Security update for tiff SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1889-1 Final 1 1 2016-07-27T13:29:00Z current 2016-07-27T13:29:00Z 2016-07-27T13:29:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tiff This update for tiff fixes the following issues: Security issues fixed: - CVE-2016-5314: Fixed an out-of-bounds write in PixarLogDecode() function (boo#984831) - CVE-2016-5316: Fixed an out-of-bounds read in PixarLogCleanup() function in tif_pixarlog.c (boo#984837) - CVE-2016-5317: Fixed an out-of-bounds write in PixarLogDecode() function in libtiff.so (boo#984842) - CVE-2016-5320: Fixed an out-of-bounds write in PixarLogDecode() function in tif_pixarlog.c (boo#984808) - CVE-2016-5875: Fixed a heap-based buffer overflow when using the PixarLog compressionformat (boo#987351) Bugs fixed: - boo#964225: Fixed writes for invalid images (upstream bug #2522) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html E-Mail link for openSUSE-SU-2016:1889-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 libtiff-devel-4.0.6-10.26.1 libtiff-devel-32bit-4.0.6-10.26.1 libtiff5-4.0.6-10.26.1 libtiff5-32bit-4.0.6-10.26.1 libtiff5-debuginfo-4.0.6-10.26.1 libtiff5-debuginfo-32bit-4.0.6-10.26.1 tiff-4.0.6-10.26.1 tiff-debuginfo-4.0.6-10.26.1 tiff-debugsource-4.0.6-10.26.1 libtiff-devel-4.0.6-10.26.1 as a component of openSUSE 13.2 libtiff-devel-32bit-4.0.6-10.26.1 as a component of openSUSE 13.2 libtiff5-4.0.6-10.26.1 as a component of openSUSE 13.2 libtiff5-32bit-4.0.6-10.26.1 as a component of openSUSE 13.2 libtiff5-debuginfo-4.0.6-10.26.1 as a component of openSUSE 13.2 libtiff5-debuginfo-32bit-4.0.6-10.26.1 as a component of openSUSE 13.2 tiff-4.0.6-10.26.1 as a component of openSUSE 13.2 tiff-debuginfo-4.0.6-10.26.1 as a component of openSUSE 13.2 tiff-debugsource-4.0.6-10.26.1 as a component of openSUSE 13.2 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2016-5314 openSUSE 13.2:libtiff-devel-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff-devel-4.0.6-10.26.1 openSUSE 13.2:libtiff5-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-4.0.6-10.26.1 openSUSE 13.2:tiff-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-debugsource-4.0.6-10.26.1 moderate 5.7 AV:N/AC:M/Au:N/C:N/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html https://www.suse.com/security/cve/CVE-2016-5314.html CVE-2016-5314 https://bugzilla.suse.com/984831 SUSE Bug 984831 https://bugzilla.suse.com/987351 SUSE Bug 987351 Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool. CVE-2016-5316 openSUSE 13.2:libtiff-devel-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff-devel-4.0.6-10.26.1 openSUSE 13.2:libtiff5-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-4.0.6-10.26.1 openSUSE 13.2:tiff-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-debugsource-4.0.6-10.26.1 moderate 5.7 AV:N/AC:M/Au:N/C:N/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html https://www.suse.com/security/cve/CVE-2016-5316.html CVE-2016-5316 https://bugzilla.suse.com/984837 SUSE Bug 984837 Buffer overflow in the PixarLogDecode function in libtiff.so in the PixarLogDecode function in libtiff 4.0.6 and earlier, as used in GNOME nautilus, allows attackers to cause a denial of service attack (crash) via a crafted TIFF file. CVE-2016-5317 openSUSE 13.2:libtiff-devel-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff-devel-4.0.6-10.26.1 openSUSE 13.2:libtiff5-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-4.0.6-10.26.1 openSUSE 13.2:tiff-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-debugsource-4.0.6-10.26.1 moderate 5.7 AV:N/AC:M/Au:N/C:N/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html https://www.suse.com/security/cve/CVE-2016-5317.html CVE-2016-5317 https://bugzilla.suse.com/984842 SUSE Bug 984842 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2016-5320 openSUSE 13.2:libtiff-devel-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff-devel-4.0.6-10.26.1 openSUSE 13.2:libtiff5-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-4.0.6-10.26.1 openSUSE 13.2:tiff-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-debugsource-4.0.6-10.26.1 moderate 5.7 AV:N/AC:M/Au:N/C:N/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html https://www.suse.com/security/cve/CVE-2016-5320.html CVE-2016-5320 https://bugzilla.suse.com/984808 SUSE Bug 984808 https://bugzilla.suse.com/987351 SUSE Bug 987351 ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. CVE-2016-5875 openSUSE 13.2:libtiff-devel-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff-devel-4.0.6-10.26.1 openSUSE 13.2:libtiff5-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-32bit-4.0.6-10.26.1 openSUSE 13.2:libtiff5-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-4.0.6-10.26.1 openSUSE 13.2:tiff-debuginfo-4.0.6-10.26.1 openSUSE 13.2:tiff-debugsource-4.0.6-10.26.1 moderate 5.7 AV:N/AC:M/Au:N/C:N/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html https://www.suse.com/security/cve/CVE-2016-5875.html CVE-2016-5875 https://bugzilla.suse.com/1007284 SUSE Bug 1007284 https://bugzilla.suse.com/984831 SUSE Bug 984831 https://bugzilla.suse.com/987351 SUSE Bug 987351