CVE-2017-2870

Advisory lineage Upstream: 0 Downstream: 8
Modified
Published: 05 Sept 2017, 18:00
Last modified:16 Sept 2024, 17:48

Vulnerability Summary

Overall Risk (default)
medium
46/100
CVSS Score
8.8 HIGH
v3.0 (cve.org)
EPSS Score
2.33% LOW
2% probability -0.80%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

05 Sept 2017, 18:00
Published
Vulnerability first disclosed
16 Sept 2024, 17:48
Last Modified
Vulnerability information updated

Description

An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • v3.0HIGHScore: 8.8CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • v2.0MEDIUMScore: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 2.33% Percentile: 85%

Techniques & Countermeasures

  • CWE-190Integer Overflow or Wraparound

    The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Affected Systems

  • debiandebian_linux

    8.0

  • gnomegdk-pixbuf

    2.36.6 commit: aba8d88798dfc2f3856ea0ddda14b06174bbb2bc compiled with clang -O3 flag libtiff 4.0.6 | 2.36.6

References (3)