Ubuntu Security Notice 5523-1 - It was discovered that LibTIFF was not properly performing checks to guarantee that allocated memory space existed, which could lead to a NULL pointer dereference via a specially crafted file. An attacker could possibly use this issue to cause a denial of service. It was discovered that LibTIFF was not properly performing checks to avoid division calculations where the denominator value was zero, which could lead to an undefined behavior situation via a specially crafted file. An attacker could possibly use this issue to cause a denial of service.
5a59e47169abf47600d89ed49be7fdb00d3a42d34c3e046b30db89c940dc1bea
==========================================================================
Ubuntu Security Notice USN-5523-1
July 19, 2022
tiff vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in LibTIFF.
Software Description:
- tiff: Tag Image File Format (TIFF) library
Details:
It was discovered that LibTIFF was not properly performing checks to
guarantee that allocated memory space existed, which could lead to a
NULL pointer dereference via a specially crafted file. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2022-0907, CVE-2022-0908)
It was discovered that LibTIFF was not properly performing checks to
avoid division calculations where the denominator value was zero,
which could lead to an undefined behavior situation via a specially
crafted file. An attacker could possibly use this issue to cause a
denial of service. (CVE-2022-0909)
It was discovered that LibTIFF was not properly performing bounds
checks, which could lead to an out-of-bounds read via a specially
crafted file. An attacker could possibly use this issue to cause a
denial of service or to expose sensitive information. (CVE-2022-0924)
It was discovered that LibTIFF was not properly performing the
calculation of data that would eventually be used as a reference for
bounds checking operations, which could lead to an out-of-bounds
read via a specially crafted file. An attacker could possibly use
this issue to cause a denial of service or to expose sensitive
information. (CVE-2020-19131)
It was discovered that LibTIFF was not properly terminating a
function execution when processing incorrect data, which could lead
to an out-of-bounds read via a specially crafted file. An attacker
could possibly use this issue to cause a denial of service or to
expose sensitive information. (CVE-2020-19144)
It was discovered that LibTIFF was not properly performing checks
when setting the value for data later used as reference during memory
access, which could lead to an out-of-bounds read via a specially
crafted file. An attacker could possibly use this issue to cause a
denial of service or to expose sensitive information.
(CVE-2022-22844)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 ESM:
libtiff-opengl 4.0.6-1ubuntu0.8+esm2
libtiff-tools 4.0.6-1ubuntu0.8+esm2
libtiff5 4.0.6-1ubuntu0.8+esm2
libtiffxx5 4.0.6-1ubuntu0.8+esm2
Ubuntu 14.04 ESM:
libtiff-opengl 4.0.3-7ubuntu0.11+esm2
libtiff-tools 4.0.3-7ubuntu0.11+esm2
libtiff5 4.0.3-7ubuntu0.11+esm2
libtiffxx5 4.0.3-7ubuntu0.11+esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5523-1
CVE-2020-19131, CVE-2020-19144, CVE-2022-0907, CVE-2022-0908,
CVE-2022-0909, CVE-2022-0924, CVE-2022-22844