CVE-2017-9937
Published: 26 June 2017
In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.
Notes
| Author | Note |
|---|---|
| mdeslaur | reported in libtiff, but issue lies in jbigkit as of 2018-03-22, no fix available this is a DoS only and is caused by the fact that jbigkit handles failed memory allocations with abort(). (See checked_malloc()). Fixing this properly would likely require changing the library ABI. |
| ccdm94 | commit bc3293299b was released in 2020, and it seems to be the commit that fixes this issue, according to the commit message and according to tests made with the commit applied to jbigkit (the error no longer occurs once this fix is applied). |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jbigkit Launchpad, Ubuntu, Debian |
upstream |
Pending
(2.2)
|
| hirsute |
Ignored
(end of life)
|
|
| artful |
Ignored
(end of life)
|
|
| bionic |
Released
(2.1-3.1ubuntu0.18.04.1)
|
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Released
(2.1-3.1ubuntu0.20.04.1)
|
|
| groovy |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Released
(2.1-3.1ubuntu0.22.04.1)
|
|
| kinetic |
Released
(2.1-3.1ubuntu0.22.10.1)
|
|
| lunar |
Released
(2.1-6ubuntu1)
|
|
| trusty |
Released
(2.0-2ubuntu4.1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| xenial |
Released
(2.1-3.1ubuntu0.1~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Ignored
(end of life)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |