Support Content Notification - Support Portal

USN-6644-2: LibTIFF vulnerabilities

Product/Component

Isolation Segment

1 more products

Notification Id

24838

Last Updated

25 July 2024

Initial Publication Date

25 July 2024

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

CVE-2023-52356;CVE-2023-6228;CVE-2023-6277

Severity

medium

Vendor

VMware Tanzu

Versions Affected

Canonical Ubuntu 22.04

USN-6644-1 fixed vulnerabilities in LibTIFF. This update provides the corresponding updates for Ubuntu 22.04 LTS. Original advisory details: It was discovered that LibTIFF incorrectly handled certain files. If a user were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause the application to crash, resulting in a denial of service. (CVE-2023-52356) It was discovered that LibTIFF incorrectly handled certain image files with the tiffcp utility. If a user were tricked into opening a specially crafted image file, an attacker could possibly use this issue to cause tiffcp to crash, resulting in a denial of service. (CVE-2023-6228) It was discovered that LibTIFF incorrectly handled certain files. If a user were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause the application to consume resources, resulting in a denial of service. (CVE-2023-6277) Update Instructions: Run `sudo pro fix USN-6644-2` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libtiff-opengl - 4.3.0-6ubuntu0.8 libtiffxx5 - 4.3.0-6ubuntu0.8 libtiff5-dev - 4.3.0-6ubuntu0.8 libtiff-dev - 4.3.0-6ubuntu0.8 libtiff5 - 4.3.0-6ubuntu0.8 libtiff-tools - 4.3.0-6ubuntu0.8 libtiff-doc - 4.3.0-6ubuntu0.8 No subscription required.

Fixed and Unaffected VMware Products and Versions

Cflinixfs4

1.78.0 or greater

CF Deployment

39.3.0 or greater

Isolation Segment

4.0.19+LTS-T or greater
5.0.9 or greater
6.0.x unaffected

VMware Tanzu Applications Service for VMs

4.0.19+LTS-T or greater
5.0.9 or greater
6.0.x unaffected

References

https://ubuntu.com/security/notices/USN-6644-2

https://www.cloudfoundry.org/blog/usn-6644-2

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6644-2

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24838

History

2024-02-27: Initial vulnerability report published.