Severity Medium
Remote Yes
Type Denial of service
In LibTIFF before 4.0.10, there is a denial of service vulnerability in the TIFFOpen function triggered by resource consumption via crafted input files. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer.
Group Package Affected Fixed Severity Status Ticket
AVG-791 lib32-libtiff 4.0.9-1 4.0.10-1 High Fixed FS#60599
AVG-790 libtiff 4.0.9-2 4.0.10-1 High Fixed FS#60599
Date Advisory Group Package Severity Description
20 Nov 2018 ASA-201811-18 AVG-791 lib32-libtiff High multiple issues
20 Nov 2018 ASA-201811-17 AVG-790 libtiff High multiple issues