{"id":"USN-5841-1","summary":"tiff vulnerabilities","details":"It was discovered that LibTIFF incorrectly handled certain malformed\nimages. If a user or automated system were tricked into opening a\nspecially crafted image, a remote attacker could crash the application,\nleading to a denial of service, or possibly execute arbitrary code with\nuser privileges. This issue was only fixed in Ubuntu 14.04 ESM.\n(CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524,\nCVE-2022-3970)\n\nIt was discovered that LibTIFF was incorrectly accessing a data structure\nwhen processing data with the tiffcrop tool, which could lead to a heap\nbuffer overflow. An attacker could possibly use this issue to cause a\ndenial of service or execute arbitrary code. (CVE-2022-48281)\n","modified":"2026-02-10T04:42:56Z","published":"2023-02-02T16:34:35Z","related":["UBUNTU-CVE-2019-14973","UBUNTU-CVE-2019-17546","UBUNTU-CVE-2020-35523","UBUNTU-CVE-2020-35524","UBUNTU-CVE-2022-3970","UBUNTU-CVE-2022-48281"],"upstream":["CVE-2019-14973","CVE-2019-17546","CVE-2020-35523","CVE-2020-35524","CVE-2022-3970","CVE-2022-48281","UBUNTU-CVE-2019-14973","UBUNTU-CVE-2019-17546","UBUNTU-CVE-2020-35523","UBUNTU-CVE-2020-35524","UBUNTU-CVE-2022-3970","UBUNTU-CVE-2022-48281"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5841-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-14973"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-17546"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-35523"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-35524"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-3970"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-48281"}],"affected":[{"package":{"name":"tiff","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/tiff@4.0.3-7ubuntu0.11+esm6?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.3-7ubuntu0.11+esm6"}]}],"versions":["4.0.2-4ubuntu3","4.0.3-5ubuntu1","4.0.3-6","4.0.3-6ubuntu1","4.0.3-7","4.0.3-7ubuntu0.1","4.0.3-7ubuntu0.2","4.0.3-7ubuntu0.3","4.0.3-7ubuntu0.4","4.0.3-7ubuntu0.6","4.0.3-7ubuntu0.7","4.0.3-7ubuntu0.8","4.0.3-7ubuntu0.9","4.0.3-7ubuntu0.10","4.0.3-7ubuntu0.11","4.0.3-7ubuntu0.11+esm1","4.0.3-7ubuntu0.11+esm2","4.0.3-7ubuntu0.11+esm3","4.0.3-7ubuntu0.11+esm4","4.0.3-7ubuntu0.11+esm5"],"ecosystem_specific":{"binaries":[{"binary_name":"libtiff-opengl","binary_version":"4.0.3-7ubuntu0.11+esm6"},{"binary_name":"libtiff-tools","binary_version":"4.0.3-7ubuntu0.11+esm6"},{"binary_name":"libtiff4-dev","binary_version":"4.0.3-7ubuntu0.11+esm6"},{"binary_name":"libtiff5","binary_version":"4.0.3-7ubuntu0.11+esm6"},{"binary_name":"libtiff5-alt-dev","binary_version":"4.0.3-7ubuntu0.11+esm6"},{"binary_name":"libtiff5-dev","binary_version":"4.0.3-7ubuntu0.11+esm6"},{"binary_name":"libtiffxx5","binary_version":"4.0.3-7ubuntu0.11+esm6"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5841-1.json","cves_map":{"cves":[{"id":"CVE-2019-14973","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-17546","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2020-35523","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2020-35524","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-3970","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2022-48281","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:14.04:LTS"}}},{"package":{"name":"tiff","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/tiff@4.0.6-1ubuntu0.8+esm9?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.0.6-1ubuntu0.8+esm9"}]}],"versions":["4.0.3-12.3ubuntu2","4.0.5-1","4.0.6-1","4.0.6-1ubuntu0.1","4.0.6-1ubuntu0.2","4.0.6-1ubuntu0.3","4.0.6-1ubuntu0.4","4.0.6-1ubuntu0.5","4.0.6-1ubuntu0.6","4.0.6-1ubuntu0.7","4.0.6-1ubuntu0.8","4.0.6-1ubuntu0.8+esm1","4.0.6-1ubuntu0.8+esm2","4.0.6-1ubuntu0.8+esm3","4.0.6-1ubuntu0.8+esm4","4.0.6-1ubuntu0.8+esm6","4.0.6-1ubuntu0.8+esm7","4.0.6-1ubuntu0.8+esm8"],"ecosystem_specific":{"binaries":[{"binary_name":"libtiff-opengl","binary_version":"4.0.6-1ubuntu0.8+esm9"},{"binary_name":"libtiff-tools","binary_version":"4.0.6-1ubuntu0.8+esm9"},{"binary_name":"libtiff5","binary_version":"4.0.6-1ubuntu0.8+esm9"},{"binary_name":"libtiff5-dev","binary_version":"4.0.6-1ubuntu0.8+esm9"},{"binary_name":"libtiffxx5","binary_version":"4.0.6-1ubuntu0.8+esm9"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5841-1.json","cves_map":{"cves":[{"id":"CVE-2022-48281","severity":[{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}}],"schema_version":"1.7.3"}