Gentoo Archives: gentoo-announce

From: Aaron Bauman <bman@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201709-27 ] LibTIFF: Multiple vulnerabilities
Date: Tue, 26 Sep 2017 22:12:23
Message-Id: 3559947.cqVStVUssH@localhost.localdomain
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201709-27
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: LibTIFF: Multiple vulnerabilities
      Date: September 26, 2017
      Bugs: #610330, #614020, #614022, #617996, #617998, #618610, #624602
        ID: 201709-27

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in LibTIFF, the worst of which
could result in the execution of arbitrary code.

Background
==========

The TIFF library contains encoding and decoding routines for the Tag
Image File Format. It is called by numerous programs, including GNOME
and KDE applications, to interpret TIFF images.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/tiff            < 4.0.8                    >= 4.0.8

Description
===========

Multiple vulnerabilities have been discovered in LibTIFF. Please review
the referenced CVE identifiers for details.

Impact
======

A remote attacker, by enticing the user to process a specially crafted
TIFF file, could possibly execute arbitrary code with the privileges of
the process, cause a Denial of Service condition, obtain sensitive
information, or have other unspecified impacts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LibTIFF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.0.8"

Packages which depend on this library may need to be recompiled. Tools
such as revdep-rebuild may assist in identifying some of these
packages.
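Added example, not part of the advisory and not Gentoo's own tooling: a POSIX sh check that reads the installed media-libs/tiff version out of the Portage package database (/var/db/pkg by default; the root is a parameter so it can be pointed at a constructed directory) and reports whether it falls in the vulnerable range of this GLSA, i.e. below 4.0.8. The version comparison is a deliberate simplification written for this illustration (numeric dot-separated components only, Gentoo -rN revisions dropped, _alpha/_beta/_pre/_rc suffixes ordered before the bare version); it is not Portage's full version ordering.

```sh
#!/bin/sh
# Check whether the installed media-libs/tiff is in the range fixed by
# GLSA 201709-27 (vulnerable: < 4.0.8, unaffected: >= 4.0.8).
# Illustrative code only; the version rules are simplified.

UNAFFECTED="4.0.8"

# vercmp A B: print -1, 0 or 1 as A <, =, > B.
# Compares dot-separated numeric components; missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# tiff_affected PV: return 0 (true) when package version PV is < 4.0.8.
tiff_affected() {
    pv="${1%-r[0-9]*}"                 # drop the Gentoo revision, e.g. -r1
    base="${pv%%_*}"                   # numeric part before any _rc/_p suffix
    case "$pv" in
        *_*) suffix="_${pv#*_}" ;;
        *)   suffix="" ;;
    esac
    case "$(vercmp "$base" "$UNAFFECTED")" in
        -1) return 0 ;;
        1)  return 1 ;;
    esac
    # Same numeric version as the fix: a pre-release of 4.0.8 predates 4.0.8.
    case "$suffix" in
        _alpha*|_beta*|_pre*|_rc*) return 0 ;;
        *) return 1 ;;
    esac
}

# installed_tiff_versions [ROOT]: print the PV of every installed
# media-libs/tiff slot found under ROOT (default: the Portage VDB).
installed_tiff_versions() {
    root="${1:-/var/db/pkg}"
    for d in "$root"/media-libs/tiff-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/tiff-}"
    done
}

# check_tiff_glsa [ROOT]: report each installed version; return 0 if any
# installed version is still vulnerable, 1 otherwise.
check_tiff_glsa() {
    root="${1:-/var/db/pkg}"
    status=1
    for pv in $(installed_tiff_versions "$root"); do
        if tiff_affected "$pv"; then
            echo "media-libs/tiff-$pv: AFFECTED by GLSA 201709-27 (needs >= $UNAFFECTED)"
            status=0
        else
            echo "media-libs/tiff-$pv: ok"
        fi
    done
    return $status
}
```

On a real Gentoo system the same question is answered by `glsa-check -t all` from app-portage/gentoolkit, which consults the full GLSA feed and Portage's own version ordering; the function above only makes explicit what that check amounts to for this one advisory.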

References
==========

[ 1 ] CVE-2016-10267
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10267
[ 2 ] CVE-2016-10268
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10268
[ 3 ] CVE-2017-5225
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5225
[ 4 ] CVE-2017-5563
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5563
[ 5 ] CVE-2017-7592
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7592
[ 6 ] CVE-2017-7593
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7593
[ 7 ] CVE-2017-7594
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7594
[ 8 ] CVE-2017-7595
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7595
[ 9 ] CVE-2017-7596
      https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7596
[ 10 ] CVE-2017-7597
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7597
[ 11 ] CVE-2017-7598
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7598
[ 12 ] CVE-2017-7599
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7599
[ 13 ] CVE-2017-7600
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7600
[ 14 ] CVE-2017-7601
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7601
[ 15 ] CVE-2017-7602
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7602
[ 16 ] CVE-2017-9403
       https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9403

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201709-27

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name        MIME type
signature.asc    application/pgp-signature