libtiff-devel-32bit-4.6.0-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13381-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libtiff-devel-32bit-4.6.0-2.1 on GA media These are all security issues fixed in the libtiff-devel-32bit-4.6.0-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13381 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2016-10092/ SUSE CVE CVE-2016-10092 page https://www.suse.com/security/cve/CVE-2016-6223/ SUSE CVE CVE-2016-6223 page https://www.suse.com/security/cve/CVE-2017-12944/ SUSE CVE CVE-2017-12944 page https://www.suse.com/security/cve/CVE-2017-17095/ SUSE CVE CVE-2017-17095 page https://www.suse.com/security/cve/CVE-2019-14973/ SUSE CVE CVE-2019-14973 page https://www.suse.com/security/cve/CVE-2019-17546/ SUSE CVE CVE-2019-17546 page https://www.suse.com/security/cve/CVE-2020-19131/ SUSE CVE CVE-2020-19131 page https://www.suse.com/security/cve/CVE-2020-35521/ SUSE CVE CVE-2020-35521 page https://www.suse.com/security/cve/CVE-2020-35522/ SUSE CVE CVE-2020-35522 page https://www.suse.com/security/cve/CVE-2020-35523/ SUSE CVE CVE-2020-35523 page https://www.suse.com/security/cve/CVE-2020-35524/ SUSE CVE CVE-2020-35524 page https://www.suse.com/security/cve/CVE-2022-22844/ SUSE CVE CVE-2022-22844 page https://www.suse.com/security/cve/CVE-2022-2867/ SUSE CVE CVE-2022-2867 page https://www.suse.com/security/cve/CVE-2022-2868/ SUSE CVE CVE-2022-2868 page https://www.suse.com/security/cve/CVE-2022-2869/ SUSE CVE CVE-2022-2869 page https://www.suse.com/security/cve/CVE-2022-34266/ SUSE CVE CVE-2022-34266 page openSUSE Tumbleweed libtiff-devel-4.6.0-2.1 libtiff-devel-32bit-4.6.0-2.1 libtiff6-4.6.0-2.1 libtiff6-32bit-4.6.0-2.1 tiff-4.6.0-2.1 libtiff-devel-4.6.0-2.1 as a component of openSUSE Tumbleweed libtiff-devel-32bit-4.6.0-2.1 as a component of openSUSE Tumbleweed libtiff6-4.6.0-2.1 as a component of openSUSE Tumbleweed libtiff6-32bit-4.6.0-2.1 as a component of openSUSE Tumbleweed tiff-4.6.0-2.1 as a component of openSUSE Tumbleweed Heap-based buffer overflow in the readContigStripsIntoBuffer function in tif_unix.c in LibTIFF 4.0.7, 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5 and 4.0.6 allows remote attackers to have unspecified impact via a crafted image. CVE-2016-10092 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-10092.html CVE-2016-10092 https://bugzilla.suse.com/1017693 SUSE Bug 1017693 https://bugzilla.suse.com/1122679 SUSE Bug 1122679 The TIFFReadRawStrip1 and TIFFReadRawTile1 functions in tif_read.c in libtiff before 4.0.7 allows remote attackers to cause a denial of service (crash) or possibly obtain sensitive information via a negative index in a file-content buffer. CVE-2016-6223 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-6223.html CVE-2016-6223 https://bugzilla.suse.com/990460 SUSE Bug 990460 The TIFFReadDirEntryArray function in tif_read.c in LibTIFF 4.0.8 mishandles memory allocation for short files, which allows remote attackers to cause a denial of service (allocation failure and application crash) in the TIFFFetchStripThing function in tif_dirread.c during a tiff2pdf invocation. CVE-2017-12944 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-12944.html CVE-2017-12944 https://bugzilla.suse.com/1003874 SUSE Bug 1003874 https://bugzilla.suse.com/1054594 SUSE Bug 1054594 tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (TIFFSetupStrips heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file. CVE-2017-17095 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-17095.html CVE-2017-17095 https://bugzilla.suse.com/1071031 SUSE Bug 1071031 _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behavior that is undefined by the applicable C standards. This can, for example, lead to an application crash. CVE-2019-14973 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-14973.html CVE-2019-14973 https://bugzilla.suse.com/1146608 SUSE Bug 1146608 tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition. CVE-2019-17546 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-17546.html CVE-2019-17546 https://bugzilla.suse.com/1154365 SUSE Bug 1154365 Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop". CVE-2020-19131 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-19131.html CVE-2020-19131 https://bugzilla.suse.com/1190312 SUSE Bug 1190312 A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service. CVE-2020-35521 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35521.html CVE-2020-35521 https://bugzilla.suse.com/1182808 SUSE Bug 1182808 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack. CVE-2020-35522 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35522.html CVE-2020-35522 https://bugzilla.suse.com/1182809 SUSE Bug 1182809 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-35523 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35523.html CVE-2020-35523 https://bugzilla.suse.com/1182811 SUSE Bug 1182811 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-35524 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-35524.html CVE-2020-35524 https://bugzilla.suse.com/1182812 SUSE Bug 1182812 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field. CVE-2022-22844 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-22844.html CVE-2022-22844 https://bugzilla.suse.com/1194539 SUSE Bug 1194539 libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation. CVE-2022-2867 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-2867.html CVE-2022-2867 https://bugzilla.suse.com/1202466 SUSE Bug 1202466 libtiff's tiffcrop utility has a improper input validation flaw that can lead to out of bounds read and ultimately cause a crash if an attacker is able to supply a crafted file to tiffcrop. CVE-2022-2868 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-2868.html CVE-2022-2868 https://bugzilla.suse.com/1202467 SUSE Bug 1202467 libtiff's tiffcrop tool has a uint32_t underflow which leads to out of bounds read and write in the extractContigSamples8bits routine. An attacker who supplies a crafted file to tiffcrop could trigger this flaw, most likely by tricking a user into opening the crafted file with tiffcrop. Triggering this flaw could cause a crash or potentially further exploitation. CVE-2022-2869 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-2869.html CVE-2022-2869 https://bugzilla.suse.com/1202468 SUSE Bug 1202468 The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource. CVE-2022-34266 openSUSE Tumbleweed:libtiff-devel-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff-devel-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-32bit-4.6.0-2.1 openSUSE Tumbleweed:libtiff6-4.6.0-2.1 openSUSE Tumbleweed:tiff-4.6.0-2.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-34266.html CVE-2022-34266 https://bugzilla.suse.com/1201723 SUSE Bug 1201723 https://bugzilla.suse.com/1208311 SUSE Bug 1208311