Security update for tiff

SUSE Security Update: Security update for tiff
Announcement ID: SUSE-SU-2016:3301-1
Rating: moderate
References: #1007280 #1010161 #1010163 #1011103 #1011107 #914890 #974449 #974840 #984813 #984815 #987351
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 12-SP2
  • SUSE Linux Enterprise Software Development Kit 12-SP1
  • SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
  • SUSE Linux Enterprise Server 12-SP2
  • SUSE Linux Enterprise Server 12-SP1
  • SUSE Linux Enterprise Desktop 12-SP2
  • SUSE Linux Enterprise Desktop 12-SP1

An update that fixes 11 vulnerabilities is now available.

    Description:


    The tiff library and tools were updated to version 4.0.7, fixing various
    bugs and security issues.

    - CVE-2014-8127: out-of-bounds read with malformed TIFF image in multiple
    tools [bnc#914890]
    - CVE-2016-9297: tif_dirread.c read outside buffer in _TIFFPrintField()
    [bnc#1010161]
    - CVE-2016-3658: Illegal read in TIFFWriteDirectoryTagLongLong8Array
    function in tiffset / tif_dirwrite.c [bnc#974840]
    - CVE-2016-9273: heap overflow [bnc#1010163]
    - CVE-2016-3622: divide by zero in the tiff2rgba tool [bnc#974449]
    - CVE-2016-5652: tiff2pdf JPEG Compression Tables Heap Buffer Overflow
    [bnc#1007280]
    - CVE-2016-9453: out-of-bounds Write memcpy and less bound check in
    tiff2pdf [bnc#1011107]
    - CVE-2016-5875: heap-based buffer overflow when using the PixarLog
    compression format [bnc#987351]
    - CVE-2016-9448: regression introduced by fixing CVE-2016-9297
    [bnc#1011103]
    - CVE-2016-5321: out-of-bounds read in tiffcrop / DumpModeDecode()
    function [bnc#984813]
    - CVE-2016-5323: Divide-by-zero in _TIFFFax3fillruns() function (null ptr
    dereference?) [bnc#984815]

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 12-SP2:
      zypper in -t patch SUSE-SLE-SDK-12-SP2-2016-1937=1
    • SUSE Linux Enterprise Software Development Kit 12-SP1:
      zypper in -t patch SUSE-SLE-SDK-12-SP1-2016-1937=1
    • SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
      zypper in -t patch SUSE-SLE-RPI-12-SP2-2016-1937=1
    • SUSE Linux Enterprise Server 12-SP2:
      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2016-1937=1
    • SUSE Linux Enterprise Server 12-SP1:
      zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1937=1
    • SUSE Linux Enterprise Desktop 12-SP2:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2016-1937=1
    • SUSE Linux Enterprise Desktop 12-SP1:
      zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-1937=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
      • libtiff-devel-4.0.7-35.1
      • tiff-debuginfo-4.0.7-35.1
      • tiff-debugsource-4.0.7-35.1
    • SUSE Linux Enterprise Software Development Kit 12-SP1 (ppc64le s390x x86_64):
      • libtiff-devel-4.0.7-35.1
      • tiff-debuginfo-4.0.7-35.1
      • tiff-debugsource-4.0.7-35.1
    • SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
      • libtiff5-4.0.7-35.1
      • libtiff5-debuginfo-4.0.7-35.1
      • tiff-4.0.7-35.1
      • tiff-debuginfo-4.0.7-35.1
      • tiff-debugsource-4.0.7-35.1
    • SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le x86_64):
      • libtiff5-4.0.7-35.1
      • libtiff5-debuginfo-4.0.7-35.1
      • tiff-4.0.7-35.1
      • tiff-debuginfo-4.0.7-35.1
      • tiff-debugsource-4.0.7-35.1
    • SUSE Linux Enterprise Server 12-SP2 (x86_64):
      • libtiff5-32bit-4.0.7-35.1
      • libtiff5-debuginfo-32bit-4.0.7-35.1
    • SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):
      • libtiff5-4.0.7-35.1
      • libtiff5-debuginfo-4.0.7-35.1
      • tiff-4.0.7-35.1
      • tiff-debuginfo-4.0.7-35.1
      • tiff-debugsource-4.0.7-35.1
    • SUSE Linux Enterprise Server 12-SP1 (s390x x86_64):
      • libtiff5-32bit-4.0.7-35.1
      • libtiff5-debuginfo-32bit-4.0.7-35.1
    • SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
      • libtiff5-32bit-4.0.7-35.1
      • libtiff5-4.0.7-35.1
      • libtiff5-debuginfo-32bit-4.0.7-35.1
      • libtiff5-debuginfo-4.0.7-35.1
      • tiff-debuginfo-4.0.7-35.1
      • tiff-debugsource-4.0.7-35.1
    • SUSE Linux Enterprise Desktop 12-SP1 (x86_64):
      • libtiff5-32bit-4.0.7-35.1
      • libtiff5-4.0.7-35.1
      • libtiff5-debuginfo-32bit-4.0.7-35.1
      • libtiff5-debuginfo-4.0.7-35.1
      • tiff-debuginfo-4.0.7-35.1
      • tiff-debugsource-4.0.7-35.1

    References: