ESB-2018.1159.2 - UPDATE [Win][UNIX/Linux][BSD][Debian] tiff and tiff3: Denial of service - Remote with user interaction 2018-04-17


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1159.2
                      tiff and tiff3 security updates
                               17 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tiff
                   tiff3
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   BSD variants
                   Windows
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-7456  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/04/msg00010.html
   https://lists.debian.org/debian-lts-announce/2018/04/msg00011.html

Comment: This bulletin contains two (2) Debian security advisories.
         
         This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running tiff check for an updated version of the software for their
         operating system.

Revision History:  April 17 2018: Updated product tag
                   April 16 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tiff
Version        : 4.0.2-6+deb7u19
CVE ID         : CVE-2018-7456
Debian Bug     : 891288 

A NULL Pointer Dereference was discovered in the TIFFPrintDirectory
function (tif_print.c) when using the tiffinfo tool to print crafted
TIFF information. This vulnerability could be leveraged by remote
attackers to cause a crash of the application.

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u19.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlrUC10ACgkQLVy48vb3
khmXmwf7Bfz6v8Lle0D5CA8pae67570bO31pJpcbdcC9JMpdWVB9Pci8FAULtaE5
kJPGjy/nonKy5nSSctEEzydoVqQ6hkiknpWU+eKd7gZu+pcaC0lXtULrKsvQ6g1W
j1KBaZV4XGhnRrKVixtTwMphUlTaJa/pv5/WZeJp5pMAKEwv93zBCStf1efx1XYu
/+4Ey+glVtpS+rLRjzLJtFULQfCcPIZb9hTCLlQcErWxAJm6Xxw+ZNedzirQe2Im
+q9o/toDIJHzb6ZpG+PW5/wdTCQ5pqoov/k5bZI8Q+7LbqLKBifBrOUefGm8HkJd
ov//MNlueQRseHr4JhJH1tGvKwf+8w==
=0znQ
- -----END PGP SIGNATURE-----

=========================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tiff3
Version        : 3.9.6-11+deb7u10
CVE ID         : CVE-2018-7456
Debian Bug     : 891288 

A NULL Pointer Dereference was discovered in the TIFFPrintDirectory
function (tif_print.c) when using the tiffinfo tool to print crafted
TIFF information. This vulnerability could be leveraged by remote
attackers to cause a crash of the application.

For Debian 7 "Wheezy", these problems have been fixed in version
3.9.6-11+deb7u10.

We recommend that you upgrade your tiff3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE5LpPtQuYJzvmooL3LVy48vb3khkFAlrUC9cACgkQLVy48vb3
khkpqQf/T8mlN9ec5Gx0EmkS9RCC/06VJ7t4GzptVRjuNKnuPCNXgb4Zw7ZxNzoi
sSfcJ4GMoy+Ytwe5CCF6FdbQ+WFGMLUjm5ywBOHzkZ6Si/1jSKpyWHAIqnn9e/41
+JYLm1hoC1fHh/zro1kIdPOsUJD4fnKsTo+EV30vwij0wiF5te+ByOghLCK2V13R
rxc+w8OWTtCKeSzcjtlC5zDHXLIFHMZGg2v6041ETB7vbYSaWAOj2XCKMhbN8kHz
PLy56vtiS54jTYfyC51nVNi39c2LfUTcoMi6usnJn44eauMAoKJz6iDEeW5CnxER
85mfKtUy/RwV9F2L/RtNWqHlQCjHdQ==
=j1X4
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=VbFC
-----END PGP SIGNATURE-----
