{"id":"CVE-2017-5225","details":"LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the tools/tiffcp resulting in DoS or code execution via a crafted BitsPerSample value.","modified":"2026-04-16T06:18:49.296715025Z","published":"2017-01-12T11:59:00.133Z","related":["SUSE-SU-2017:0453-1","SUSE-SU-2018:1835-1","openSUSE-SU-2024:11461-1"],"references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1037911"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201709-27"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3844"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/95413"},{"type":"REPORT","url":"http://bugzilla.maptools.org/show_bug.cgi?id=2656"},{"type":"REPORT","url":"http://bugzilla.maptools.org/show_bug.cgi?id=2657"},{"type":"FIX","url":"https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vadz/libtiff","events":[{"introduced":"0"},{"last_affected":"b28076b056eba9d665881bab139d21b21137fd2d"},{"fixed":"5c080298d59efa53264d7248bbe3a04660db6ef7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.0.7"}]}}],"versions":["Pre360","Release-","Release-3-7-0","Release-v3-5-","Release-v3-5-4","Release-v3-5-5","Release-v3-5-7","Release-v3-6-0","Release-v3-6-0beta2","Release-v3-6-1","Release-v3-7-0-alpha","Release-v3-7-0beta","Release-v3-7-0beta2","Release-v3-7-1","Release-v3-7-2","Release-v3-7-3","Release-v3-7-4","Release-v3-8-0","Release-v3-8-1","Release-v3-8-2","Release-v4-0-0","Release-v4-0-0alpha","Release-v4-0-0alpha4","Release-v4-0-0alpha5","Release-v4-0-0alpha6","Release-v4-0-0beta7","Release-v4-0-1","Release-v4-0-2","Release-v4-0-3","Release-v4-0-4","Release-v4-0-4beta","Release-v4-0-5","Release-v4-0-6","Release-v4-0-7"],"database_specific":{"vanir_signatures_modified":"2026-04-11T03:11:39Z","vanir_signatures":[{"target":{"function":"tiffcp","file":"tools/tiffcp.c"},"id":"CVE-2017-5225-4e09e5be","digest":{"length":6122,"function_hash":"139757515412619317776256060797273960561"},"deprecated":false,"source":"https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7","signature_version":"v1","signature_type":"Function"},{"target":{"function":"DECLAREcpFunc","file":"tools/tiffcp.c"},"signature_version":"v1","id":"CVE-2017-5225-56360e4e","deprecated":false,"digest":{"length":1011,"function_hash":"168156336267725420381506114202630947193"},"source":"https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7","signature_type":"Function"},{"target":{"file":"tools/tiffcp.c"},"signature_version":"v1","id":"CVE-2017-5225-da219ced","deprecated":false,"digest":{"line_hashes":["136248069597515547354886829352792017324","276184522356552445469833162815849296552","48733699451098292164688078749491633094","25400277086004514631513115314684551438","98582711887134687347867759195701524014","101824058636121926936295693400555351272","10611410785911493730315934183292050452","322599227046705245941446755801945879635","98582711887134687347867759195701524014","101824058636121926936295693400555351272","10611410785911493730315934183292050452","322599227046705245941446755801945879635","170271766192263683930282281212249681344","229697156173984413749737760831716949294","218489414069696955633694738271343607190","43264974078353853148923916561927878852"],"threshold":0.9},"source":"https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7","signature_type":"Line"},{"target":{"function":"DECLAREcpFunc","file":"tools/tiffcp.c"},"id":"CVE-2017-5225-fa060928","digest":{"length":1011,"function_hash":"97221662646033453553265587060548636437"},"deprecated":false,"source":"https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7","signature_version":"v1","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5225.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}