Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-221-1 tiff

Debian Security Advisory

DLA-221-1 tiff -- LTS security update

Date Reported:

16 May 2015

Affected Packages:

tiff

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 773987.
In Mitre's CVE dictionary: CVE-2014-8128, CVE-2014-8129, CVE-2014-9330, CVE-2014-9655.

More information:

Several vulnerabilities have been discovered in the LibTIFF library and utilities for the Tag Image File Format. These could lead to a denial of service, information disclosure or privilege escalation.

• CVE-2014-8128

  William Robinet discovered that out-of-bounds writes are triggered in several of the LibTIFF utilities when processing crafted TIFF files. Other applications using LibTIFF are also likely to be affected in the same way.

• CVE-2014-8129

  William Robinet discovered that out-of-bounds reads and writes are triggered in tiff2pdf when processing crafted TIFF files. Other applications using LibTIFF are also likely to be affected in the same way.

• CVE-2014-9330

  Paris Zoumpouloglou discovered that out-of-bounds reads and writes are triggered in bmp2tiff when processing crafted BMP files.

• CVE-2014-9655

  Michal Zalewski discovered that out-of-bounds reads and writes are triggered in LibTIFF when processing crafted TIFF files.

For the oldoldstable distribution (squeeze), these problems have been fixed in version 3.9.4-5+squeeze12.

For the oldstable distribution (wheezy), these problems will be fixed soon.

The stable distribution (jessie) was not affected by these problems as they were fixed before release.