Lucene search

K
debianDebianDEBIAN:DLA-1206-1:26213
HistoryDec 13, 2017 - 6:00 a.m.

[SECURITY] [DLA 1206-1] tiff security update

2017-12-1306:00:09
lists.debian.org
17

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.004

Percentile

75.1%

Package : tiff
Version : 4.0.2-6+deb7u17
CVE ID : CVE-2017-9935
Debian Bug : 866109

In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf
function in tools/tiff2pdf.c. This heap overflow could lead to different
damages. For example, a crafted TIFF document can lead to an out-of-bounds read
in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in
t2p_readwrite_pdf_image, or a double free in t2p_free. Given these
possibilities, it probably could cause arbitrary code execution.

This overflow is linked to an underlying assumption that all pages in a tiff
document will have the same transfer function. There is nothing in the tiff
standard that says this needs to be the case.

For Debian 7 "Wheezy", these problems have been fixed in version
4.0.2-6+deb7u17.

We recommend that you upgrade your tiff packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.004

Percentile

75.1%