CVE-2018-12900 — tiff - security update

Description

Heap-based buffer overflow in the cpSeparateBufToContigBuf function in tiffcp.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0beta7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 allows remote attackers to cause a denial of service (crash) or possibly have unspecified other impact via a crafted TIFF file.

How to fix CVE-2018-12900

To remediate CVE-2018-12900, upgrade the affected package to a fixed version below.

—upgrade to 4.0.10-r0 or later
—upgrade to 4.0.10-4 or later
—upgrade to 4.0.8-2+deb9u5 or later

Is CVE-2018-12900 being exploited?

Moderate — EPSS is 9.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 4.0.10-r0
from 0, < 4.0.10-4
from 0, < 4.0.8-2+deb9u5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2018-12900
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-12900