SB2017112323 - Input validation error in tiff (Alpine package)
Published: November 23, 2017
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2017-16232)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=3bb6858aff988546af833aadbf73ab5abafc394f
- https://git.alpinelinux.org/aports/commit/?id=17f5b0b8cb4daab681a3b9c2aca7d363aaa53641
- https://git.alpinelinux.org/aports/commit/?id=6db06001eab088ffd4b195b0b537d2b4634b49f8
- https://git.alpinelinux.org/aports/commit/?id=713292e9b39017387f68cc813361e3da8a1d378b
- https://git.alpinelinux.org/aports/commit/?id=e9c43273f1af86175e73a28b12085cc76e1a7ea6