CVE-2017-5849
Publication date 15 March 2017
Last updated 25 August 2025
Ubuntu priority
Description
tiffttopnm in netpbm 10.47.63 does not properly use the libtiff TIFFRGBAImageGet function, which allows remote attackers to cause a denial of service (out-of-bounds read and write) via a crafted tiff image file, related to transposing width and height values.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| netpbm-free | ||
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
Notes
mdeslaur
Debian and Ubuntu use a netpbm fork which does not contain the issue. See here: http://bugzilla.maptools.org/show_bug.cgi?id=2654#c8
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |