Security update for tiff
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2015:0450-1
Final
1
1
2015-03-01T11:17:59Z
current
2015-03-01T11:17:59Z
2015-03-01T11:17:59Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for tiff
LibTIFF was updated to fix various security issues that could lead to crashes of the image decoder.
(CVE-2014-9655, CVE-2014-8127, CVE-2014-8128, CVE-2014-8129, CVE-2014-8130, CVE-2015-1547)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
E-Mail link for openSUSE-SU-2015:0450-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
libtiff-devel-4.0.3-8.4.1
libtiff-devel-32bit-4.0.3-8.4.1
libtiff5-4.0.3-8.4.1
libtiff5-32bit-4.0.3-8.4.1
tiff-4.0.3-8.4.1
LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted TIFF image to the (1) checkInkNamesString function in tif_dir.c in the thumbnail tool, (2) compresscontig function in tiff2bw.c in the tiff2bw tool, (3) putcontig8bitCIELab function in tif_getimage.c in the tiff2rgba tool, LZWPreDecode function in tif_lzw.c in the (4) tiff2ps or (5) tiffdither tool, (6) NeXTDecode function in tif_next.c in the tiffmedian tool, or (7) TIFFWriteDirectoryTagLongLong8Array function in tif_dirwrite.c in the tiffset tool.
CVE-2014-8127
critical
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
https://www.suse.com/security/cve/CVE-2014-8127.html
CVE-2014-8127
https://bugzilla.suse.com/914890
SUSE Bug 914890
https://bugzilla.suse.com/916925
SUSE Bug 916925
https://bugzilla.suse.com/942690
SUSE Bug 942690
LibTIFF prior to 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted TIFF image.
CVE-2014-8128
critical
9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
https://www.suse.com/security/cve/CVE-2014-8128.html
CVE-2014-8128
https://bugzilla.suse.com/1007276
SUSE Bug 1007276
https://bugzilla.suse.com/1017690
SUSE Bug 1017690
https://bugzilla.suse.com/1040322
SUSE Bug 1040322
https://bugzilla.suse.com/914890
SUSE Bug 914890
https://bugzilla.suse.com/916925
SUSE Bug 916925
https://bugzilla.suse.com/942690
SUSE Bug 942690
https://bugzilla.suse.com/960341
SUSE Bug 960341
https://bugzilla.suse.com/974621
SUSE Bug 974621
https://bugzilla.suse.com/983436
SUSE Bug 983436
LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c.
CVE-2014-8129
critical
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
https://www.suse.com/security/cve/CVE-2014-8129.html
CVE-2014-8129
https://bugzilla.suse.com/914890
SUSE Bug 914890
https://bugzilla.suse.com/916925
SUSE Bug 916925
https://bugzilla.suse.com/942690
SUSE Bug 942690
The _TIFFmalloc function in tif_unix.c in LibTIFF 4.0.3 does not reject a zero size, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image that is mishandled by the TIFFWriteScanline function in tif_write.c, as demonstrated by tiffdither.
CVE-2014-8130
critical
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
https://www.suse.com/security/cve/CVE-2014-8130.html
CVE-2014-8130
https://bugzilla.suse.com/914890
SUSE Bug 914890
https://bugzilla.suse.com/916925
SUSE Bug 916925
https://bugzilla.suse.com/942690
SUSE Bug 942690
The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2) NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff-cvs-1.tif and libtiff-cvs-2.tif.
CVE-2014-9655
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
https://www.suse.com/security/cve/CVE-2014-9655.html
CVE-2014-9655
https://bugzilla.suse.com/914890
SUSE Bug 914890
https://bugzilla.suse.com/916925
SUSE Bug 916925
https://bugzilla.suse.com/916927
SUSE Bug 916927
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
CVE-2015-1547
moderate
Please install the update.
https://lists.opensuse.org/opensuse-updates/2015-03/msg00022.html
https://www.suse.com/security/cve/CVE-2015-1547.html
CVE-2015-1547
https://bugzilla.suse.com/914890
SUSE Bug 914890
https://bugzilla.suse.com/916925
SUSE Bug 916925