[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1680-1] tiff security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : tiff
Version        : 4.0.3-12.3+deb8u8
CVE ID         : CVE-2018-17000 CVE-2018-19210 CVE-2019-7663


Brief introduction 

CVE-2018-17000

    A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c
    (called from TIFFWriteDirectoryTagTransferfunction) allows an
    attacker to cause a denial-of-service through a crafted tiff file. This
    vulnerability can be triggered by the executable tiffcp.

CVE-2018-19210

    There is a NULL pointer dereference in the TIFFWriteDirectorySec function
    in tif_dirwrite.c that will lead to a denial of service attack, as
    demonstrated by tiffset.

CVE-2019-7663

    An Invalid Address dereference was discovered in
    TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c,
    affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote
    attackers could leverage this vulnerability to cause a denial-of-service
    via a crafted tiff file.

    We believe this is the same as CVE-2018-17000 (above).

For Debian 8 "Jessie", these problems have been fixed in version
4.0.3-12.3+deb8u8.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKpwfR8DOwu5vyB4TKpJZkldkSvoFAlxqUl8ACgkQKpJZkldk
Svp6Rg//WyvFJG2F/3814EV8T61Vc2MvnaYHDAQzaH14SdN4USX/X6h0ylvLwD0y
PSZ2OgcT2i86SZcjF3Fpd0n3mPkIYxNlF2fwimmKNoniBIDiZSIGFCFo3F55Y132
tS8OBMrzLt6DU4V83EDjM/fKbVZLFezDzTiUsVH2tdFCgpxcK+e4eppSAqHXobKH
uymEQDC9+/fBs6UWReFOB+AY16JA6QBzW7U0VyENpQWHFbyteamqF3Y8K+4Gm3RB
NW+Jn31cdO0NUZtwfcE6epDazvq/TJ4epADOtBLGUc7rLRvrxIENjMyOiPwC7R8N
yJbHM5mmz0Z5GswDtohhFoWg0EpcXlXMkW38moDSwEEJ5EE0TYF2aXrLg6aJw4Eb
o7zOlQbLIvuaJkvAUInBhPHiuHq2iCVZV8Mlyp7TjB46dokwGpXzetf2/qSF5Mp8
uJKQ2B5vYfDs6681AMJmcOLbWSEXNr8K75tOZfdWPEDPST0XhYUHprjEVGQ3Y823
NxCOk+M+WQ4cZDXHNVFH/9pSpJyzsKYdBAiw7rVJO/20lXPMBuEvCrXqDvGW1WgA
TqPrPj9TOlyWAsN0cBSRy9yVsD66jKJBo/f0qzu50/WWpRAQdo3NbqE9wQPdZdl6
8R6HbU69byxURIM+IS0H9dfqAIxW3sKy+WgKZYgDDzW7ERGA1hU=
=wy9I
-----END PGP SIGNATURE-----


Reply to: