[Secure-testing-team] Bug#883320: tiff: CVE-2017-17095: heap-based buffer overflow in pal2rgb tool
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 2 10:58:05 UTC 2017
Source: tiff
Version: 4.0.8-6
X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
Severity: normal
Tags: security upstream
Forwarded: http://bugzilla.maptools.org/show_bug.cgi?id=2750
Hi,
the following vulnerability was published for tiff. Since it only
leads to a crash in cli tool we marked it as unimportant in the
security-tracker, still filling a bug to keep track of a fix if it
lands upstream.
CVE-2017-17095[0]:
| tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to
| cause a denial of service (TIFFSetupStrips heap-based buffer overflow
| and application crash) or possibly have unspecified other impact via a
| crafted TIFF file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17095
[1] http://bugzilla.maptools.org/show_bug.cgi?id=2750
Please adjust the affected versions in the BTS as needed, only
unstable has been checked.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list