CVE-2008-2327

CVSS V2 Medium 6.8 CVSS V3 None

Description

Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.

Overview

CVE ID
CVE-2008-2327

Assigner
cve@mitre.org

Vulnerability Status
Modified

Published Version
2008-08-27T20:41:00

Last Modified Date
2018-10-11T20:40:17

Weakness Enumerations

CWE	URL
CWE-119	http://cwe.mitre.org/data/definitions/119.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
cpe:2.3:a:libtiff:libtiff::::::::	1	OR	3.8.2
cpe:2.3:a:libtiff:libtiff:3.4:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.5.1:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.5.2:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.5.3:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.5.4:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.5.5:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.5.6:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.5.7:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.6.0:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.6.1:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.7.0:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.7.1:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.8.0:::::::*	1	OR
cpe:2.3:a:libtiff:libtiff:3.8.1:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector
NETWORK

Access Compatibility
MEDIUM

Authentication
NONE

Confidentiality Impact
PARTIAL

Integrity Impact
PARTIAL

Availability Impact
PARTIAL

Base Score
6.8

Severity
MEDIUM

Exploitability Score
8.6

Impact Score
6.4

References

Reference URL	Reference Tags
http://security-tracker.debian.net/tracker/CVE-2008-2327
http://security-tracker.debian.net/tracker/DSA-1632-1
http://security-tracker.debian.net/tracker/DTSA-160-1
http://www.debian.org/security/2008/dsa-1632	Patch
http://www.securityfocus.com/bid/30832
http://secunia.com/advisories/31610	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0863.html	Vendor Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2008:184
http://bugs.gentoo.org/show_bug.cgi?id=234080
http://secunia.com/advisories/31623	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=458674
http://secunia.com/advisories/31668	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0847.html
http://secunia.com/advisories/31670	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0848.html	Vendor Advisory
http://secunia.com/advisories/31698	Vendor Advisory
http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html
http://www.ubuntu.com/usn/usn-639-1
http://secunia.com/advisories/31882	Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00121.html
http://secunia.com/advisories/31838	Vendor Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00102.html
http://security.gentoo.org/glsa/glsa-200809-07.xml
http://www.vmware.com/security/advisories/VMSA-2008-0017.html
http://www.securitytracker.com/id?1020750
http://www.us-cert.gov/cas/techalerts/TA08-260A.html	US Government Resource
http://lists.apple.com/archives/security-announce//2008/Nov/msg00001.html
http://support.apple.com/kb/HT3298
http://support.apple.com/kb/HT3318
http://lists.apple.com/archives/security-announce/2008/Nov/msg00002.html
http://secunia.com/advisories/32756	Vendor Advisory
http://support.apple.com/kb/HT3276
http://secunia.com/advisories/31982
http://www.vupen.com/english/advisories/2009/2143	Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-26-265030-1
http://www.vupen.com/english/advisories/2008/2971	Vendor Advisory
http://www.vupen.com/english/advisories/2008/3107	Vendor Advisory
http://www.vupen.com/english/advisories/2008/2438	Vendor Advisory
http://www.vupen.com/english/advisories/2008/2584	Vendor Advisory
http://www.vupen.com/english/advisories/2008/3232
http://www.vupen.com/english/advisories/2008/2776	Vendor Advisory
http://secunia.com/advisories/32706
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5514
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11489
http://www.securityfocus.com/archive/1/497962/100/0/threaded
http://www.securityfocus.com/archive/1/496033/100/0/threaded

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2008-2327
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2327

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 18:28:52				Added to TrackCVE