CVE-2015-1547
Published: 2016-04-13
Priority P428 · medium · 6.5 · CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 3.34% (87.1th percentile)
The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to cause a denial of service (uninitialized memory access) via a crafted TIFF image, as demonstrated by libtiff5.tif.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | tiff | < tiff 4.0.3-12.1 (bookworm) | tiff 4.0.3-12.1 (bookworm) |
| libtiff | libtiff | <= 4.0.6 | — |
CVSS provenance
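| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |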
GHSA
GHSA-63xc-994f-r5qr: The NeXTDecode function in tif_next
ghsa_unreviewed·2022-05-14
CVE-2015-1547 [MEDIUM] CWE-119 GHSA-63xc-994f-r5qr: The NeXTDecode function in tif_next
OSV
CVE-2015-1547: The NeXTDecode function in tif_next
osv·2016-04-13·CVSS 6.5
CVE-2015-1547 [MEDIUM] CVE-2015-1547: The NeXTDecode function in tif_next
Debian
CVE-2015-1547: tiff - The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to caus...
vendor_debian·2015·CVSS 6.5
CVE-2015-1547 [MEDIUM] CVE-2015-1547: tiff - The NeXTDecode function in tif_next.c in LibTIFF allows remote attackers to caus...
Scope: local
bookworm: resolved (fixed in 4.0.3-12.1)
bullseye: resolved (fixed in 4.0.3-12.1)
forky: resolved (fixed in 4.0.3-12.1)
sid: resolved (fixed in 4.0.3-12.1)
trixie: resolved (fixed in 4.0.3-12.1)
Red Hat
libtiff: use of uninitialized memory in NeXTDecode
vendor_redhat·2014-12-29·CVSS 6.5
CVE-2015-1547 [MEDIUM] libtiff: use of uninitialized memory in NeXTDecode
Statement: Red Hat Product Security has rated this issue as having moderate security impact; a future update may address this flaw in libtiff.
Package: libtiff (Red Hat Enterprise Linux 5) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-4953 ntp: bad authentication demobilizes ephemeral associations
bugzilla·2016-05-30·CVSS 7.5
CVE-2016-4953 [HIGH] CVE-2016-4953 ntp: bad authentication demobilizes ephemeral associations
It was found that the fixes for CVE-2015-7979 and CVE-2016-1547 were incomplete: An attacker can send a spoofed packet that contains an invalid MAC to a client/peer and demobilize its ephemeral association.
Discussion:
Acknowledgments:
Name: Miroslav Lichvar (Red Hat)
---
Statement:
This issue did not affect the versions of ntp as shipped with any Red Hat Enterprise Linux version as they already included a fix for this issue in the patch provided to fix the CVE-2015-7979 issue. The fix for this issue (developed by Red Hat) was different from the one provided by upstream, and thus ntp versions in RHEL are not affected by CVE-2016-4953.
---
Upstream bug:
http://support.ntp.org/bin/view/Main/NtpBug3045
Externa
Bugzilla
CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
bugzilla·2016-01-25·CVSS 6.5
CVE-2015-8784 [MEDIUM] CVE-2015-8784 libtiff: out-of-bound write in NeXTDecode()
A flaw was discovered in the way libtiff decodes special data. A potential out-of-bounds write could occur for specifically crafted images.
External bug report:
http://bugzilla.maptools.org/show_bug.cgi?id=2508
CVE assignment:
http://seclists.org/oss-sec/2016/q1/191
Upstream fix:
https://github.com/vadz/libtiff/commit/b18012dae552f85dcc5c57d3bf4e997a15b1cc1c
Discussion:
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1301653]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1546 https://r
Bugzilla
CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c
bugzilla·2015-12-28·CVSS 5.5
CVE-2015-8665 [MEDIUM] CVE-2015-8665 libtiff: Out-of-bounds read in tif_getimage.c
An out-of-bounds read flaw was found in libtiff. An attacker could create a specially-crafted TIFF file, which could cause libtiff to crash.
Reference:
http://www.openwall.com/lists/oss-security/2015/12/24/4
Discussion:
Please inform me when you will have a patch or at least a reference for the bugzilla.
Greetings
Petr
---
Patch for this and bug#1294427:
https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1546 https://rhn.redhat.com/
Bugzilla
CVE-2015-8668 libtiff: OOB read in bmp2tiff
bugzilla·2015-12-28·CVSS 9.8
CVE-2015-8668 [CRITICAL] CVE-2015-8668 libtiff: OOB read in bmp2tiff
A heap-buffer overflow was found in bmp2tiff, a tool used to create TIFF format files from BMP format image files. An attacker could provide a specially-crafted BMP format file which, when converted to TIFF format using the bmp2tiff tool, could cause the bmp2tiff executable to crash.
Reference:
http://seclists.org/bugtraq/2015/Dec/138
Discussion:
I haven't completed my analysis yet, but for now I tend to say that this is only OOB read.
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-
Bugzilla
CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files
bugzilla·2015-12-28·CVSS 5.5
CVE-2015-8683 [MEDIUM] CVE-2015-8683 libtiff: Out-of-bounds when reading CIE Lab image format files
An out-of-bounds read flaw was found in the way libtiff processed CIE Lab image format files. An attacker could create a specially-crafted CIE Lab image format file which could cause libtiff to crash.
Reference:
http://seclists.org/oss-sec/2015/q4/583
Discussion:
Patch for this and bug#1294444:
https://github.com/vadz/libtiff/commit/f94a29a822f5528d2334592760fbb7938f15eb55
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
Bugzilla
CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
bugzilla·2015-12-28·CVSS 9.8
CVE-2015-7554 [CRITICAL] CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
An invalid memory write flaw was found in libtiff in the way it parsed certain extension tags when reading TIFF format files. An attacker could use this flaw to crash or even execute arbitrary code with the permission of the user running such an application compiled against libtiff.
Reference:
http://seclists.org/bugtraq/2015/Dec/137
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
---
*** Bug 1410063 has been marked as
Bugzilla
CVE-2015-1547 CVE-2014-9655 mingw-libtiff: various flaws [epel-7]
bugzilla·2015-02-09·CVSS 6.5
CVE-2015-1547 [MEDIUM] CVE-2015-1547 CVE-2014-9655 mingw-libtiff: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for mingw-libtiff: see blocks bug list for
Bugzilla
CVE-2015-1547 CVE-2014-9655 libtiff: various flaws [fedora-all]
bugzilla·2015-02-09·CVSS 6.5
CVE-2015-1547 [MEDIUM] CVE-2015-1547 CVE-2014-9655 libtiff: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While
Bugzilla
CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
bugzilla·2015-02-09·CVSS 6.5
CVE-2015-1547 [MEDIUM] CVE-2015-1547 libtiff: use of uninitialized memory in NeXTDecode
Use of uninitialized memory was reported [1] in NeXTDecode in libtiff.
The example TIFF file that triggers this behaviour can be found here:
http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
[1]: http://seclists.org/oss-sec/2015/q1/454
Discussion:
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1190710]
---
Created mingw-libtiff tracking bugs for this issue:
Affects: epel-7 [bug 1190712]
---
Patch
There is no proper information of fixing this flaw anywhere according to
http://seclists.org/oss-sec/2015/q1/454
- uninitialized memory in NeXTDecode
Fixed in:
2014-12-29 Even Rouault
* libtiff/tif_next.c: add new tests to check that we don't read outside of
the compressed input stream buffer.
I
References
http://openwall.com/lists/oss-security/2015/01/24/16
http://openwall.com/lists/oss-security/2015/02/07/5
http://rhn.redhat.com/errata/RHSA-2016-1546.html
http://rhn.redhat.com/errata/RHSA-2016-1547.html
http://www.debian.org/security/2016/dsa-3467
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/73438
https://security.gentoo.org/glsa/201701-16
Published: 2016-04-13