Your submission was sent successfully! Close

CVE-2017-9117

Published: 21 May 2017

In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.

Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
tiff
Launchpad, Ubuntu, Debian 		artful Not vulnerable
(4.0.8-5)
precise Ignored

trusty
Released (4.0.3-7ubuntu0.9)
upstream Needs triage

xenial
Released (4.0.6-1ubuntu0.4)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)

Notes

AuthorNote
sbeattie 
likely only affects bmp2tiff binary, which was removed in
4.0.7 or 4.0.8
mdeslaur 
proposed patch in upstream bug
bmp2tiff removed in recent versions
same fix as CVE-2017-5563
we will not be fixing this issue in precise/esm

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading