Buffer overflow in tiff (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-16231 |
| CWE-ID | CWE-119 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
tiff (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Buffer overflow
EUVDB-ID: #VU31989
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-16231
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used.
MitigationInstall update from vendor's website.
Vulnerable software versionstiff (Alpine package): 4.0.8-r0 - 4.0.8-r1
CPE2.3- cpe:2.3:o:alpine:tiff_alpine_package:4.0.8-r1:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:tiff_alpine_package:4.0.8-r0:*:*:*:*:alpine_linux:*:
http://git.alpinelinux.org/aports/commit/?id=622c0975ca8f9a0441df23a7b943c7172993c082
http://git.alpinelinux.org/aports/commit/?id=47b52e878e5d803ceb888a1404a311e19f30cb6e
http://git.alpinelinux.org/aports/commit/?id=3bb6858aff988546af833aadbf73ab5abafc394f
http://git.alpinelinux.org/aports/commit/?id=0b4aeeae39d8c4e7b2e383af2c5a4590fbaac5d8
http://git.alpinelinux.org/aports/commit/?id=0cff3d3f5f3f43853528ce076c44db6d3493a33e
http://git.alpinelinux.org/aports/commit/?id=62cf5b826847b3244ca96be46f33a14bd7422b3a
http://git.alpinelinux.org/aports/commit/?id=a38ca99fc61c8dc3d9415dab827db85651df413c
http://git.alpinelinux.org/aports/commit/?id=afcf5d53d3f4bbfa525b449faf8ccec32e32983d
http://git.alpinelinux.org/aports/commit/?id=ed7168b963a5da887d32c26351c87f627a6147b2
http://git.alpinelinux.org/aports/commit/?id=17f5b0b8cb4daab681a3b9c2aca7d363aaa53641
http://git.alpinelinux.org/aports/commit/?id=6db06001eab088ffd4b195b0b537d2b4634b49f8
http://git.alpinelinux.org/aports/commit/?id=713292e9b39017387f68cc813361e3da8a1d378b
http://git.alpinelinux.org/aports/commit/?id=e9c43273f1af86175e73a28b12085cc76e1a7ea6
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
