Vulnerability Description
The matchCurrentInput function inside lou_translateString.c of Liblouis prior to 3.7 does not check the input string's length, allowing attackers to cause a denial of service (application crash via out-of-bounds read) by crafting an input file with certain translation dictionaries.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liblouis | Liblouis | < 3.7.0 |
| Canonical | Ubuntu Linux | 14.04 |
| Opensuse | Leap | 15.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.htmlThird Party Advisory
- http://www.securityfocus.com/bid/105511Third Party AdvisoryVDB Entry
- https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7PatchThird Party Advisory
- https://github.com/liblouis/liblouis/issues/635ExploitPatchThird Party Advisory
- https://usn.ubuntu.com/3782-1/Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00038.htmlThird Party Advisory
- http://www.securityfocus.com/bid/105511Third Party AdvisoryVDB Entry
- https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7PatchThird Party Advisory
- https://github.com/liblouis/liblouis/issues/635ExploitPatchThird Party Advisory
- https://usn.ubuntu.com/3782-1/Third Party Advisory
FAQ
What is CVE-2018-17294?
CVE-2018-17294 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The matchCurrentInput function inside lou_translateString.c of Liblouis prior to 3.7 does not check the input string's length, allowing attackers to cause a denial of service (application crash via ou...
How severe is CVE-2018-17294?
CVE-2018-17294 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17294?
Check the references section above for vendor advisories and patch information. Affected products include: Liblouis Liblouis, Canonical Ubuntu Linux, Opensuse Leap.