255
• https://bugzilla.suse.com/show_bug.cgi?id=1046077
• https://bugzilla.suse.com/show_bug.cgi?id=1048937
• https://bugzilla.suse.com/show_bug.cgi?id=1074318
• https://bugzilla.suse.com/show_bug.cgi?id=960341
• https://bugzilla.suse.com/show_bug.cgi?id=983436