Vulnerability Description
LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to verify that the BitsPerSample value is 2, and the t2p_sample_lab_signed_to_unsigned function in tiff2pdf.c.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libtiff | Libtiff | 4.0.3 |
| Debian | Debian Linux | 7.0 |
| Redhat | Enterprise Linux Server | 6.0 |
| Redhat | Enterprise Linux Server Aus | 7.2 |
| Redhat | Enterprise Linux Server Eus | 7.2 |
| Redhat | Enterprise Linux Server Tus | 7.2 |
| Apple | Mac Os X | 10.8.5 |
| Apple | Iphone Os | - |
Related Weaknesses (CWE)
References
- http://bugzilla.maptools.org/show_bug.cgi?id=2487ExploitIssue Tracking
- http://bugzilla.maptools.org/show_bug.cgi?id=2488ExploitIssue Tracking
- http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.htmlMailing List
- http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.htmlMailing List
- http://openwall.com/lists/oss-security/2015/01/24/15Mailing List
- http://rhn.redhat.com/errata/RHSA-2016-1546.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2016-1547.htmlThird Party Advisory
- http://support.apple.com/kb/HT204941Third Party Advisory
- http://support.apple.com/kb/HT204942Third Party Advisory
- http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_WrThird Party Advisory
- http://www.securityfocus.com/bid/72352Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1032760Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/show_bug.cgi?id=1185815Issue TrackingPatch
- https://security.gentoo.org/glsa/201701-16Third Party Advisory
- https://www.debian.org/security/2015/dsa-3273Third Party Advisory
FAQ
What is CVE-2014-8129?
CVE-2014-8129 is a vulnerability with a CVSS score of 8.8 (HIGH). LibTIFF 4.0.3 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted TIFF image, as demonstrated by failure of tif_next.c to...
How severe is CVE-2014-8129?
CVE-2014-8129 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-8129?
Check the references section above for vendor advisories and patch information. Affected products include: Libtiff Libtiff, Debian Debian Linux, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus, Redhat Enterprise Linux Server Eus.