CVE-2018-18557

NameCVE-2018-18557
DescriptionLibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1557-1, DSA-4349-1
NVD severitymedium
Debian Bugs911635

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tiff (PTS)stretch (security), stretch4.0.8-2+deb9u5fixed
buster, buster (security)4.1.0+git191117-2~deb10u2fixed
bullseye, sid4.2.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tiffsourcejessie4.0.3-12.3+deb8u7DLA-1557-1
tiffsourcestretch4.0.8-2+deb9u4DSA-4349-1
tiffsource(unstable)4.0.9+git181026-1911635
tiff3source(unstable)(unfixed)

Notes

https://bugs.chromium.org/p/project-zero/issues/detail?id=1697
https://gitlab.com/libtiff/libtiff/merge_requests/38
https://gitlab.com/libtiff/libtiff/commit/681748ec2f5ce88da5f9fa6831e1653e46af8a66

Search for package or bug name: Reporting problems