Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2017-9117

Published: 21 May 2017

In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.

Notes

AuthorNote
sbeattie
likely only affects bmp2tiff binary, which was removed in
4.0.7 or 4.0.8
mdeslaur
proposed patch in upstream bug
bmp2tiff removed in recent versions
same fix as CVE-2017-5563
we will not be fixing this issue in precise/esm

Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
tiff
Launchpad, Ubuntu, Debian
artful Not vulnerable
(4.0.8-5)
precise Ignored

trusty
Released (4.0.3-7ubuntu0.9)
upstream Needs triage

xenial
Released (4.0.6-1ubuntu0.4)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)