CVE-2017-5849 — Out-of-bounds Read in Project Netpbm

CWE-125 — Out-of-bounds Read CWE-787 — Out-of-bounds Write6 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 53.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fedoraproject Fedora Netpbm Project Netpbm Debian Netpbm-free

Timeline

PublishedMar 15

Latest updateMay 17

Description

tiffttopnm in netpbm 10.47.63 does not properly use the libtiff TIFFRGBAImageGet function, which allows remote attackers to cause a denial of service (out-of-bounds read and write) via a crafted tiff image file, related to transposing width and height values.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/netpbm-free

▶NVDnetpbm_project/netpbm10.47.63

Also affects: Fedora 24, 25

🔴Vulnerability Details

GHSA

GHSA-7c32-9pjx-pj89: tiffttopnm in netpbm 10↗2022-05-17

▶

📋Vendor Advisories

Red Hat

netpbm: Calls TIFFRGBA with width and height parameters switched↗2017-01-31

▶

Debian

CVE-2017-5849: netpbm-free - tiffttopnm in netpbm 10.47.63 does not properly use the libtiff TIFFRGBAImageGet...↗2017

▶

💬Community

Bugzilla

CVE-2017-5849 netpbm: Calls TIFFRGBA with width and height parameters switched↗2017-02-06

▶

Bugzilla

CVE-2017-2586 CVE-2017-2587 CVE-2017-5849 netpbm: various flaws [fedora-all]↗2017-02-06

▶