CVE-2017-9935
Published 2017-06-26
Priority P3 · 46 · high · 8.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 3.92% (89.0th percentile)
In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | tiff | < tiff 4.0.9-2 (bookworm) | tiff 4.0.9-2 (bookworm) |
| libtiff | libtiff | <= 4.0.8 | — |
| libtiff | libtiff | — | — |
CVSS provenance
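| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |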
Red Hat
libtiff: Heap-based buffer overflow in tiff2pdf.c:t2p_write_pdf()
vendor_redhat·2018-10-02·CVSS 8.8
CVE-2018-17795 [HIGH] CWE-122 libtiff: Heap-based buffer overflow in tiff2pdf.c:t2p_write_pdf()
The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
Package: libtiff (Red Hat Enterprise Linux 5) - Not affected
Package: libtiff (Red Hat Enterprise Linux 6) - Not affected
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Not affected
Package: libtiff (Red Hat Enterprise Linux 7) - Not affected
Package: libtiff (Red Hat Enterprise Linux 8) - Not affected
Package: mingw-libtiff (Red Hat Enterprise Linux 8) - Not affected
Ubuntu
LibTIFF vulnerabilities
vendor_ubuntu·2018-03-26
CVE-2016-3186 LibTIFF vulnerabilities
Title: LibTIFF vulnerabilities
Summary: LibTIFF could be made to crash or run programs as your login if it opened a
specially crafted file.
It was discovered that LibTIFF incorrectly handled certain malformed
images. If a user or automated system were tricked into opening a specially
crafted image, a remote attacker could crash the application, leading to a
denial of service, or possibly execute arbitrary code with user privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2018-17795: tiff - The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows rem...
vendor_debian·2018·CVSS 8.8
CVE-2018-17795 [HIGH] CVE-2018-17795: tiff - The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows rem...
The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
Scope: local
bookworm: resolved (fixed in 4.0.9-2)
bullseye: resolved (fixed in 4.0.9-2)
forky: resolved (fixed in 4.0.9-2)
sid: resolved (fixed in 4.0.9-2)
trixie: resolved (fixed in 4.0.9-2)
Red Hat
libtiff: Heap-based buffer overflow in t2p_write_pdf function
vendor_redhat·2017-07-11·CVSS 8.8
CVE-2017-9935 [HIGH] CWE-125 libtiff: Heap-based buffer overflow in t2p_write_pdf function
In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
Package: libtiff (Red Hat Enterprise Linux 5) - Will not fix
Package: libtiff (Red Hat Enterprise Linux 6) - Will not fix
Package: compat-libtiff3 (Red Hat Enterprise Linux 7) - Will not fix
Package: libtiff (Red Hat Enterprise Linux 7) - Will not fix
Debian
CVE-2017-9935: tiff - In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf fun...
vendor_debian·2017·CVSS 8.8
CVE-2017-9935 [HIGH] CVE-2017-9935: tiff - In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf fun...
In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
Scope: local
bookworm: resolved (fixed in 4.0.9-2)
bullseye: resolved (fixed in 4.0.9-2)
forky: resolved (fixed in 4.0.9-2)
sid: resolved (fixed in 4.0.9-2)
trixie: resolved (fixed in 4.0.9-2)
GHSA
GHSA-96fq-9mpq-xgqj: The function t2p_write_pdf in tiff2pdf
ghsa_unreviewed·2022-05-13·CVSS 8.8
CVE-2018-17795 [HIGH] CWE-787 GHSA-96fq-9mpq-xgqj: The function t2p_write_pdf in tiff2pdf
The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
GHSA
GHSA-ccm9-9gxr-9m3p: In LibTIFF 4
ghsa_unreviewed·2022-05-13
CVE-2017-9935 [HIGH] CWE-125 GHSA-ccm9-9gxr-9m3p: In LibTIFF 4
In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
OSV
CVE-2018-17795: The function t2p_write_pdf in tiff2pdf
osv·2018-09-30·CVSS 8.8
CVE-2018-17795 [HIGH] CVE-2018-17795: The function t2p_write_pdf in tiff2pdf
The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 and earlier allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
OSV
CVE-2017-9935: In LibTIFF 4
osv·2017-06-26·CVSS 8.8
CVE-2017-9935 [HIGH] CVE-2017-9935: In LibTIFF 4
In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could lead to different damages. For example, a crafted TIFF document can lead to an out-of-bounds read in TIFFCleanup, an invalid free in TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or a double free in t2p_free. Given these possibilities, it probably could cause arbitrary code execution.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-17795 libtiff: Heap-based buffer overflow in tiff2pdf.c:t2p_write_pdf()
bugzilla·2018-10-02·CVSS 8.8
CVE-2018-17795 [HIGH] CVE-2018-17795 libtiff: Heap-based buffer overflow in tiff2pdf.c:t2p_write_pdf()
The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted TIFF file, a similar issue to CVE-2017-9935.
Upstream Bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2816
Discussion:
Not reproducible on f28 with libtiff-tools-4.0.9-10.fc28.x86_64.
---
Unable to reproduce on any RHEL* packages.
Bugzilla
CVE-2017-10688 CVE-2017-9935 CVE-2017-9936 CVE-2017-9937 mingw-libtiff: various flaws [epel-7]
bugzilla·2017-07-11·CVSS 7.5
CVE-2017-10688 [HIGH] CVE-2017-10688 CVE-2017-9935 CVE-2017-9936 CVE-2017-9937 mingw-libtiff: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template
Bugzilla
CVE-2017-10688 CVE-2017-9935 CVE-2017-9936 CVE-2017-9937 mingw-libtiff: various flaws [fedora-all]
bugzilla·2017-07-11·CVSS 7.5
CVE-2017-10688 [HIGH] CVE-2017-10688 CVE-2017-9935 CVE-2017-9936 CVE-2017-9937 mingw-libtiff: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multip
Bugzilla
CVE-2017-10688 CVE-2017-9935 CVE-2017-9936 CVE-2017-9937 libtiff: various flaws [fedora-all]
bugzilla·2017-07-11·CVSS 7.5
CVE-2017-10688 [HIGH] CVE-2017-10688 CVE-2017-9935 CVE-2017-9936 CVE-2017-9937 libtiff: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla
CVE-2017-9935 libtiff: Heap-based buffer overflow in t2p_write_pdf function
bugzilla·2017-07-11·CVSS 8.8
CVE-2017-9935 [HIGH] CVE-2017-9935 libtiff: Heap-based buffer overflow in t2p_write_pdf function
In LibTIFF 4.0.8, there is a heap-based buffer overflow in the
t2p_write_pdf function in tools/tiff2pdf.c. This heap overflow could
lead to different damages. For example, a crafted TIFF document can
lead to an out-of-bounds read in TIFFCleanup, an invalid free in
TIFFClose or t2p_free, memory corruption in t2p_readwrite_pdf_image, or
a double free in t2p_free. Given these possibilities, it probably could
cause arbitrary code execution.
Upstream bug:
http://bugzilla.maptools.org/show_bug.cgi?id=2704
Discussion:
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1469734]
Created mingw-libtiff tracking bugs for this issue:
Affects: epel-7 [bug 1469735]
Affects: fedora-all [bug 1469736]
arXiv
Code-less Patching for Heap Vulnerabilities Using Targeted Calling Context Encoding
arxiv_fulltext·2018-12-11
http://bugzilla.maptools.org/show_bug.cgi?id=2704
http://www.securityfocus.com/bid/99296
https://lists.debian.org/debian-lts-announce/2017/12/msg00008.html
https://usn.ubuntu.com/3606-1/
https://www.debian.org/security/2018/dsa-4100