Security update for tiff SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1108-1 Final 1 1 2017-04-26T12:11:41Z current 2017-04-26T12:11:41Z 2017-04-26T12:11:41Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tiff This update for tiff fixes the following issues: Security issues fixed: - CVE-2016-10272: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to 'WRITE of size 2048' and libtiff/tif_next.c:64:9 (bsc#1031247). - CVE-2016-10271: tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 1' and libtiff/tif_fax3.c:413:13 (bsc#1031249). - CVE-2016-10270: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 8' and libtiff/tif_read.c:523:22 (bsc#1031250). - CVE-2016-10269: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 512' and libtiff/tif_unix.c:340:2 (bsc#1031254). - CVE-2016-10268: tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 78490' and libtiff/tif_unix.c:115:23 (bsc#1031255). - CVE-2016-10267: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8 (bsc#1031262). - CVE-2016-10266: LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. (bsc#1031263). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html E-Mail link for openSUSE-SU-2017:1108-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 libtiff-devel-4.0.7-17.3.1 libtiff-devel-32bit-4.0.7-17.3.1 libtiff5-4.0.7-17.3.1 libtiff5-32bit-4.0.7-17.3.1 tiff-4.0.7-17.3.1 libtiff-devel-4.0.7-17.3.1 as a component of openSUSE Leap 42.1 libtiff-devel-32bit-4.0.7-17.3.1 as a component of openSUSE Leap 42.1 libtiff5-4.0.7-17.3.1 as a component of openSUSE Leap 42.1 libtiff5-32bit-4.0.7-17.3.1 as a component of openSUSE Leap 42.1 tiff-4.0.7-17.3.1 as a component of openSUSE Leap 42.1 libtiff-devel-4.0.7-17.3.1 as a component of openSUSE Leap 42.2 libtiff-devel-32bit-4.0.7-17.3.1 as a component of openSUSE Leap 42.2 libtiff5-4.0.7-17.3.1 as a component of openSUSE Leap 42.2 libtiff5-32bit-4.0.7-17.3.1 as a component of openSUSE Leap 42.2 tiff-4.0.7-17.3.1 as a component of openSUSE Leap 42.2 LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_read.c:351:22. CVE-2016-10266 openSUSE Leap 42.1:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.1:tiff-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.2:tiff-4.0.7-17.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html https://www.suse.com/security/cve/CVE-2016-10266.html CVE-2016-10266 https://bugzilla.suse.com/1017694 SUSE Bug 1017694 https://bugzilla.suse.com/1031263 SUSE Bug 1031263 LibTIFF 4.0.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted TIFF image, related to libtiff/tif_ojpeg.c:816:8. CVE-2016-10267 openSUSE Leap 42.1:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.1:tiff-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.2:tiff-4.0.7-17.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html https://www.suse.com/security/cve/CVE-2016-10267.html CVE-2016-10267 https://bugzilla.suse.com/1017694 SUSE Bug 1017694 https://bugzilla.suse.com/1031262 SUSE Bug 1031262 tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 78490" and libtiff/tif_unix.c:115:23. CVE-2016-10268 openSUSE Leap 42.1:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.1:tiff-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.2:tiff-4.0.7-17.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html https://www.suse.com/security/cve/CVE-2016-10268.html CVE-2016-10268 https://bugzilla.suse.com/1017693 SUSE Bug 1017693 https://bugzilla.suse.com/1031255 SUSE Bug 1031255 LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6 and 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 512" and libtiff/tif_unix.c:340:2. CVE-2016-10269 openSUSE Leap 42.1:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.1:tiff-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.2:tiff-4.0.7-17.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html https://www.suse.com/security/cve/CVE-2016-10269.html CVE-2016-10269 https://bugzilla.suse.com/1017693 SUSE Bug 1017693 https://bugzilla.suse.com/1031254 SUSE Bug 1031254 LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 8" and libtiff/tif_read.c:523:22. CVE-2016-10270 openSUSE Leap 42.1:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.1:tiff-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.2:tiff-4.0.7-17.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html https://www.suse.com/security/cve/CVE-2016-10270.html CVE-2016-10270 https://bugzilla.suse.com/1031250 SUSE Bug 1031250 tools/tiffcrop.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read and buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "READ of size 1" and libtiff/tif_fax3.c:413:13. CVE-2016-10271 openSUSE Leap 42.1:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.1:tiff-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.2:tiff-4.0.7-17.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html https://www.suse.com/security/cve/CVE-2016-10271.html CVE-2016-10271 https://bugzilla.suse.com/1031249 SUSE Bug 1031249 LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to "WRITE of size 2048" and libtiff/tif_next.c:64:9. CVE-2016-10272 openSUSE Leap 42.1:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.1:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.1:tiff-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff-devel-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-32bit-4.0.7-17.3.1 openSUSE Leap 42.2:libtiff5-4.0.7-17.3.1 openSUSE Leap 42.2:tiff-4.0.7-17.3.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-04/msg00032.html https://www.suse.com/security/cve/CVE-2016-10272.html CVE-2016-10272 https://bugzilla.suse.com/1031247 SUSE Bug 1031247