Security update for tiff SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:14888-1 Final 1 1 2022-02-18T09:43:57Z current 2022-02-18T09:43:57Z 2022-02-18T09:43:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tiff This update for tiff fixes the following issues: - CVE-2015-8683: Fixed out-of-bounds when reading CIE Lab image format files (bsc#1156754). - CVE-2015-8665: Fixed out-of-bounds read in tif_getimage.c (bsc#1156749). - CVE-2020-35521: Fixed memory allocation failure in tif_read.c (bsc#1182808). - CVE-2020-35522: Fixed memory allocation failure in tif_pixarlog.c (bsc#1182809). - CVE-2020-35523: Fixed integer overflow in tif_getimage.c (bsc#1182811). - CVE-2020-35524: Fixed heap-based buffer overflow in TIFF2PDF tool (bsc#1182812). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleposp3-tiff-14888,slessp4-tiff-14888 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/ Link for SUSE-SU-2022:14888-1 https://lists.suse.com/pipermail/sle-security-updates/2022-February/010250.html E-Mail link for SUSE-SU-2022:14888-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1156749 SUSE Bug 1156749 https://bugzilla.suse.com/1156754 SUSE Bug 1156754 https://bugzilla.suse.com/1182808 SUSE Bug 1182808 https://bugzilla.suse.com/1182809 SUSE Bug 1182809 https://bugzilla.suse.com/1182811 SUSE Bug 1182811 https://bugzilla.suse.com/1182812 SUSE Bug 1182812 https://www.suse.com/security/cve/CVE-2015-8665/ SUSE CVE CVE-2015-8665 page https://www.suse.com/security/cve/CVE-2015-8683/ SUSE CVE CVE-2015-8683 page https://www.suse.com/security/cve/CVE-2020-35521/ SUSE CVE CVE-2020-35521 page https://www.suse.com/security/cve/CVE-2020-35522/ SUSE CVE CVE-2020-35522 page https://www.suse.com/security/cve/CVE-2020-35523/ SUSE CVE CVE-2020-35523 page https://www.suse.com/security/cve/CVE-2020-35524/ SUSE CVE CVE-2020-35524 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS libtiff3-3.8.2-141.169.34.1 tiff-3.8.2-141.169.34.1 libtiff3-32bit-3.8.2-141.169.34.1 libtiff3-3.8.2-141.169.34.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 tiff-3.8.2-141.169.34.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 libtiff3-3.8.2-141.169.34.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS libtiff3-32bit-3.8.2-141.169.34.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS tiff-3.8.2-141.169.34.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via the SamplesPerPixel tag in a TIFF image. CVE-2015-8665 SUSE Linux Enterprise Point of Sale 11 SP3:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Point of Sale 11 SP3:tiff-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-32bit-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:tiff-3.8.2-141.169.34.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/ https://www.suse.com/security/cve/CVE-2015-8665.html CVE-2015-8665 https://bugzilla.suse.com/1156749 SUSE Bug 1156749 https://bugzilla.suse.com/1156754 SUSE Bug 1156754 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 The putcontig8bitCIELab function in tif_getimage.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) via a packed TIFF image. CVE-2015-8683 SUSE Linux Enterprise Point of Sale 11 SP3:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Point of Sale 11 SP3:tiff-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-32bit-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:tiff-3.8.2-141.169.34.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/ https://www.suse.com/security/cve/CVE-2015-8683.html CVE-2015-8683 https://bugzilla.suse.com/1156749 SUSE Bug 1156749 https://bugzilla.suse.com/1156754 SUSE Bug 1156754 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service. CVE-2020-35521 SUSE Linux Enterprise Point of Sale 11 SP3:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Point of Sale 11 SP3:tiff-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-32bit-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:tiff-3.8.2-141.169.34.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/ https://www.suse.com/security/cve/CVE-2020-35521.html CVE-2020-35521 https://bugzilla.suse.com/1182808 SUSE Bug 1182808 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack. CVE-2020-35522 SUSE Linux Enterprise Point of Sale 11 SP3:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Point of Sale 11 SP3:tiff-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-32bit-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:tiff-3.8.2-141.169.34.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/ https://www.suse.com/security/cve/CVE-2020-35522.html CVE-2020-35522 https://bugzilla.suse.com/1182809 SUSE Bug 1182809 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-35523 SUSE Linux Enterprise Point of Sale 11 SP3:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Point of Sale 11 SP3:tiff-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-32bit-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:tiff-3.8.2-141.169.34.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/ https://www.suse.com/security/cve/CVE-2020-35523.html CVE-2020-35523 https://bugzilla.suse.com/1182811 SUSE Bug 1182811 https://bugzilla.suse.com/1200195 SUSE Bug 1200195 A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2020-35524 SUSE Linux Enterprise Point of Sale 11 SP3:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Point of Sale 11 SP3:tiff-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libtiff3-32bit-3.8.2-141.169.34.1 SUSE Linux Enterprise Server 11 SP4-LTSS:tiff-3.8.2-141.169.34.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-202214888-1/ https://www.suse.com/security/cve/CVE-2020-35524.html CVE-2020-35524 https://bugzilla.suse.com/1182812 SUSE Bug 1182812 https://bugzilla.suse.com/1200195 SUSE Bug 1200195