Errata overview
Errata ID 305
Date 2016-10-20
Source package tiff3
Fixed in version 3.9.6-11.5.201610131701
Description
This update addresses the following issues:
* The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and
  3.9.2, as used in tiff2ps, allows remote attackers to cause a
  denial of service (assertion failure and application exit) via a
  crafted TIFF image, related to "downsampled OJPEG input."
  (CVE-2010-2596)
* Stack-based buffer overflow in the t2p_write_pdf_page function in
  tiff2pdf in libtiff before 4.0.3 allows remote attackers to cause a
  denial of service (application crash) via a crafted image length
  and resolution in a TIFF image file (CVE-2013-1961)
* Out-of-bounds write (CVE-2014-8128)
* Out-of-bounds read and write (CVE-2014-8129)
* The (1) putcontig8bitYCbCr21tile function in tif_getimage.c or (2)
  NeXTDecode function in tif_next.c in LibTIFF allows remote
  attackers to cause a denial of service (uninitialized memory
  access) via a crafted TIFF image (CVE-2014-9655)
* Uninitialized memory in NeXTDecode (CVE-2015-1547)
* Out-of-bounds read in CIE Lab image format (CVE-2015-8683)
* Out-of-bounds read in TIFFRGBAImage interface (CVE-2015-8665)
* Buffer overflow in the readextension function in gif2tiff.c in
  LibTIFF 4.0.6 allows remote attackers to cause a denial of service
  (application crash) via a crafted GIF file. (CVE-2016-3186)
* Divide By Zero in the rgb2ycbcr tool (CVE-2016-3623)
* Out-of-bounds Write in the tiff2rgba tool (CVE-2016-3945)
* tiffcp: out-of-bounds write in horizontalDifference8()
  (CVE-2016-3990)
* tiffcrop: out-of-bounds write in loadImage() (CVE-2016-3991)
* PixarLogDecode() out-of-bounds writes (CVE-2016-5314)
* tif_dir.c: setByteArray() Read access violation (CVE-2016-5315)
* tif_pixarlog.c: PixarLogCleanup() Segmentation fault
  (CVE-2016-5316)
* GNOME nautilus: crash occurs when generating a thumbnail for a
  crafted TIFF image (CVE-2016-5317)
* rgb2ycbcr: command execution (CVE-2016-5320)
* DumpModeDecode(): DoS (CVE-2016-5321)
* extractContigSamplesBytes: out-of-bounds read (CVE-2016-5322)
* tiffcrop _TIFFFax3fillruns(): NULL pointer dereference
  (CVE-2016-5323)
* tiff: heap-based buffer overflow when using the PixarLog
  compression format (CVE-2016-5875)
* tiff: information leak in libtiff/tif_read.c (CVE-2016-6223)
Additional notes
CVE ID CVE-2010-2596
CVE-2013-1961
CVE-2014-8128
CVE-2014-8129
CVE-2014-9655
CVE-2015-1547
CVE-2015-8665
CVE-2015-8683
CVE-2016-3186
CVE-2016-3623
CVE-2016-3945
CVE-2016-3990
CVE-2016-3991
CVE-2016-5314
CVE-2016-5315
CVE-2016-5316
CVE-2016-5317
CVE-2016-5320
CVE-2016-5321
CVE-2016-5322
CVE-2016-5323
CVE-2016-5875
CVE-2016-6223
UCS Bug number #42312