CVE-2018-8975

Name
CVE-2018-8975
Description
The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://github.com/xiaoqx/pocs/blob/master/netpbm
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00056.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LVMWVVFEADMA7XIPXFHGSBRYKEGGDFGE/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VEZRUJ5LNGULJL7QUAHPV5LBOKIJYP5I/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:netpbm_project:netpbm:*:*:*:*:*:*:*:* netpbm >= None <= 10.81.03

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
netpbm 3.17-community 10.73.41-r1 Tom Parker-Shemilt <palfrey@tevp.net> possibly vulnerable