ESB-2016.0309 - [Win][UNIX/Linux][Debian] tiff: Denial of service - Remote with user interaction

Date: 08 February 2016
References: ASB-2016.0017  ESB-2016.1873  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0309
                           tiff security update
                              8 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tiff
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   Debian GNU/Linux 8
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8784 CVE-2015-8783 CVE-2015-8782
                   CVE-2015-8781 CVE-2015-8683 CVE-2015-8665

Original Bulletin: 
   http://www.debian.org/security/2016/dsa-3467

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running tiff check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3467-1                   security@debian.org
https://www.debian.org/security/                 Laszlo Boszormenyi (GCS)
February 06, 2016                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2015-8665 CVE-2015-8683 CVE-2015-8781 CVE-2015-8782
                 CVE-2015-8783 CVE-2015-8784
Debian Bug     : 808968 809021

Several vulnerabilities have been found in tiff, a Tag Image File Format
library. Multiple out-of-bounds read and write flaws could cause an
application using the tiff library to crash.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.0.2-6+deb7u5.

For the stable distribution (jessie), these problems have been fixed in
version 4.0.3-12.3+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 4.0.6-1.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.6-1.

We recommend that you upgrade your tiff packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----