SUSE-SU-2016:3301-1: moderate: Security update for tiff

sle-security-updates at lists.suse.com
Thu Dec 29 16:15:32 MST 2016


   SUSE Security Update: Security update for tiff
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:3301-1
Rating:             moderate
References:         #1007280 #1010161 #1010163 #1011103 #1011107 
                    #914890 #974449 #974840 #984813 #984815 #987351 
                    
Cross-References:   CVE-2014-8127 CVE-2016-3622 CVE-2016-3658
                    CVE-2016-5321 CVE-2016-5323 CVE-2016-5652
                    CVE-2016-5875 CVE-2016-9273 CVE-2016-9297
                    CVE-2016-9448 CVE-2016-9453
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP1
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Server 12-SP1
                    SUSE Linux Enterprise Desktop 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

   An update that fixes 11 vulnerabilities is now available.

Description:


   The tiff library and tools were updated to version 4.0.7, fixing various
   bugs and security issues.

   - CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple
     tools [bnc#914890]
   - CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField()
     [bnc#1010161]
   - CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array
     function in tiffset / tif_dirwrite.c [bnc#974840]
   - CVE-2016-9273: heap overflow [bnc#1010163]
   - CVE-2016-3622: divide by zero in the tiff2rgba tool [bnc#974449]
   - CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow
     [bnc#1007280]
   - CVE-2016-9453: out-of-bounds Write memcpy and less bound check in
     tiff2pdf [bnc#1011107]
   - CVE-2016-5875: heap-based buffer overflow when using the PixarLog
     compression format [bnc#987351]
   - CVE-2016-9448: regression introduced by fixing CVE-2016-9297
     [bnc#1011103]
   - CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode()
     function [bnc#984813]
   - CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr
     dereference?) [bnc#984815]


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Software Development Kit 12-SP1:

      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1937=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Server 12-SP1:

      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1937=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1937=1

   - SUSE Linux Enterprise Desktop 12-SP1:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1937=1

   To bring your system up-to-date, use "zypper patch".
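
   A post-patch check, added here as an example and not part of the SUSE
   announcement: it flags tiff packages from this advisory that are still
   older than the fixed build 4.0.7-35.1. The function names and the sample
   package lines are constructed, and GNU "sort -V" only approximates rpm's
   own version ordering.

```shell
#!/bin/sh
# Fixed version-release taken from the advisory's package list.
FIXED="4.0.7-35.1"

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU sort -V is available; it approximates rpm's comparison.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_tiff: reads "name version-release" lines on stdin and prints a
# status line for each package that this advisory ships.
audit_tiff() {
    while read -r name vr; do
        case "$name" in
            tiff|libtiff5|libtiff5-32bit|libtiff-devel) ;;
            *) continue ;;   # not covered by this advisory
        esac
        if ver_lt "$vr" "$FIXED"; then
            echo "$name $vr NEEDS-UPDATE"
        else
            echo "$name $vr OK"
        fi
    done
}

# Constructed sample input; the older version-releases are made up.
sample_pkgs() {
    cat <<'EOF'
libtiff5 4.0.6-26.3
libtiff5-32bit 4.0.7-9.1
tiff 4.0.7-35.1
zlib 1.2.8-5.1
EOF
}

sample_pkgs | audit_tiff

# On a real host, feed it the installed package set instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | audit_tiff
```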


Package List:

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      libtiff-devel-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):

      libtiff-devel-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):

      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP2 (x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1

   - SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

      libtiff5-32bit-4.0.7-35.1
      libtiff5-4.0.7-35.1
      libtiff5-debuginfo-32bit-4.0.7-35.1
      libtiff5-debuginfo-4.0.7-35.1
      tiff-debuginfo-4.0.7-35.1
      tiff-debugsource-4.0.7-35.1


References:

   https://www.suse.com/security/cve/CVE-2014-8127.html
   https://www.suse.com/security/cve/CVE-2016-3622.html
   https://www.suse.com/security/cve/CVE-2016-3658.html
   https://www.suse.com/security/cve/CVE-2016-5321.html
   https://www.suse.com/security/cve/CVE-2016-5323.html
   https://www.suse.com/security/cve/CVE-2016-5652.html
   https://www.suse.com/security/cve/CVE-2016-5875.html
   https://www.suse.com/security/cve/CVE-2016-9273.html
   https://www.suse.com/security/cve/CVE-2016-9297.html
   https://www.suse.com/security/cve/CVE-2016-9448.html
   https://www.suse.com/security/cve/CVE-2016-9453.html
   https://bugzilla.suse.com/1007280
   https://bugzilla.suse.com/1010161
   https://bugzilla.suse.com/1010163
   https://bugzilla.suse.com/1011103
   https://bugzilla.suse.com/1011107
   https://bugzilla.suse.com/914890
   https://bugzilla.suse.com/974449
   https://bugzilla.suse.com/974840
   https://bugzilla.suse.com/984813
   https://bugzilla.suse.com/984815
   https://bugzilla.suse.com/987351
