#VU20390 Integer overflow in LibTIFF - CVE-2019-14973


| Updated: 2022-05-21

Vulnerability identifier: #VU20390

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-14973

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LibTIFF
Universal components / Libraries / Libraries used by multiple products

Vendor: LibTIFF

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attacks.

The vulnerability exists due to integer overflow in the "_TIFFCheckMalloc" and "_TIFFCheckRealloc" functions in the "tif_aux.c" file. A remote attacker can trick a victim to open a specially crafted file that contains crafted TIFF images, trigger integer overflow and crash the target application.


Mitigation
Install update from vendor's website.

Vulnerable software versions

LibTIFF: 3.4 - 4.0.10

External links
https://gitlab.com/libtiff/libtiff/merge_requests/90

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


VMware Tanzu Operations Manager update for LibTIFF
Ubuntu update for tiff
Multiple vulnerabilities in Red Hat Ansible Automation Platform 1.2
Amazon Linux AMI update for libtiff
OpenSUSE Linux update for tiff
Red Hat Enterprise Linux 7 update for libtiff
OpenSUSE Linux update for tiff
Debian update for tiff
Red Hat Enterprise Linux 8 update for libtiff
Debian update for tiff