CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS
Percentile: 92.7%

oCERT reports:

The dcraw tool, as well as several other projects re-using its
code, suffers from an integer overflow condition which leads to a
buffer overflow.

The vulnerability concerns the ‘len’ variable, parsed without
validation from opened images, used in the ljpeg_start()
function.

A maliciously crafted raw image file can be used to trigger the
vulnerability, causing a Denial of Service condition.
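
A length field read from an image and used as a copy size needs to be checked against both the destination buffer and the remaining input before it is used. The C code below is an added example of that check for a JPEG-style marker segment; it is not dcraw's code or part of the oCERT report, and `read_segment`, the sample segments and the buffer size are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not dcraw's code. A JPEG marker segment is a 2-byte
 * marker, a 2-byte big-endian length that counts the length field itself,
 * then (length - 2) payload bytes. Copies the payload into buf and returns
 * its size, or -1 if the segment is malformed. */
long read_segment(const uint8_t *in, size_t in_len,
                  uint8_t *buf, size_t buf_size, unsigned *tag)
{
    if (in_len < 4)
        return -1;                      /* header itself is truncated */

    *tag = (unsigned)in[0] << 8 | in[1];
    unsigned field = (unsigned)in[2] << 8 | in[3];

    /* Unchecked, `int len = field - 2` is negative for field 0 or 1 and
     * turns into a huge size_t once it is used as a read or copy size. */
    if (field < 2)
        return -1;

    size_t len = (size_t)field - 2;
    if (len > buf_size)                 /* payload must fit the destination */
        return -1;
    if (len > in_len - 4)               /* payload must be present in input */
        return -1;

    memcpy(buf, in + 4, len);
    return (long)len;
}

/* Constructed sample segments, not taken from any real image. */
static const uint8_t seg_ok[]    = {0xff, 0xc4, 0x00, 0x05, 'a', 'b', 'c'};
static const uint8_t seg_short[] = {0xff, 0xc4, 0x00, 0x01};      /* length < 2 */
static const uint8_t seg_trunc[] = {0xff, 0xc4, 0x00, 0x09, 'a'}; /* payload cut */
static uint8_t out[8];                  /* small destination buffer for the demo */
static unsigned seg_tag;                /* receives the parsed marker */

int main(void)
{
    printf("ok:    %ld\n", read_segment(seg_ok, sizeof seg_ok, out, sizeof out, &seg_tag));
    printf("short: %ld\n", read_segment(seg_short, sizeof seg_short, out, sizeof out, &seg_tag));
    printf("trunc: %ld\n", read_segment(seg_trunc, sizeof seg_trunc, out, sizeof out, &seg_tag));
    return 0;
}
```
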

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | cinepaint | = 0.22.0 | UNKNOWN |
FreeBSD | any | noarch | darktable | < 1.6.7 | UNKNOWN |
FreeBSD | any | noarch | dcraw | = 7.00 | UNKNOWN |
FreeBSD | any | noarch | dcraw | < 9.26 | UNKNOWN |
FreeBSD | any | noarch | dcraw-m | = 0 | UNKNOWN |
FreeBSD | any | noarch | exact-image | < 0.9.1 | UNKNOWN |
FreeBSD | any | noarch | flphoto | = 0 | UNKNOWN |
FreeBSD | any | noarch | freeimage | = 3.13.0 | UNKNOWN |
FreeBSD | any | noarch | freeimage | < 3.16.0_1 | UNKNOWN |
FreeBSD | any | noarch | kodi | < 14.2_1 | UNKNOWN |