CVE-2023-52355
Publication date 25 January 2024
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
Read the notes from the security team
Why is this CVE negligible priority?
The fix for this issue is in the documentation for applications to ensure they properly limit memory usage.
Status
Package | Ubuntu Release | Status |
---|---|---|
gdal | ||
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial | Ignored documentation only | |
14.04 LTS trusty | Ignored end of ESM support, was ignored [documentation only] | |
neuron | ||
22.04 LTS jammy | Ignored documentation only | |
20.04 LTS focal | Ignored documentation only | |
18.04 LTS bionic | Ignored documentation only | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
qtwebengine-opensource-src | ||
22.04 LTS jammy | Ignored documentation only | |
20.04 LTS focal | Ignored documentation only | |
18.04 LTS bionic | Ignored documentation only | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
texmaker | ||
22.04 LTS jammy | Ignored documentation only | |
20.04 LTS focal | Ignored documentation only | |
18.04 LTS bionic | Ignored documentation only | |
16.04 LTS xenial | Ignored documentation only | |
14.04 LTS trusty |
Not affected
|
|
tiff | ||
22.04 LTS jammy | Ignored documentation only | |
20.04 LTS focal | Ignored documentation only | |
18.04 LTS bionic | Ignored documentation only | |
16.04 LTS xenial | Ignored documentation only | |
14.04 LTS trusty | Ignored end of ESM support, was ignored [documentation only] |
Notes
sbeattie
texmaker added an embedded copy of libtiff in bionic
rodrigo-zaiden
fix in documentation only, marking all Ubuntu releases as ignored, as the fix in Documentation won't be of any usage in backports. if that is not the case, I'll be happy to move it back to an active status.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |