CVE-2015-7313
Publication date 17 March 2017
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
LibTIFF allows remote attackers to cause a denial of service (memory consumption and crash) via a crafted tiff file.
Status
Package | Ubuntu Release | Status |
---|---|---|
tiff | 22.04 LTS jammy | Not affected |
tiff | 20.04 LTS focal | Not affected |
tiff | 18.04 LTS bionic | Not affected |
tiff | 16.04 LTS xenial | Ignored (see notes) |
tiff | 14.04 LTS trusty | Ignored (see notes) |
Notes
mdeslaur
as of 2021-02-24, no upstream fix
sbeattie
likely fixed in upstream 4.0.7 release; reproducer in oss-security post
ccdm94
bionic and later are not-affected and the issue is not reproducible in trusty (no huge reallocs are made, as would be expected), and is also not reproducible in xenial (no reallocs made at all, according to ltrace output) with the POC file provided in the oss-security post. No upstream patch was identified after analysis of the libtiff changelog file, as well as the change history for the tiffdither code. Since this is a 2015 issue, trusty and xenial will be marked as ignored.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 · Medium |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |