Test ID:	1.3.6.1.4.1.25623.1.1.12.2023.5841.1
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-5841-1)
Summary:	The remote host is missing an update for the 'tiff' package(s) announced via the USN-5841-1 advisory.
Description:	Summary: The remote host is missing an update for the 'tiff' package(s) announced via the USN-5841-1 advisory. Vulnerability Insight: It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. This issue was only fixed in Ubuntu 14.04 ESM. (CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524, CVE-2022-3970) It was discovered that LibTIFF was incorrectly acessing a data structure when processing data with the tiffcrop tool, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-48281) Affected Software/OS: 'tiff' package(s) on Ubuntu 14.04, Ubuntu 16.04. Solution: Please install the updated package(s). CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2019-14973 Bugtraq: 20191104 [slackware-security] libtiff (SSA:2019-308-01) (Google Search) https://seclists.org/bugtraq/2019/Nov/5 Bugtraq: 20200121 [SECURITY] [DSA 4608-1] tiff security update (Google Search) https://seclists.org/bugtraq/2020/Jan/32 Debian Security Information: DSA-4608 (Google Search) https://www.debian.org/security/2020/dsa-4608 Debian Security Information: DSA-4670 (Google Search) https://www.debian.org/security/2020/dsa-4670 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADNPG7JJTRRK22GUVTAFH3GJ6WGKUZJB/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63BVT6N5KQPHWOWM4B3I7Z3ODBXUVNPS/ http://packetstormsecurity.com/files/155095/Slackware-Security-Advisory-libtiff-Updates.html https://lists.debian.org/debian-lts-announce/2019/08/msg00031.html SuSE Security Announcement: openSUSE-SU-2020:1561 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00102.html SuSE Security Announcement: openSUSE-SU-2020:1840 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00023.html Common Vulnerability Exposure (CVE) ID: CVE-2019-17546 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LM5ZW7E3IEW7LT2BPJP7D3RN6OUOE3MX/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3S4WNIMZ7XSLY2LD5FPRPZMGNUBVKOG/ https://security.gentoo.org/glsa/202003-25 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16443 https://github.com/OSGeo/gdal/commit/21674033ee246f698887604c7af7ba1962a40ddf https://gitlab.com/libtiff/libtiff/commit/4bb584a35f87af42d6cf09d15e9ce8909a839145 https://lists.debian.org/debian-lts-announce/2019/11/msg00027.html https://lists.debian.org/debian-lts-announce/2020/03/msg00020.html Common Vulnerability Exposure (CVE) ID: CVE-2020-35523 Debian Security Information: DSA-4869 (Google Search) https://www.debian.org/security/2021/dsa-4869 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMHBYFMX3D5VGR6Y3RXTTH3Q4NF4E6IG/ https://security.gentoo.org/glsa/202104-06 https://bugzilla.redhat.com/show_bug.cgi?id=1932040 https://gitlab.com/libtiff/libtiff/-/commit/c8d613ef497058fe653c467fc84c70a62a4a71b2 https://gitlab.com/libtiff/libtiff/-/merge_requests/160 https://lists.debian.org/debian-lts-announce/2021/06/msg00023.html Common Vulnerability Exposure (CVE) ID: CVE-2020-35524 https://security.netapp.com/advisory/ntap-20210521-0009/ https://bugzilla.redhat.com/show_bug.cgi?id=1932044 https://gitlab.com/libtiff/libtiff/-/merge_requests/159 https://gitlab.com/rzkn/libtiff/-/commit/7be2e452ddcf6d7abca88f41d3761e6edab72b22 Common Vulnerability Exposure (CVE) ID: CVE-2022-3970 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be https://oss-fuzz.com/download?testcase_id=5738253143900160 https://vuldb.com/?id.213549 https://lists.debian.org/debian-lts-announce/2023/01/msg00018.html Common Vulnerability Exposure (CVE) ID: CVE-2022-48281 Debian Security Information: DSA-5333 (Google Search) https://www.debian.org/security/2023/dsa-5333 https://security.gentoo.org/glsa/202305-31 https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5 https://gitlab.com/libtiff/libtiff/-/issues/488 https://lists.debian.org/debian-lts-announce/2023/01/msg00037.html
Copyright	Copyright (C) 2023 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.