1. Ubuntu Security Notices
  2. USN-5619-1

USN-5619-1: LibTIFF vulnerabilities

Publication date

20 September 2022

Overview

Several security issues were fixed in LibTIFF.

Releases

Packages

  • tiff - Tag Image File Format (TIFF) library

Details

It was discovered that LibTIFF was not properly performing the calculation
of data that would eventually be used as a reference for bound-checking
operations. An attacker could possibly use this issue to cause a denial of
service or to expose sensitive information. This issue only affected Ubuntu
18.04 LTS. (CVE-2020-19131)

It was discovered that LibTIFF was not properly terminating a function
execution when processing incorrect data. An attacker could possibly use
this issue to cause a denial of service or to expose sensitive information.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-19144)

It was discovered that LibTIFF did not properly manage memory under certain
circumstances. If a user were tricked into opening a specially crafted TIFF
file using tiffinfo tool, an attacker could possibly use this issue to
cause a denial of service. This...

It was discovered that LibTIFF was not properly performing the calculation
of data that would eventually be used as a reference for bound-checking
operations. An attacker could possibly use this issue to cause a denial of
service or to expose sensitive information. This issue only affected Ubuntu
18.04 LTS. (CVE-2020-19131)

It was discovered that LibTIFF was not properly terminating a function
execution when processing incorrect data. An attacker could possibly use
this issue to cause a denial of service or to expose sensitive information.
This issue only affected Ubuntu 18.04 LTS. (CVE-2020-19144)

It was discovered that LibTIFF did not properly manage memory under certain
circumstances. If a user were tricked into opening a specially crafted TIFF
file using tiffinfo tool, an attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2022-1354)

It was discovered that LibTIFF did not properly manage memory under certain
circumstances. If a user were tricked into opening a specially crafted TIFF
file using tiffcp tool, an attacker could possibly use this issue to
cause a denial of service. (CVE-2022-1355)

It was discovered that LibTIFF was not properly performing checks to avoid
division calculations where the denominator value was zero, which could
lead to an undefined behaviour situation via a specially crafted file. An
attacker could possibly use this issue to cause a denial of service.
(CVE-2022-2056, CVE-2022-2057, CVE-2022-2058)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
22.04 jammy libtiff-opengl –  4.3.0-6ubuntu0.1
libtiffxx5 –  4.3.0-6ubuntu0.1
libtiff5 –  4.3.0-6ubuntu0.1
libtiff-tools –  4.3.0-6ubuntu0.1
20.04 focal libtiff-opengl –  4.1.0+git191117-2ubuntu0.20.04.5
libtiffxx5 –  4.1.0+git191117-2ubuntu0.20.04.5
libtiff5 –  4.1.0+git191117-2ubuntu0.20.04.5
libtiff-tools –  4.1.0+git191117-2ubuntu0.20.04.5
18.04 bionic libtiff-opengl –  4.0.9-5ubuntu0.7
libtiffxx5 –  4.0.9-5ubuntu0.7
libtiff5 –  4.0.9-5ubuntu0.7
libtiff-tools –  4.0.9-5ubuntu0.7
16.04 xenial libtiff-opengl –  4.0.6-1ubuntu0.8+esm4  
libtiffxx5 –  4.0.6-1ubuntu0.8+esm4  
libtiff5 –  4.0.6-1ubuntu0.8+esm4  
libtiff-tools –  4.0.6-1ubuntu0.8+esm4  
14.04 trusty libtiff-opengl –  4.0.3-7ubuntu0.11+esm4  
libtiffxx5 –  4.0.3-7ubuntu0.11+esm4  
libtiff5 –  4.0.3-7ubuntu0.11+esm4  
libtiff-tools –  4.0.3-7ubuntu0.11+esm4  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›