Bug 1033128 – VUL-0: CVE-2017-7594: tiff: The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c possible remote denial of service

Bug 1033128 - (CVE-2017-7594) VUL-0: CVE-2017-7594: tiff: The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c possible remote denial of service

(CVE-2017-7594)
Summary:	VUL-0: CVE-2017-7594: tiff: The OJPEGReadHeaderInfoSecTablesDcTable function ...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/183184/
Whiteboard:	CVSSv2:NVD:CVE-2017-7594:4.3:(AV:N/AC...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-04-10 06:48 UTC by Victor Pereira
Modified:	2018-05-16 09:08 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2017-04-10 06:48:33 UTC

CVE-2017-7594

The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in LibTIFF 4.0.7
allows remote attackers to cause a denial of service (memory leak) via a crafted
image.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7594
http://bugzilla.maptools.org/show_bug.cgi?id=2659

Comment 1 Swamp Workflow Management 2017-09-26 13:13:32 UTC

SUSE-SU-2017:2569-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    tiff-4.0.8-44.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    tiff-4.0.8-44.3.1

Comment 2 Swamp Workflow Management 2017-10-03 19:08:32 UTC

openSUSE-SU-2017:2635-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1033109,1033111,1033112,1033113,1033118,1033120,1033126,1033127,1033128,1033129,1033131,1038438,1042804,1042805
CVE References: CVE-2016-10371,CVE-2017-7592,CVE-2017-7593,CVE-2017-7594,CVE-2017-7595,CVE-2017-7596,CVE-2017-7597,CVE-2017-7598,CVE-2017-7599,CVE-2017-7600,CVE-2017-7601,CVE-2017-7602,CVE-2017-9403,CVE-2017-9404
Sources used:
openSUSE Leap 42.3 (src):    tiff-4.0.8-21.1
openSUSE Leap 42.2 (src):    tiff-4.0.8-17.6.1

Comment 3 Petr Gajdos 2018-05-14 15:38:47 UTC

http://bugzilla.maptools.org/show_bug.cgi?id=2659
https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b
https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1

Comment 4 Petr Gajdos 2018-05-16 08:59:42 UTC

No testcase found.

Comment 5 Petr Gajdos 2018-05-16 09:08:03 UTC

12/tiff: has the fix already in via version update
10sp3,11/tiff: no such code found