Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2017-9117

Published: 21 May 2017

In LibTIFF 4.0.7, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, leading to a heap-based buffer over-read in bmp2tiff.

Notes

AuthorNote
sbeattie 
likely only affects bmp2tiff binary, which was removed in
4.0.7 or 4.0.8
mdeslaur 
proposed patch in upstream bug
bmp2tiff removed in recent versions
same fix as CVE-2017-5563
we will not be fixing this issue in precise/esm

Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
tiff
Launchpad, Ubuntu, Debian 		artful Not vulnerable
(4.0.8-5)
precise Ignored

trusty
Released (4.0.3-7ubuntu0.9)
upstream Needs triage

xenial
Released (4.0.6-1ubuntu0.4)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading