CVE-2016-3991: Buffer Overflow
First published: Tue Apr 12 2016(Updated: )
An Out-of-bounds write vulnerability caused by heap overflow when using tiffcrop tool was found in the libtiff library. The vulnerability is in loadImage() function in tiffcrop.c. loadImage() will read the numbers of tiles by calling TIFFNumberOfTiles(). However, if the numbers of tiles is 0, loadImage() will still read tile data by calling readContigTilesIntoBuffer() from the image, regardless of the numbers. In that case, loadImage() will allocate 3 bytes in the heap to store a tile data. This creates a potential attack vector via crafted tiff tiles, which may result in DoS or code execution. Upstream bug report: <a href="http://bugzilla.maptools.org/show_bug.cgi?id=2543">http://bugzilla.maptools.org/show_bug.cgi?id=2543</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/tiff | 4.1.0+git191117-2~deb10u4 4.1.0+git191117-2~deb10u8 4.2.0-1+deb11u4 4.5.0-6 4.5.1+git230720-1 | |
| Oracle VM Server | =3.3 | |
| Oracle VM Server | =3.4 | |
| Libtiff Libtiff | <=4.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugzilla.maptools.org/show_bug.cgi?id=2543
- https://rhn.redhat.com/errata/RHSA-2016-1547.html
- https://rhn.redhat.com/errata/RHSA-2016-1546.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1346683
- https://bugzilla.redhat.com/show_bug.cgi?id=1326249
- http://bugs.fi/media/afl/libtiff/CVE-2016-3991.tif
- https://security-tracker.debian.org/tracker/CVE-2016-3991
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00039.html
- http://rhn.redhat.com/errata/RHSA-2016-1546.html
- http://rhn.redhat.com/errata/RHSA-2016-1547.html
- http://www.debian.org/security/2017/dsa-3762
- http://www.openwall.com/lists/oss-security/2016/04/12/3
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/85996
- https://security.gentoo.org/glsa/201701-16
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/tags
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-3991
- package-manager/debian
- vendor/oracle
- canonical/oracle vm server
- version/oracle vm server/3.3
- version/oracle vm server/3.4
- vendor/libtiff
- canonical/libtiff libtiff
- version/libtiff libtiff/4.0.6