CVE-2017-2870
published 2017-09-05CVE-2017-2870: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted…
PriorityP339high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
EPSS
2.61%
83.5th percentile
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | gdk-pixbuf | < gdk-pixbuf 2.36.10-1 (bookworm) | gdk-pixbuf 2.36.10-1 (bookworm) |
| gnome | gdk-pixbuf | — | — |
| gnome | gdk-pixbuf | — | — |
| gnome | gdk-pixbuf | >= 0 < 2.36.10-1 | 2.36.10-1 |
| gnome | gdk-pixbuf | >= 0 < 2.36.10-1 | 2.36.10-1 |
| gnome | gdk-pixbuf | >= 0 < 2.36.10-1 | 2.36.10-1 |
| gnome | gdk-pixbuf | >= 0 < 2.36.10-1 | 2.36.10-1 |
| gnome | gdk-pixbuf | >= 0 < 2.30.7-0ubuntu1.7 | 2.30.7-0ubuntu1.7 |
| gnome | gdk-pixbuf | >= 0 < 2.32.2-1ubuntu1.3 | 2.32.2-1ubuntu1.3 |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
osv7.8HIGH
vendor_debian7.8LOW
vendor_redhat7.8HIGH
vendor_ubuntu7.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8frw-r4fr-c96p: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2
ghsa_unreviewed·2022-05-13
CVE-2017-2870 [HIGH] CWE-190 GHSA-8frw-r4fr-c96p: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
OSV
gdk-pixbuf vulnerabilities
osv·2017-09-18·CVSS 7.8
CVE-2017-2862 [HIGH] gdk-pixbuf vulnerabilities
gdk-pixbuf vulnerabilities
It was discovered that the GDK-PixBuf library did not properly handle
certain jpeg images. If an user or automated system were tricked into
opening a specially crafted jpeg file, a remote attacker could use this
flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2017-2862)
It was discovered that the GDK-PixBuf library did not properly handle
certain tiff images. If an user or automated system were tricked into
opening a specially crafted tiff file, a remote attacker could use this
flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2017-2870)
Ariel Zelivansky discovered that the GDK-PixBuf library did not properly
handle printing certain error m
OSV
CVE-2017-2870: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2
osv·2017-09-05·CVSS 7.8
CVE-2017-2870 [HIGH] CVE-2017-2870: An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
Ubuntu
GDK-PixBuf vulnerabilities
vendor_ubuntu·2017-09-18·CVSS 7.8
CVE-2017-2862 [HIGH] GDK-PixBuf vulnerabilities
Title: GDK-PixBuf vulnerabilities
Summary: GDK-PixBuf could be made to crash or run programs as your login if it
opened a specially crafted file.
It was discovered that the GDK-PixBuf library did not properly handle
certain jpeg images. If an user or automated system were tricked into
opening a specially crafted jpeg file, a remote attacker could use this
flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2017-2862)
It was discovered that the GDK-PixBuf library did not properly handle
certain tiff images. If an user or automated system were tricked into
opening a specially crafted tiff file, a remote attacker could use this
flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or
possibly execute arbitrary code. (
Debian
CVE-2017-2870: gdk-pixbuf - An exploitable integer overflow vulnerability exists in the tiff_image_parse fun...
vendor_debian·2017·CVSS 7.8
CVE-2017-2870 [HIGH] CVE-2017-2870: gdk-pixbuf - An exploitable integer overflow vulnerability exists in the tiff_image_parse fun...
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
Scope: local
bookworm: resolved (fixed in 2.36.10-1)
bullseye: resolved (fixed in 2.36.10-1)
forky: resolved (fixed in 2.36.10-1)
sid: resolved (fixed in 2.36.10-1)
trixie: resolved (fixed in 2.36.10-1)
Red Hat
gdk-pixbuf2: Integer overflow in tiff_image_parse function
vendor_redhat·2016-09-07·CVSS 7.8
CVE-2017-2870 [HIGH] CWE-190 gdk-pixbuf2: Integer overflow in tiff_image_parse function
gdk-pixbuf2: Integer overflow in tiff_image_parse function
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
Package: gdk-pixbuf2 (Red Hat Enterprise Linux 6) - Will not fix
Package: gdk-pixbuf2 (Red Hat Enterprise Linux 7) - Will not fix
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities
blogs_talos·2017-08-30·CVSS 7.8
[HIGH] Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities
## Overview
Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting this vulnerability allows an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted TIFF or JPEG image and entices the victim to open it, the attackers code will be executed with the privileges of the local user.
## Details
#### TALOS-2017-0377-- CVE-2017-2870
Vulnerability discovered by Marcin Noga of Cisco Talos and also independently discovered by Tobias Mueller from GDK Security.
An exploitable integer overflow vulnerability exists in the tiff_image_parse functiona
Talos
Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities
blogs_talos·2017-08-30·CVSS 7.8
[HIGH] Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities
## Vulnerability Spotlight: Multiple Gdk-Pixbuf Vulnerabilities
## Overview
Today, Talos is disclosing the discovery of two remote code execution vulnerabilities which have been identified in the Gdk-Pixbuf Toolkit. This toolkit used in multiple desktop applications including Chromium, Firefox, GNOME thumbnailer, VLC and others. Exploiting this vulnerability allows an attacker to gain full control over the victim's machine. If an attacker builds a specially crafted TIFF or JPEG image and entices the victim to open it, the attackers code will be executed with the privileges of the local user.
## Details
## TALOS-2017-0377 -- CVE-2017-2870
Vulnerability discovered by Marcin Noga of Cisco Talos and also independently discovered by Tobias Mueller from GDK Security.
An exploitable integer
Bugzilla
CVE-2017-2870 gdk-pixbuf2: Integer overflow in tiff_image_parse function
bugzilla·2017-08-30·CVSS 7.8
CVE-2017-2870 [HIGH] CVE-2017-2870 gdk-pixbuf2: Integer overflow in tiff_image_parse function
CVE-2017-2870 gdk-pixbuf2: Integer overflow in tiff_image_parse function
An integer overflow vulnerability was foud in tiff_image_parse function leading to undefined behaviour.
Upstream patch:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=31a6cff
Upstream bugs:
https://bugzilla.gnome.org/show_bug.cgi?id=770986
https://bugzilla.gnome.org/show_bug.cgi?id=780269
Discussion:
Analysis:
This is an integer overflow leading to a heap-buffer overflow, which can lead to application crash or even arbitrary code execution in some certain cases.
However as per https://bugzilla.gnome.org/show_bug.cgi?id=780269#c8 it seems that gcc is not really impacted (At least versions of gcc shipped in Red Hat Enterprise Linux which is used to compile all applications shipped in Red Hat Enterprise Linu
http://www.securityfocus.com/bid/100541https://lists.debian.org/debian-lts-announce/2019/12/msg00025.htmlhttps://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377http://www.securityfocus.com/bid/100541https://lists.debian.org/debian-lts-announce/2019/12/msg00025.htmlhttps://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377
2017-09-05
Published