CVE-2016-3991: Buffer Overflow
First published: Tue Apr 12 2016(Updated: )
An Out-of-bounds write vulnerability caused by heap overflow when using tiffcrop tool was found in the libtiff library. The vulnerability is in loadImage() function in tiffcrop.c. loadImage() will read the numbers of tiles by calling TIFFNumberOfTiles(). However, if the numbers of tiles is 0, loadImage() will still read tile data by calling readContigTilesIntoBuffer() from the image, regardless of the numbers. In that case, loadImage() will allocate 3 bytes in the heap to store a tile data. This creates a potential attack vector via crafted tiff tiles, which may result in DoS or code execution. Upstream bug report: <a href="http://bugzilla.maptools.org/show_bug.cgi?id=2543">http://bugzilla.maptools.org/show_bug.cgi?id=2543</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/tiff | 4.1.0+git191117-2~deb10u4 4.1.0+git191117-2~deb10u8 4.2.0-1+deb11u4 4.5.0-6 4.5.1+git230720-1 | |
| Oracle VM Server | =3.3 | |
| Oracle VM Server | =3.4 | |
| libtiff | <=4.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugzilla.maptools.org/show_bug.cgi?id=2543
- https://rhn.redhat.com/errata/RHSA-2016-1547.html
- https://rhn.redhat.com/errata/RHSA-2016-1546.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1346683
- https://bugzilla.redhat.com/show_bug.cgi?id=1326249
- http://bugs.fi/media/afl/libtiff/CVE-2016-3991.tif
- https://security-tracker.debian.org/tracker/CVE-2016-3991
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00039.html
- http://rhn.redhat.com/errata/RHSA-2016-1546.html
- http://rhn.redhat.com/errata/RHSA-2016-1547.html
- http://www.debian.org/security/2017/dsa-3762
- http://www.openwall.com/lists/oss-security/2016/04/12/3
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/85996
- https://security.gentoo.org/glsa/201701-16
Frequently Asked Questions
What is the severity of CVE-2016-3991?
CVE-2016-3991 is considered to have a medium severity due to the potential for exploitation through out-of-bounds write vulnerabilities.
How do I fix CVE-2016-3991?
To fix CVE-2016-3991, upgrade the libtiff library to a version greater than 4.0.6 or apply any available patches from your distribution.
What software is affected by CVE-2016-3991?
CVE-2016-3991 affects the libtiff library, particularly versions up to and including 4.0.6.
What could happen if CVE-2016-3991 is exploited?
Exploitation of CVE-2016-3991 could lead to arbitrary code execution or crashes of the application using libtiff.
Is CVE-2016-3991 specific to certain operating systems?
CVE-2016-3991 is present in various systems, including Debian and Oracle VM Server, depending on the version of the libtiff library in use.
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-3991
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/oracle
- canonical/oracle vm server
- version/oracle vm server/3.3
- version/oracle vm server/3.4
- vendor/libtiff
- canonical/libtiff
- version/libtiff/4.0.6