PT-2019-5884 · Libtiff+8

Published 2019-08-15 · Updated 2025-01-17 · CVE-2019-17546

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

LibTIFF versions 4.0.10 and earlier
GDAL versions 3.0.1 and earlier
Description

The issue is an integer overflow in the tif_getimage.c component of the LibTIFF library that can lead to a heap-based buffer overflow when a crafted RGBA image is processed. It is associated with a "Negative-size-param" condition. Exploitation of this issue may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service.
Recommendations

For LibTIFF versions 4.0.10 and earlier, update to a version later than 4.0.10 to resolve the issue. For GDAL versions 3.0.1 and earlier, update to a version later than 3.0.1 to resolve the issue. As a temporary workaround, restrict the processing of RGBA images from untrusted sources to reduce the risk of exploitation.

Fix · Integer Overflow · Memory Corruption


Weakness Enumeration

Related Identifiers

ALSA-2020:4634
ALT-PU-2019-3143
ALT-PU-2020-1428
ALT-PU-2021-1729
ALT-PU-2021-2853
ALT-PU-2025-1397
AZL-44190
BDU:2021-03591
CESA-2020_3902
CESA-2020_4634
CVE-2019-17546
DLA-2009-1
DLA-2147-1
DSA-4608-1
DSA-4670-1
MGASA-2019-0366
OPENSUSE-SU-2022:0480-1
OPENSUSE-SU-2022_0480-1
OPENSUSE-SU-2024:13381-1
RHSA-2020:3902
RHSA-2020:4634
RHSA-2020_3902
RHSA-2020_4634
RLSA-2020:4634
SUSE-SU-2022:0480-1
SUSE-SU-2022:0496-1
USN-4158-1
USN-5841-1

Affected Products

ALT Linux
AlmaLinux
CentOS
GDAL
LibTIFF
Red Hat
Rocky Linux
SUSE
Ubuntu