SB2018051431 - Heap-based buffer overflow in tiff (Alpine package)
Published: May 14, 2018
Security Bulletin ID
SB2018051431
Severity
High
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Heap-based buffer overflow (CVE-ID: CVE-2018-8905)
The vulnerability allows a remote authenticated attacker to cause DoS condition or execute arbitrary code on the target system.The weakness exists in the LZWDecodeCompat function due to insufficient validation of user-supplied input. A remote attacker can submit a specially crafted TIFF file, cause the service to crash or execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=c1c8c5a78a149b9954517df485d61e66a73a93a4
- https://git.alpinelinux.org/aports/commit/?id=78ce279c75c408856851a5d65aa3c6cad2eb3304
- https://git.alpinelinux.org/aports/commit/?id=942d54f276770d9b694bd1d2720587b4fd09b789
- https://git.alpinelinux.org/aports/commit/?id=b5048f60578944dd85221fa9d5e279872d2315b9
- https://git.alpinelinux.org/aports/commit/?id=d9df36a6ec1d80263dd65a582b3b4b207b92ecd3
- https://git.alpinelinux.org/aports/commit/?id=e6a6453651a9c3c80af79c2193ce5ba2d9204c4c