CVE-2018-7456: Null Pointer Dereference
First published: Sat Feb 24 2018(Updated: )
A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 4.0.0beta7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.4beta, 4.0.5, 4.0.6, 4.0.7, 4.0.8 and 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.)
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
| debian/tiff | 4.2.0-1+deb11u5 4.2.0-1+deb11u6 4.5.0-6+deb12u2 4.5.0-6+deb12u1 4.5.1+git230720-5 | |
| libtiff | =4.0.9 | |
| Debian | =7.0 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =18.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugzilla.maptools.org/show_bug.cgi?id=2778
- https://access.redhat.com/errata/RHSA-2019:2051
- https://access.redhat.com/errata/RHSA-2019:2053
- https://github.com/xiaoqx/pocs/tree/master/libtiff
- https://gitlab.com/libtiff/libtiff/commit/be4c85b16e8801a16eec25e80eb9f3dd6a96731b
- https://lists.debian.org/debian-lts-announce/2018/04/msg00010.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00011.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00002.html
- https://usn.ubuntu.com/3864-1/
- https://www.debian.org/security/2018/dsa-4349
- https://launchpad.net/bugs/cve/CVE-2018-7456
- https://access.redhat.com/security/cve/CVE-2017-18013
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1556709
- https://bugzilla.redhat.com/show_bug.cgi?id=1556708
- https://security-tracker.debian.org/tracker/CVE-2018-7456
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7456
- https://nvd.nist.gov/vuln/detail/CVE-2018-7456
- https://ubuntu.com/security/CVE-2018-7456
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2018-7456?
CVE-2018-7456 is considered to have a moderate severity level due to the potential for a NULL Pointer Dereference vulnerability affecting various versions of LibTIFF.
How do I fix CVE-2018-7456?
To fix CVE-2018-7456, update to the latest patched versions of LibTIFF or affected software such as Cognos Analytics and Debian's tiff package.
Which versions of LibTIFF are affected by CVE-2018-7456?
CVE-2018-7456 affects LibTIFF versions 3.9.3 through 4.0.9.
Does CVE-2018-7456 affect Debian systems?
Yes, CVE-2018-7456 affects Debian systems, particularly with the tiff package versions specified in the advisory.
Can CVE-2018-7456 impact applications that use LibTIFF?
Yes, applications utilizing vulnerable versions of LibTIFF are at risk of encountering NULL Pointer Dereference issues.
- agent/type
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-7456
- agent/severity
- agent/remedy
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/first-publish-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/description
- agent/trending
- agent/source
- collector/security-tracker-debian
- source/Debian
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4
- package-manager/debian
- vendor/libtiff
- canonical/libtiff
- version/libtiff/4.0.9
- vendor/debian
- canonical/debian
- version/debian/7.0
- version/debian/8.0
- version/debian/9.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/18.10