CVE-2019-17546

Published: 14 October 2019

tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.

From the Ubuntu Security Team

It was discovered that GDAL incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.

Priority

Cvss 3 Severity Score

8.8

Score breakdown

Status

Package	Release	Status
blender Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
chromium-browser Launchpad, Ubuntu, Debian	bionic	Not vulnerable (80.0.3987.87-0ubuntu0.18.04.1)
	disco	Ignored (reached end-of-life)
	eoan	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	groovy	Not vulnerable (code not present)
	hirsute	Not vulnerable (code not present)
	impish	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	kinetic	Not vulnerable (code not present)
	lunar	Not vulnerable (code not present)
	trusty	Does not exist
	upstream	Released
	xenial	Not vulnerable (80.0.3987.87-0ubuntu0.16.04.1)
gdal Launchpad, Ubuntu, Debian	bionic	Not vulnerable (uses system tiff)
	disco	Not vulnerable (uses system tiff)
	eoan	Not vulnerable (uses system tiff)
	focal	Not vulnerable (uses system tiff)
	groovy	Not vulnerable (uses system tiff)
	hirsute	Not vulnerable (uses system tiff)
	impish	Not vulnerable (uses system tiff)
	jammy	Not vulnerable (uses system tiff)
	kinetic	Not vulnerable (uses system tiff)
	lunar	Not vulnerable (uses system tiff)
	trusty	Released (1.10.1+dfsg-5ubuntu1+esm1)
	upstream	Needs triage
	xenial	Needed
	Patches: upstream: https://github.com/OSGeo/gdal/commit/21674033ee246f698887604c7af7ba1962a40ddf
insighttoolkit4 Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
ivtools Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
libtk-img Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
neuron Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjpeg2 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (uses system tiff)
	disco	Not vulnerable (uses system tiff)
	eoan	Not vulnerable (uses system tiff)
	focal	Not vulnerable (uses system tiff)
	groovy	Not vulnerable (uses system tiff)
	hirsute	Not vulnerable (uses system tiff)
	impish	Not vulnerable (uses system tiff)
	jammy	Not vulnerable (uses system tiff)
	kinetic	Not vulnerable (uses system tiff)
	lunar	Not vulnerable (uses system tiff)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable (uses system tiff)
paraview Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
povray Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
qt4-x11 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (uses system libtiff)
	disco	Not vulnerable (uses system libtiff)
	eoan	Not vulnerable (uses system libtiff)
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	trusty	Not vulnerable (uses system libtiff)
	upstream	Needs triage
	xenial	Not vulnerable (uses system libtiff)
qtimageformats-opensource-src Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
qtwebengine-opensource-src Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
sfftobmp Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
texmaker Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
tiff Launchpad, Ubuntu, Debian	bionic	Released (4.0.9-5ubuntu0.3)
	disco	Released (4.0.10-4ubuntu0.1)
	eoan	Not vulnerable (4.0.10+git191003-1)
	focal	Not vulnerable (4.0.10+git191003-1)
	groovy	Not vulnerable (4.0.10+git191003-1)
	hirsute	Not vulnerable (4.0.10+git191003-1)
	impish	Not vulnerable (4.0.10+git191003-1)
	jammy	Not vulnerable (4.0.10+git191003-1)
	kinetic	Not vulnerable (4.0.10+git191003-1)
	lunar	Not vulnerable (4.0.10+git191003-1)
	trusty	Released (4.0.3-7ubuntu0.11+esm6)
	upstream	Released (4.0.10+git190818-1)
	xenial	Released (4.0.6-1ubuntu0.7)
	Patches: upstream: https://gitlab.com/libtiff/libtiff/commit/4bb584a35f87af42d6cf09d15e9ce8909a839145
xloadimage Launchpad, Ubuntu, Debian	bionic	Needs triage
	disco	Ignored (reached end-of-life)
	eoan	Ignored (reached end-of-life)
	focal	Needs triage
	groovy	Ignored (reached end-of-life)
	hirsute	Ignored (reached end-of-life)
	impish	Ignored (reached end-of-life)
	jammy	Needs triage
	kinetic	Needs triage
	lunar	Needs triage
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage

Severity score breakdown

Parameter	Value
Base score	8.8
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›