SB2018040103 - Resource exhaustion in tiff (Alpine package)
Published: April 1, 2018
Security Bulletin ID: SB2018040103
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Denial of service
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2018-5784)
The vulnerability allows a remote attacker to cause a DoS condition on the target system. The weakness exists in the TIFFSetDirectory function of tif_dir.c because the declared number of directory entries is not validated against the actual number of directory entries. A remote attacker can submit a specially crafted TIFF file, trigger resource exhaustion and cause the service to crash.
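The check below is an added example, not libtiff's code and not the Alpine patch. It shows the kind of validation the description refers to: a pre-parse guard for classic TIFF input that rejects a directory whose declared entry count does not fit in the bytes actually present, and caps the number of directories walked. The function name, error codes, `max_dirs` limit and sample buffers are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes (hypothetical names for this example). */
enum { TIFF_BAD_HEADER = -1, TIFF_BAD_OFFSET = -2, TIFF_BAD_COUNT = -3, TIFF_TOO_MANY_DIRS = -4 };

/* Read an n-byte unsigned integer in the file's byte order. */
static uint32_t rd(const uint8_t *p, int n, int big) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++)
        v |= (uint32_t)p[i] << (8 * (big ? n - 1 - i : i));
    return v;
}

/* Walk the directory (IFD) chain of a classic, non-Big TIFF held in buf[0..len).
 * Returns the number of directories, or a negative error code. */
int tiff_check_dirs(const uint8_t *buf, size_t len, int max_dirs) {
    if (len < 8 || (buf[0] != 'I' && buf[0] != 'M') || buf[0] != buf[1]) return TIFF_BAD_HEADER;
    int big = (buf[0] == 'M');                       /* "MM" = big-endian, "II" = little-endian */
    if (rd(buf + 2, 2, big) != 42) return TIFF_BAD_HEADER;
    uint32_t off = rd(buf + 4, 4, big);              /* offset of the first directory */
    int dirs = 0;
    while (off != 0) {
        if (dirs == max_dirs) return TIFF_TOO_MANY_DIRS;       /* also stops cyclic chains */
        if (off > len || len - off < 2) return TIFF_BAD_OFFSET;
        uint32_t count = rd(buf + off, 2, big);      /* declared number of entries */
        /* Each entry is 12 bytes; a 4-byte next-directory offset follows the entries. */
        size_t need = 2 + (size_t)count * 12 + 4;
        if (len - off < need) return TIFF_BAD_COUNT; /* declared count exceeds actual data */
        off = rd(buf + off + 2 + (size_t)count * 12, 4, big);
        dirs++;
    }
    return dirs;
}

/* Constructed samples: 8-byte header, then one directory at offset 8 with one 12-byte entry. */
static const uint8_t sample_ok[26] = {
    'I','I',42,0, 8,0,0,0,  1,0,  0,1,3,0,1,0,0,0,1,0,0,0,  0,0,0,0 };
static const uint8_t sample_bad_count[26] = {   /* declares 65535 entries, holds one */
    'I','I',42,0, 8,0,0,0,  0xFF,0xFF,  0,1,3,0,1,0,0,0,1,0,0,0,  0,0,0,0 };
static const uint8_t sample_loop[26] = {        /* next-directory offset points back to 8 */
    'I','I',42,0, 8,0,0,0,  1,0,  0,1,3,0,1,0,0,0,1,0,0,0,  8,0,0,0 };

int main(void) {
    printf("%d %d %d\n", tiff_check_dirs(sample_ok, 26, 16),
           tiff_check_dirs(sample_bad_count, 26, 16), tiff_check_dirs(sample_loop, 26, 16));
    return 0;
}
```

A guard of this kind can run in an upload or ingestion path ahead of an unpatched decoder; it does not replace installing the fixed package.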
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=c1c8c5a78a149b9954517df485d61e66a73a93a4
- https://git.alpinelinux.org/aports/commit/?id=332be619a78433b9c764c24921ce1c65be925706
- https://git.alpinelinux.org/aports/commit/?id=39e7a41708bf7726f95f47c383c9af376504e3f7
- https://git.alpinelinux.org/aports/commit/?id=d44bbad626a89045134ceddb388802b67aeb6cc3
- https://git.alpinelinux.org/aports/commit/?id=e132e3f9bf008c2ec054305050040eb7d6958633
- https://git.alpinelinux.org/aports/commit/?id=f8701de7f90a2ca4b4457a9607333faf24854030