CVE-2017-17440

Published: 06 December 2017

GNU Libextractor 1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted GIF, IT (Impulse Tracker), NSFE, S3M (Scream Tracker 3), SID, or XM (eXtended Module) file, as demonstrated by the EXTRACTOR_xm_extract_method function in plugins/xm_extractor.c.

From the Ubuntu security team

It was discovered that Libextractor incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package: libextractor (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Released (1:1.3-2+deb8u1, 1:1.3-4+deb9u1, 1:1.6-2)
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (1:1.6-2)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (1:1.6-2)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1:1.6-2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1:1.6-2)
Ubuntu 16.04 LTS (Xenial Xerus): Released (1:1.3-4+deb9u3build0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needed)

Patches:
Other: https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e