Vulnerability Details CVE-2018-8975
The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted image file, as demonstrated by pbmmask.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 62.8%
CVSS Severity
CVSS v3 Score 5.5
CVSS v2 Score 4.3
Products affected by CVE-2018-8975
- cpe:2.3:a:netpbm_project:netpbm:10.35.0
- cpe:2.3:a:netpbm_project:netpbm:10.35.98
- cpe:2.3:a:netpbm_project:netpbm:10.36.0
- cpe:2.3:a:netpbm_project:netpbm:10.37.0
- cpe:2.3:a:netpbm_project:netpbm:10.38.0
- cpe:2.3:a:netpbm_project:netpbm:10.39.0
- cpe:2.3:a:netpbm_project:netpbm:10.40.0
- cpe:2.3:a:netpbm_project:netpbm:10.41.0
- cpe:2.3:a:netpbm_project:netpbm:10.42.0
- cpe:2.3:a:netpbm_project:netpbm:10.42.06
- cpe:2.3:a:netpbm_project:netpbm:10.43.00
- cpe:2.3:a:netpbm_project:netpbm:10.43.06
- cpe:2.3:a:netpbm_project:netpbm:10.44.00
- cpe:2.3:a:netpbm_project:netpbm:10.44.04
- cpe:2.3:a:netpbm_project:netpbm:10.45.00
- cpe:2.3:a:netpbm_project:netpbm:10.45.07
- cpe:2.3:a:netpbm_project:netpbm:10.46.00
- cpe:2.3:a:netpbm_project:netpbm:10.46.06
- cpe:2.3:a:netpbm_project:netpbm:10.47.00
- cpe:2.3:a:netpbm_project:netpbm:10.47.63
- cpe:2.3:a:netpbm_project:netpbm:10.48.00
- cpe:2.3:a:netpbm_project:netpbm:10.48.04
- cpe:2.3:a:netpbm_project:netpbm:10.49.00
- cpe:2.3:a:netpbm_project:netpbm:10.49.05
- cpe:2.3:a:netpbm_project:netpbm:10.50.00
- cpe:2.3:a:netpbm_project:netpbm:10.50.08
- cpe:2.3:a:netpbm_project:netpbm:10.51.00
- cpe:2.3:a:netpbm_project:netpbm:10.51.05
- cpe:2.3:a:netpbm_project:netpbm:10.52.00
- cpe:2.3:a:netpbm_project:netpbm:10.52.06
- cpe:2.3:a:netpbm_project:netpbm:10.53.00
- cpe:2.3:a:netpbm_project:netpbm:10.53.05
- cpe:2.3:a:netpbm_project:netpbm:10.54.00
- cpe:2.3:a:netpbm_project:netpbm:10.54.04
- cpe:2.3:a:netpbm_project:netpbm:10.55.00
- cpe:2.3:a:netpbm_project:netpbm:10.55.03
- cpe:2.3:a:netpbm_project:netpbm:10.56.00
- cpe:2.3:a:netpbm_project:netpbm:10.56.05
- cpe:2.3:a:netpbm_project:netpbm:10.57.00
- cpe:2.3:a:netpbm_project:netpbm:10.57.04
- cpe:2.3:a:netpbm_project:netpbm:10.58.00
- cpe:2.3:a:netpbm_project:netpbm:10.58.03
- cpe:2.3:a:netpbm_project:netpbm:10.59.00
- cpe:2.3:a:netpbm_project:netpbm:10.59.03
- cpe:2.3:a:netpbm_project:netpbm:10.60.00
- cpe:2.3:a:netpbm_project:netpbm:10.60.06
- cpe:2.3:a:netpbm_project:netpbm:10.61.00
- cpe:2.3:a:netpbm_project:netpbm:10.61.04
- cpe:2.3:a:netpbm_project:netpbm:10.62.00
- cpe:2.3:a:netpbm_project:netpbm:10.62.09
- cpe:2.3:a:netpbm_project:netpbm:10.63.00
- cpe:2.3:a:netpbm_project:netpbm:10.63.01
- cpe:2.3:a:netpbm_project:netpbm:10.64.00
- cpe:2.3:a:netpbm_project:netpbm:10.64.06
- cpe:2.3:a:netpbm_project:netpbm:10.65.00
- cpe:2.3:a:netpbm_project:netpbm:10.65.07
- cpe:2.3:a:netpbm_project:netpbm:10.66.00
- cpe:2.3:a:netpbm_project:netpbm:10.66.04
- cpe:2.3:a:netpbm_project:netpbm:10.67.00
- cpe:2.3:a:netpbm_project:netpbm:10.67.04
- cpe:2.3:a:netpbm_project:netpbm:10.68.00
- cpe:2.3:a:netpbm_project:netpbm:10.68.03
- cpe:2.3:a:netpbm_project:netpbm:10.69.00
- cpe:2.3:a:netpbm_project:netpbm:10.69.07
- cpe:2.3:a:netpbm_project:netpbm:10.70.00
- cpe:2.3:a:netpbm_project:netpbm:10.70.07
- cpe:2.3:a:netpbm_project:netpbm:10.71.00
- cpe:2.3:a:netpbm_project:netpbm:10.71.03
- cpe:2.3:a:netpbm_project:netpbm:10.72.00
- cpe:2.3:a:netpbm_project:netpbm:10.72.04
- cpe:2.3:a:netpbm_project:netpbm:10.73.00
- cpe:2.3:a:netpbm_project:netpbm:10.74.00
- cpe:2.3:a:netpbm_project:netpbm:10.74.05
- cpe:2.3:a:netpbm_project:netpbm:10.75.00
- cpe:2.3:a:netpbm_project:netpbm:10.75.03
- cpe:2.3:a:netpbm_project:netpbm:10.76.00
- cpe:2.3:a:netpbm_project:netpbm:10.76.01
- cpe:2.3:a:netpbm_project:netpbm:10.77.00
- cpe:2.3:a:netpbm_project:netpbm:10.77.04
- cpe:2.3:a:netpbm_project:netpbm:10.78.00
- cpe:2.3:a:netpbm_project:netpbm:10.78.06
- cpe:2.3:a:netpbm_project:netpbm:10.79.00
- cpe:2.3:a:netpbm_project:netpbm:10.79.07
- cpe:2.3:a:netpbm_project:netpbm:10.80.00
- cpe:2.3:a:netpbm_project:netpbm:10.80.02
- cpe:2.3:a:netpbm_project:netpbm:10.81.00
- cpe:2.3:a:netpbm_project:netpbm:10.81.03