Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201701-16 ] libTIFF: Multiple vulnerabilities
Date: Mon, 09 Jan 2017 17:01:56
Message-Id: 472b7015-d2b7-a8ee-b964-d64efc7ca4b3@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201701-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libTIFF: Multiple vulnerabilities
     Date: January 09, 2017
     Bugs: #484542, #534108, #538318, #561880, #572876, #585274,
           #585508, #599746
       ID: 201701-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in libTIFF, the worst of which
may allow execution of arbitrary code.

Background
==========

The TIFF library contains encoding and decoding routines for the Tag
Image File Format. It is called by numerous programs, including GNOME
and KDE applications, to interpret TIFF images.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-libs/tiff              < 4.0.7                    >= 4.0.7

Description
===========

Multiple vulnerabilities have been discovered in libTIFF. Please review
the CVE identifiers and bug reports referenced for details.

Impact
======

A remote attacker could entice a user to process a specially crafted
image file, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libTIFF users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-libs/tiff-4.0.7"

References
==========

[ 1 ] CVE-2013-4243
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4243
[ 2 ] CVE-2014-8127
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8127
[ 3 ] CVE-2014-8128
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8128
[ 4 ] CVE-2014-8129
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8129
[ 5 ] CVE-2014-8130
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8130
[ 6 ] CVE-2014-9330
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9330
[ 7 ] CVE-2014-9655
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9655
[ 8 ] CVE-2015-1547
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1547
[ 9 ] CVE-2015-7313
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7313
[ 10 ] CVE-2015-7554
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7554
[ 11 ] CVE-2015-8665
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8665
[ 12 ] CVE-2015-8668
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8668
[ 13 ] CVE-2015-8683
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8683
[ 14 ] CVE-2015-8781
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8781
[ 15 ] CVE-2015-8782
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8782
[ 16 ] CVE-2015-8783
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8783
[ 17 ] CVE-2015-8784
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8784
[ 18 ] CVE-2016-3186
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3186
[ 19 ] CVE-2016-3619
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3619
[ 20 ] CVE-2016-3620
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3620
[ 21 ] CVE-2016-3621
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3621
[ 22 ] CVE-2016-3622
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3622
[ 23 ] CVE-2016-3623
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3623
[ 24 ] CVE-2016-3624
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3624
[ 25 ] CVE-2016-3625
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3625
[ 26 ] CVE-2016-3631
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3631
[ 27 ] CVE-2016-3632
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3632
[ 28 ] CVE-2016-3633
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3633
[ 29 ] CVE-2016-3634
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3634
[ 30 ] CVE-2016-3658
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3658
[ 31 ] CVE-2016-3945
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3945
[ 32 ] CVE-2016-3990
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3990
[ 33 ] CVE-2016-3991
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3991
[ 34 ] CVE-2016-5102
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5102
[ 35 ] CVE-2016-5314
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5314
[ 36 ] CVE-2016-5315
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5315
[ 37 ] CVE-2016-5316
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5316
[ 38 ] CVE-2016-5317
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5317
[ 39 ] CVE-2016-5318
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5318
[ 40 ] CVE-2016-5319
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5319
[ 41 ] CVE-2016-5320
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5320
[ 42 ] CVE-2016-5321
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5321
[ 43 ] CVE-2016-5322
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5322
[ 44 ] CVE-2016-5323
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5323
[ 45 ] CVE-2016-5652
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5652
[ 46 ] CVE-2016-5875
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5875
[ 47 ] CVE-2016-6223
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6223
[ 48 ] CVE-2016-8331
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8331
[ 49 ] CVE-2016-9273
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9273
[ 50 ] CVE-2016-9297
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9297
[ 51 ] CVE-2016-9318
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9318
[ 52 ] CVE-2016-9448
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9448
[ 53 ] CVE-2016-9453
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9453
[ 54 ] CVE-2016-9532
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9532

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201701-16

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature