Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4491
tiff security update
27 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: tiff
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-17546 CVE-2019-6128 CVE-2018-18661
CVE-2018-12900 CVE-2017-17095
Reference: ESB-2019.4464
ESB-2019.4137
ESB-2018.0864
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2019/11/msg00027.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : tiff
Version : 4.0.3-12.3+deb8u10
CVE ID : CVE-2017-17095 CVE-2018-12900 CVE-2018-18661
CVE-2019-6128 CVE-2019-17546
Several issues have been found in tiff, a Tag Image File Format library.
CVE-2019-17546
The RGBA interface contains an integer overflow that might lead
to heap buffer overflow write.
CVE-2019-6128
A memory leak exists due to missing cleanup code.
CVE-2018-18661
In case of exhausted memory there is a null pointer dereference
in tiff2bw.
CVE-2018-12900
Fix for heap-based buffer overflow, that could be used to crash an
application or even to execute arbitrary code (with the permission
of the user running this application).
CVE-2017-17095
A crafted tiff file could lead to a heap buffer overflow in pal2rgb.
For Debian 8 "Jessie", these problems have been fixed in version
4.0.3-12.3+deb8u10.
We recommend that you upgrade your tiff packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAl3dmCZfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcACgkQlvysDTh7
WEd9LRAAr0Rd9+KqBflydKwo6NKuLGRNHI4G+mFPOMBIN+MSro1LwkZ9TeSyB9C7
62ANXPSZb5Se/ICFsv7GtmvAzsDJep0JF7IEiIoT48FFVCMGmfoNF9Z+Kac8ZnBI
bSN47mJuLQ1Qd/gdxnzftZdIVREpGfAn0nV2koU5hs5dHKe+7Pz5Ol3zikUmmXbj
oB4xRCcpdgDF0YMQd9VJUtZGiBvnzY5ODlOxHPA1c75rdAG76YL3GKdN5BDmkktc
eVjTdU8lRYa7lZFRDDpT7Re6KM6eP11u2N4CDLd9Dzf8daHzELtIV5Dvi3LnYFq2
LK9jH7nMwjr1OQVaGBEfyO1ytSN5yellUYtKAsVJwql+LvXSpxaOBU1VVuoBxeBd
j9sIazEgkQJSXKESuzSRjQsZxxTGobAQh07LKJ6oJgs2C8V6JlXn4ais2V28AOPV
shUE4zeZumShqWDXpXDzipzFyHBYjE6YKARJAK65s7PlvzvjVzIAgbIjuQV7HauJ
MHisL77Yb5lZnkkHu8pFH93FJ5v339N3sirPHMT/khkZnQNiqI8JIKazs0QOi7f7
OiFyjjWuUjVQh87eih3pSdcCRNFTHCiMuYdVmlTnxkg+1nf0Kih+V1PQm+lYNNa8
BpoMiqTGkr7o7evywxp7fAPkRqUVMqtNQMuXd4MnJdgwlsNA14E=
=l51z
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXd4CoWaOgq3Tt24GAQhuQBAAv9MPuLFwoAlkmR4dTHZo/8ywLlYTPxzX
ZFAec1dTSf7bplsY71PW/e7MLGhzwUECFVfc++Jy/TJFrygAii/9UtcBiFZXk/CS
fq3rwE15f+ya3C9M8WfYCKr30JEKlrVc8+a8a8v5m8n+ATLri9ZqNXZoDGJAYlKm
NS2zszAkTHdZnv4AU68QKKFbLc3wlRwkNjTgxA5H0b7sSbYOTlBkw6txsWa5oHVG
VMovwCfvQxDkjbsxJEgKiBqd1fLX14lybaZ4Ej8Wq3K9LUXgNRpfGLE0t4TZlGeI
mnvd2FIyHarVk9q1c1RQGQKrSF9QNV7HKAaAaksnTb+wJBDISSfP+JtQQ+Qj2EDD
6TOTnKheI4j+iS/745WPvUInjwpp08Z7VSVlqGNJvu07cIT+n5ng0ksiiCuL5On3
iE4oHdintk88XD35RDIFEDDnNeZ5dqbrk8sYrWwc98OESxQuMN67XdxZAxKhZrU0
2LoVTO+U/s7MLELOgi4uIajvSvn2qIuGerL/NpCdCGVLVBUK/ZzCrinZCb+siBEd
r5E9Zaqkk523gGxIDG5PP6bFD9gUbc4AbYUu0ixK0h92cLKVMhBqrgVgC8iGi0cd
jtgSifQyWDR5enMkGmQvt9TsX8WgrHvV8CnkrG1jHiR1x5moH6e5/a3eQjE/pjc4
FBtHBoucinA=
=F2pe
-----END PGP SIGNATURE-----