CVE-2009-2347

Description

Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.

How to fix CVE-2009-2347

To remediate CVE-2009-2347, upgrade the affected package to a fixed version below.

• Debian/tiff—upgrade to 3.8.2-13 or later

Is CVE-2009-2347 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 3.8.2-13

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2009-2347