CVE-2016-3624
Published: 2016-10-03
Priority: P337 · Severity: high · CVSS 3.0: 7.5
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 4.06% (89.4th percentile)
The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tiff | < tiff 4.0.6-3 (bookworm) | tiff 4.0.6-3 (bookworm) |
| libtiff | libtiff | <= 4.0.6 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-g6q5-rqfh-3jr6 (ghsa_unreviewed · 2022-05-17): CVE-2016-3624 [HIGH] CWE-787
The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1.
OSV
CVE-2016-3624 (osv · 2016-10-03 · CVSS 7.5): [HIGH]
The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1.
Ubuntu
LibTIFF vulnerabilities (vendor_ubuntu · 2017-07-19 · CVE-2015-7554)
Summary: LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.
USN-3212-1 and USN-3212-2 fixed a vulnerability in LibTIFF. This update provides a subset of the corresponding updates for Ubuntu 12.04 ESM.
Original advisory details:
It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
LibTIFF vulnerabilities (vendor_ubuntu · 2017-02-27 · CVE-2015-7554)
Summary: LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file.
It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libtiff: out of bounds write in the rgb2ycbcr tool (vendor_redhat · 2016-04-08 · CVSS 7.5 · CVE-2016-3624 [HIGH] CWE-787)
The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: libtiff (Red Hat Enterprise Linux 5) - Will not fix
Package: libtiff (Red Hat Enterprise Linux 6) - Will not fix
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Not affected
Package: libtiff (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2016-3624: tiff (vendor_debian · 2016 · CVSS 7.5 · [HIGH])
The cvtClump function in the rgb2ycbcr tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) by setting the "-v" option to -1.
Scope: local
bookworm: resolved (fixed in 4.0.6-3)
bullseye: resolved (fixed in 4.0.6-3)
forky: resolved (fixed in 4.0.6-3)
sid: resolved (fixed in 4.0.6-3)
trixie: resolved (fixed in 4.0.6-3)
No detection rules found.
No public exploits indexed.
References
http://bugzilla.maptools.org/show_bug.cgi?id=2568
http://www.debian.org/security/2017/dsa-3762
http://www.openwall.com/lists/oss-security/2016/04/08/4
http://www.securityfocus.com/bid/85956
https://security.gentoo.org/glsa/201701-16
Published: 2016-10-03