CVE-2017-9937
Publication date 26 June 2017
Last updated 24 July 2024
In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.
Status
Package | Ubuntu Release | Status |
---|---|---|
jbigkit | 22.04 LTS jammy | Fixed 2.1-3.1ubuntu0.22.04.1 |
jbigkit | 20.04 LTS focal | Fixed 2.1-3.1ubuntu0.20.04.1 |
jbigkit | 18.04 LTS bionic | Fixed 2.1-3.1ubuntu0.18.04.1 |
jbigkit | 16.04 LTS xenial | Fixed 2.1-3.1ubuntu0.1~esm1 |
jbigkit | 14.04 LTS trusty | Fixed 2.0-2ubuntu4.1+esm1 |
Notes
mdeslaur
Reported in libtiff, but the issue lies in jbigkit. As of 2018-03-22, no fix is available. This is a DoS only and is caused by the fact that jbigkit handles failed memory allocations with abort() (see checked_malloc()). Fixing this properly would likely require changing the library ABI.
ccdm94
Commit bc3293299b was released in 2020, and it seems to be the commit that fixes this issue, according to the commit message and according to tests made with the commit applied to jbigkit (the error no longer occurs once this fix is applied).
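The failure mode described in the first note above, a library allocator that calls abort() when malloc() fails, shown beside the alternative of returning a status to the caller. This is an added illustration and not jbigkit's or libtiff's code: the allocator, decoder and status names are hypothetical, and the `simulate_oom` hook is constructed so the out-of-memory path can be driven deterministically without exhausting real memory.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration (not jbigkit or libtiff code): all names here are
 * hypothetical. The `simulate_oom` hook is constructed so that the
 * allocation-failure path can be exercised on demand. */
static int simulate_oom = 0;

static void *tracked_malloc(size_t n)
{
    if (simulate_oom)
        return NULL;
    return malloc(n);
}

/* Pattern A: abort() on a failed allocation. Inside a library this turns an
 * unusually large allocation request, which a crafted input can provoke,
 * into termination of whatever process loaded the library: a DoS. */
static void *abort_on_fail_malloc(size_t n)
{
    void *p = tracked_malloc(n);
    if (p == NULL)
        abort();
    return p;
}

static unsigned char *decode_aborting(unsigned width, unsigned height)
{
    size_t bytes = (size_t)width * height;
    unsigned char *buf = abort_on_fail_malloc(bytes);
    memset(buf, 0, bytes);
    return buf;
}

/* Pattern B: report the failure to the caller. The decoder now returns a
 * status and hands the buffer back through an out-parameter; changing a
 * public signature this way is the kind of ABI change the note refers to. */
enum decode_status {
    DECODE_OK = 0,
    DECODE_ERR_BAD_SIZE = 1,
    DECODE_ERR_NOMEM = 2
};

/* Hypothetical upper bound on the image area, checked before allocating so
 * an absurd width/height taken from the input is rejected, not attempted. */
#define MAX_PIXELS (64u * 1024u * 1024u)

static int decode_returning_errors(unsigned width, unsigned height,
                                   unsigned char **out)
{
    *out = NULL;
    if (width == 0 || height == 0 || width > MAX_PIXELS / height)
        return DECODE_ERR_BAD_SIZE;   /* refuse oversize requests up front */
    size_t bytes = (size_t)width * height;
    unsigned char *buf = tracked_malloc(bytes);
    if (buf == NULL)
        return DECODE_ERR_NOMEM;      /* caller decides; the process survives */
    memset(buf, 0, bytes);
    *out = buf;
    return DECODE_OK;
}

/* Drives the out-of-memory path through pattern B and returns its status. */
static int run_oom_scenario(void)
{
    unsigned char *buf = NULL;
    simulate_oom = 1;
    int status = decode_returning_errors(16, 16, &buf);
    simulate_oom = 0;
    free(buf);   /* NULL on the error path, which free() accepts */
    return status;
}

/* Drives the normal path through pattern B and returns its status. */
static int run_normal_scenario(void)
{
    unsigned char *buf = NULL;
    int status = decode_returning_errors(16, 16, &buf);
    free(buf);
    return status;
}
```

Pattern A is only ever exercised here with allocation allowed: running `decode_aborting()` with `simulate_oom` set would terminate the whole process, which is exactly the behaviour the note describes. Pattern B survives the same condition and additionally rejects an implausible size before touching the allocator, so a hostile header cannot even provoke the large request.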
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5742-1: JBIG-KIT vulnerability (24 November 2022)