CVE-2016-9535
Description
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow."
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-9535
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-9535.html
Vendor advisory: cve@mitre.org — https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
Vendor advisory: cve@mitre.org — https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
Vendor advisory: arch — https://security.archlinux.org/ASA-201611-26
Vendor advisory: arch — https://security.archlinux.org/ASA-201611-27
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | fixed | 4.0.7-1 | |
| sles | affected | | |
| debian | bookworm | fixed | 4.0.7-1 |
| debian | bullseye | fixed | 4.0.7-1 |
| debian | forky | fixed | 4.0.7-1 |
| debian | sid | fixed | 4.0.7-1 |
| debian | trixie | fixed | 4.0.7-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| libtiff | libtiff | 4.0.6 | |
References
- https://security.archlinux.org/ASA-201611-27
- https://security.archlinux.org/ASA-201611-26
- http://rhn.redhat.com/errata/RHSA-2017-0225.html
- http://www.debian.org/security/2017/dsa-3844
- http://www.securityfocus.com/bid/94484
- http://www.securityfocus.com/bid/94744
- https://github.com/vadz/libtiff/commit/3ca657a8793dd011bf869695d72ad31c779c3cc1
- https://github.com/vadz/libtiff/commit/6a984bf7905c6621281588431f384e79d11a2e33
- https://www.suse.com/security/cve/CVE-2016-9535.html
- https://security-tracker.debian.org/tracker/CVE-2016-9535
CWEs
CWE-119
Verify integrity in audit chain (admin only). AS-IS.