Huawei EulerOS: Security Advisory for libtiff (EulerOS-SA-2019-2209)

Published: 2020-01-23 12:39:15
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary:
The remote host is missing an update for the Huawei EulerOS 'libtiff' Linux Distribution Package(s) announced via the EulerOS-SA-2019-2209 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.The _TIFFFax3fillruns function in libtiff before 4.0.6 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted Tiff image.(CVE-2016-5323) The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the '-v' option to -1.(CVE-2016-3624) The rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (divide-by-zero) by setting the (1) v or (2) h parameter to 0.(CVE-2016-3623) An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in multiply_ms in tools/ppm2tiff.c, which can cause a denial of service (crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17100) An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds writes in cpTags in tools/tiff2bw.c and tools/pal2rgb.c, which can cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image file.(CVE-2018-17101) LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.(CVE-2018-18557) In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.(CVE-2018-8905) tools/tiffcp.c in LibTIFF 4.0.7 allows remote attackers to cause a denial of service (integer underflow and heap-based buffer under-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 78490' and libtiff/tif_unix.c:115:23.(CVE-2016-10268) LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 512' and libtiff/tif_unix.c:340:2.(CVE-2016-10269) LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted TIFF image, related to 'READ of size 8' and libtiff/tif_read.c:523:22.(CVE-2016-10270) LibTIFF 4.0.7 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted TIFF image, related to 'WRITE of size 2048' and libtiff/tif_next.c:64:9.(CVE-2016-10272) Heap-based buffer over ... Description truncated. Please see the references for more information.

Affected Versions:
'libtiff' Linux Distribution Package(s) on Huawei EulerOS V2.0SP5.

Recommendations:
Please install the updated Linux Distribution Package(s).

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2016-10092
https://nvd.nist.gov/vuln/detail/CVE-2016-10266
https://nvd.nist.gov/vuln/detail/CVE-2016-10267
https://nvd.nist.gov/vuln/detail/CVE-2016-10268
https://nvd.nist.gov/vuln/detail/CVE-2016-10269
https://nvd.nist.gov/vuln/detail/CVE-2016-10270
https://nvd.nist.gov/vuln/detail/CVE-2016-10272
https://nvd.nist.gov/vuln/detail/CVE-2016-10371
https://nvd.nist.gov/vuln/detail/CVE-2016-3622
https://nvd.nist.gov/vuln/detail/CVE-2016-3623
https://nvd.nist.gov/vuln/detail/CVE-2016-3624
https://nvd.nist.gov/vuln/detail/CVE-2016-5102
https://nvd.nist.gov/vuln/detail/CVE-2016-5318
https://nvd.nist.gov/vuln/detail/CVE-2016-5321
https://nvd.nist.gov/vuln/detail/CVE-2016-5323
https://nvd.nist.gov/vuln/detail/CVE-2016-9273
https://nvd.nist.gov/vuln/detail/CVE-2016-9538
https://nvd.nist.gov/vuln/detail/CVE-2016-9539
https://nvd.nist.gov/vuln/detail/CVE-2017-10688
https://nvd.nist.gov/vuln/detail/CVE-2017-12944
https://nvd.nist.gov/vuln/detail/CVE-2017-13726
https://nvd.nist.gov/vuln/detail/CVE-2017-13727
https://nvd.nist.gov/vuln/detail/CVE-2017-7592
https://nvd.nist.gov/vuln/detail/CVE-2017-7593
https://nvd.nist.gov/vuln/detail/CVE-2017-7594
https://nvd.nist.gov/vuln/detail/CVE-2017-7595
https://nvd.nist.gov/vuln/detail/CVE-2017-7596
https://nvd.nist.gov/vuln/detail/CVE-2017-7597
https://nvd.nist.gov/vuln/detail/CVE-2017-7598
https://nvd.nist.gov/vuln/detail/CVE-2017-7599
https://nvd.nist.gov/vuln/detail/CVE-2017-7600
https://nvd.nist.gov/vuln/detail/CVE-2017-7601
https://nvd.nist.gov/vuln/detail/CVE-2017-7602
https://nvd.nist.gov/vuln/detail/CVE-2017-9117
https://nvd.nist.gov/vuln/detail/CVE-2017-9147
https://nvd.nist.gov/vuln/detail/CVE-2017-9403
https://nvd.nist.gov/vuln/detail/CVE-2017-9936
https://nvd.nist.gov/vuln/detail/CVE-2018-10779
https://nvd.nist.gov/vuln/detail/CVE-2018-10963
https://nvd.nist.gov/vuln/detail/CVE-2018-17100
https://nvd.nist.gov/vuln/detail/CVE-2018-17101
https://nvd.nist.gov/vuln/detail/CVE-2018-18557
https://nvd.nist.gov/vuln/detail/CVE-2018-18661
https://nvd.nist.gov/vuln/detail/CVE-2018-7456
https://nvd.nist.gov/vuln/detail/CVE-2018-8905
https://nvd.nist.gov/vuln/detail/CVE-2019-14973

References:

https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2209

Search
Severity
High
CVSS Score
7.5

You never have to pay for a vulnerability scanning and management software again.

Tired of paying a subscription 'per asset' or 'per IP'? Well you can officially cancel your current subscription. Mageni provides a free, open source and enterprise-ready vulnerability scanning and management platform which helps you to find, prioritize, remediate and manage your vulnerabilities. It is free and always will be.