CVE-2017-14528

Published: 18 September 2017

The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has incorrect expectations about whether LibTIFF TIFFGetField return values imply that data validation has occurred, which allows remote attackers to cause a denial of service (use-after-free after an invalid call to TIFFSetField, and application crash) via a crafted file.

Notes

Author    Note
mdeslaur  code not present in jessie
sespiros  (xenial) cannot reproduce in 8:6.8.9.9-7ubuntu5.16+esm1

Priority

Negligible

CVSS 3 base score: 6.5

Status

Package: imagemagick (Launchpad, Ubuntu, Debian)

Release   Status
artful    Ignored (reached end-of-life)
bionic    Released (8:6.9.7.4+dfsg-16ubuntu6.11)
cosmic    Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
disco     Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
eoan      Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
focal     Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
groovy    Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
hirsute   Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
impish    Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
jammy     Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
kinetic   Not vulnerable (8:6.9.10.8+dfsg-1ubuntu2)
precise   Does not exist
trusty    Needs triage
upstream  Needs triage
xenial    Deferred (2020-10-26)
zesty     Ignored (reached end-of-life)

Patches:
upstream: https://github.com/ImageMagick/ImageMagick6/commit/6f7cba13ebae405b2689647a2277827f1c272364