CVE-2017-9937

Published: 26 June 2017

In LibTIFF 4.0.8, there is a memory allocation (malloc) failure in tif_jbig.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.

Priority

Negligible

CVSS 3 base score: 6.5

Status

Package Release Status
jbigkit
Upstream                           Needs triage
Ubuntu 20.10 (Groovy Gorilla)      Deferred (2018-03-22)
Ubuntu 20.04 LTS (Focal Fossa)     Deferred (2018-03-22)
Ubuntu 18.04 LTS (Bionic Beaver)   Deferred (2018-03-22)
Ubuntu 16.04 LTS (Xenial Xerus)    Deferred (2018-03-22)
Ubuntu 14.04 ESM (Trusty Tahr)     Deferred (2018-03-22)

Notes

Author: mdeslaur
Note:
reported in libtiff, but issue lies in jbigkit
as of 2018-03-22, no fix available

this is a DoS only and is caused by the fact that jbigkit
handles failed memory allocations with abort(). (See
checked_malloc()). Fixing this properly would likely require
changing the library ABI.
