Debian Security Advisory

DLA-877-1 tiff -- LTS security update

Date Reported:
28 Mar 2017
Affected Packages:
tiff
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-10266, CVE-2016-10267, CVE-2016-10268, CVE-2016-10269.
More information:

libtiff is vulnerable to multiple buffer overflows and integer overflows that can lead to application crashes (denial of service) or worse.

  • CVE-2016-10266

    Integer overflow that can lead to divide-by-zero in TIFFReadEncodedStrip (tif_read.c).

  • CVE-2016-10267

    Divide-by-zero error in OJPEGDecodeRaw (tif_ojpeg.c).

  • CVE-2016-10268

    Heap-based buffer overflow in TIFFReverseBits (tif_swab.c).

  • CVE-2016-10269

    Heap-based buffer overflow in _TIFFmemcpy (tif_unix.c).

For Debian 7 Wheezy, these problems have been fixed in version 4.0.2-6+deb7u11.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS