Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 16.04
- Canonical Ubuntu 18.04
Description
It was discovered that LibTIFF was not properly handling variables used to perform memory management operations when processing an image through tiffcrop, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2023-25433, CVE-2023-26965) It was discovered that LibTIFF was not properly processing numerical values when dealing with little-endian input data, which could lead to the execution of an invalid operation. An attacker could possibly use this issue to cause a denial of service (CVE-2023-26966) It was discovered that LibTIFF was not properly performing bounds checks when closing a previously opened TIFF file, which could lead to a NULL pointer dereference. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-3316) Update Instructions: Run `sudo pro fix USN-6229-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libtiff-opengl – 4.0.6-1ubuntu0.8+esm11 libtiff-tools – 4.0.6-1ubuntu0.8+esm11 libtiff5-dev – 4.0.6-1ubuntu0.8+esm11 libtiff5 – 4.0.6-1ubuntu0.8+esm11 libtiffxx5 – 4.0.6-1ubuntu0.8+esm11 libtiff-doc – 4.0.6-1ubuntu0.8+esm11 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro
CVEs contained in this USN include: CVE-2023-25433, CVE-2023-26965, CVE-2023-26966, CVE-2023-3316.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- CF Deployment
- All versions prior to 30.0.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- CF Deployment
- Upgrade all versions to 30.0.0 or greater
History
2023-08-10: Initial vulnerability report published.
