CVE-2015-7313
Published: 17 March 2017
LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.
Notes
Author | Note |
---|---|
mdeslaur | as of 2021-02-24, no upstream fix |
sbeattie | likely fixed in upstream 4.0.7 release reproducer in oss-security post |
ccdm94 | bionic and later are not-affected and the issue is not reproducible in trusty (no huge reallocs are made, as would be expected), and is also not reproducible in xenial (no reallocs made at all, according to ltrace output) with the POC file provided in the oss-security post. No upstream patch was identified after analysis of the libtiff changelog file, as well as the change history for the tiffdither code. Since this is a 2015 issue, trusty and xenial will be marked as ignored. |
Priority
Status
Package | Release | Status |
---|---|---|
tiff Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Not vulnerable
(4.0.9-5ubuntu0.1)
|
|
cosmic |
Not vulnerable
(4.0.9-6ubuntu0.1)
|
|
disco |
Not vulnerable
(4.0.10-4)
|
|
eoan |
Not vulnerable
(4.0.10-4)
|
|
focal |
Not vulnerable
(4.1.0+git191117-2build1)
|
|
groovy |
Not vulnerable
(4.1.0+git191117-2build1)
|
|
hirsute |
Not vulnerable
(4.1.0+git191117-2build1)
|
|
impish |
Not vulnerable
(4.3.0-1)
|
|
jammy |
Not vulnerable
(4.3.0-6)
|
|
precise |
Ignored
(end of life)
|
|
trusty |
Ignored
(see notes)
|
|
upstream |
Released
(4.0.7-1)
|
|
vivid |
Ignored
(end of life)
|
|
wily |
Ignored
(end of life)
|
|
xenial |
Ignored
(see notes)
|
|
yakkety |
Ignored
(end of life)
|
|
zesty |
Ignored
(end of life)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |