CVE-2015-7554
Published 2016-01-08
Priority: P335, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.19% (89.7th percentile)
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.0.7-7 (bookworm) | tiff 4.0.7-7 (bookworm) |
| libtiff | libtiff | — | — |
CVSS provenance
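| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |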
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2017-07-19
CVE-2015-7554 LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.
USN-3212-1 and USN-3212-2 fixed a vulnerability in LibTIFF. This update provides a subset of
corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2017-02-27
CVE-2015-7554 LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.
It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libtiff: Stack-based buffer overflow in _TIFFVGetField
vendor_redhat·2016-12-04·CVSS 9.8
CVE-2016-10095 [CRITICAL] CWE-121 libtiff: Stack-based buffer overflow in _TIFFVGetField
Stack-based buffer overflow in the _TIFFVGetField function in tif_dir.c in LibTIFF 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7 and 4.0.8 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.
Statement: This flaw was found to be a duplicate of CVE-2015-7554. Please see https://access.redhat.com/security/cve/CVE-2015-7554 for information about affected products and security errata.
Package: libtiff (Red Hat Enterprise Linux 5) - Not affected
Package: libtiff (Red Hat Enterprise Linux 6) - Not affected
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Not affected
Package: libtiff (Red Hat Enterprise Linux 7) - Not affected
Red Hat
libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
vendor_redhat·2015-12-26·CVSS 9.8
CVE-2015-7554 [CRITICAL] libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
Package: libtiff (Red Hat Enterprise Linux 5) - Affected
Debian
CVE-2015-7554: tiff - The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to ca...
vendor_debian·2015·CVSS 9.8
CVE-2015-7554 [CRITICAL] CVE-2015-7554: tiff - The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to ca...
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
Scope: local
bookworm: resolved (fixed in 4.0.7-7)
bullseye: resolved (fixed in 4.0.7-7)
forky: resolved (fixed in 4.0.7-7)
sid: resolved (fixed in 4.0.7-7)
trixie: resolved (fixed in 4.0.7-7)
GHSA
GHSA-r22q-wfrw-q7mx: The _TIFFVGetField function in tif_dir
ghsa_unreviewed·2022-05-14
CVE-2015-7554 [CRITICAL] GHSA-r22q-wfrw-q7mx: The _TIFFVGetField function in tif_dir
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
OSV
CVE-2015-7554: The _TIFFVGetField function in tif_dir
osv·2016-01-08·CVSS 9.8
CVE-2015-7554 [CRITICAL] CVE-2015-7554: The _TIFFVGetField function in tif_dir
The _TIFFVGetField function in tif_dir.c in libtiff 4.0.6 allows attackers to cause a denial of service (invalid memory write and crash) or possibly have unspecified other impact via crafted field data in an extension tag in a TIFF image.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-10095 libtiff: Stack-based buffer overflow in _TIFFVGetField
bugzilla·2017-01-04·CVSS 9.8
CVE-2016-10095 [CRITICAL] CVE-2016-10095 libtiff: Stack-based buffer overflow in _TIFFVGetField
A stack-based buffer overflow vulnerability was found in libtiff when running tiffsplit on a crafted TIFF file.
Reproducer:
https://github.com/asarubbo/poc/blob/master/00104-libtiff-stackoverflow-_TIFFVGetField
CVE assignment:
http://seclists.org/oss-sec/2017/q1/10
Reference:
https://blogs.gentoo.org/ago/2017/01/01/libtiff-stack-based-buffer-overflow-in-_tiffvgetfield-tif_dir-c/
Discussion:
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1410123]
---
Created mingw-libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1410124]
Affects: epel-7 [bug 1410125]
---
*** This bug has been marked as a duplicate of bug 1294417 ***
---
(In reply to Huzaifa S. Sidhpurwala from comment #
Bugzilla
CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
bugzilla·2015-12-28·CVSS 9.8
CVE-2015-7554 [CRITICAL] CVE-2015-7554 libtiff: Invalid-write in _TIFFVGetField() when parsing some extension tags
An invalid memory write flaw was found in libtiff in the way it parsed certain extension tags when reading TIFF format files. An attacker could use this flaw to crash or even execute arbitrary code with the permission of the user running such an application compiled against libtiff.
Reference:
http://seclists.org/bugtraq/2015/Dec/137
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html
---
*** Bug 1410063 has been marked as
References:
http://lists.opensuse.org/opensuse-updates/2016-01/msg00078.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00081.html
http://lists.opensuse.org/opensuse-updates/2016-01/msg00100.html
http://packetstormsecurity.com/files/135078/libtiff-4.0.6-Invalid-Write.html
http://rhn.redhat.com/errata/RHSA-2016-1546.html
http://rhn.redhat.com/errata/RHSA-2016-1547.html
http://seclists.org/fulldisclosure/2015/Dec/119
http://www.openwall.com/lists/oss-security/2015/12/26/7
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/archive/1/537205/100/0/threaded
http://www.securityfocus.com/bid/79699
https://security.gentoo.org/glsa/201701-16