CVE-2019-7663

Published: 09 February 2019

An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c in LibTIFF 4.0.10, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file. This is different from CVE-2018-12900.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
chromium
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

gdal
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(uses system libtiff)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(uses system libtiff)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system libtiff)
Ubuntu 16.04 LTS (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needed

openjpeg2
Launchpad, Ubuntu, Debian
Upstream Needed

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable

Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

qt4-x11
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(uses system libtiff)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(uses system libtiff)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(uses system libtiff)
qtimageformats-opensource-src
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
qtwebengine-opensource-src
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

texmaker
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 LTS (Xenial Xerus) Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needs-triage)
tiff
Launchpad, Ubuntu, Debian
Upstream
Released (4.0.10-4)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(4.0.10-4)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(4.0.10-4)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.0.9-5ubuntu0.2)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.0.6-1ubuntu0.6)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (4.0.3-7ubuntu0.11)
Patches:
Upstream: https://gitlab.com/libtiff/libtiff/commit/802d3cbf3043be5dce5317e140ccb1c17a6a2d39
Upstream: https://gitlab.com/libtiff/libtiff/commit/27124e9148b2056d0e0bf4033b4924d5d2a38d01
Other: https://gitlab.com/libtiff/libtiff/merge_requests/60
Other: https://gitlab.com/libtiff/libtiff/merge_requests/44
tiff3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Notes

AuthorNote
msalvatore
gdal in bionic and later uses system libtiff
mdeslaur
same fixes as CVE-2018-17000 and CVE-2018-12900
ebarretto
marking openjpeg2 as not affected as it uses system libtiff

References

Bugs