New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.
VPR Score: 3.6
SynopsisThe remote Debian host is missing a security update.
A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c (called from TIFFWriteDirectoryTagTransferfunction) allows an attacker to cause a denial of service through a crafted tiff file. This vulnerability can be triggered by the executable tiffcp.
There is a NULL pointer dereference in the TIFFWriteDirectorySec function in tif_dirwrite.c that will lead to a denial of service attack, as demonstrated by tiffset.
An Invalid Address dereference was discovered in TIFFWriteDirectoryTagTransferfunction in libtiff/tif_dirwrite.c, affecting the cpSeparateBufToContigBuf function in tiffcp.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tiff file.
We believe this is the same as CVE-2018-17000 (above).
For Debian 8 'Jessie', these problems have been fixed in version 4.0.3-12.3+deb8u8.
We recommend that you upgrade your tiff packages.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
SolutionUpgrade the affected packages.