CVE-2024-13978

EUVD-2024-54843
A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
| --- | --- | --- | --- | --- | --- | --- |
| NIST | Primary | 2.5 LOW | LOCAL | HIGH | LOW | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L |
| VulDB | CNA | 2.5 LOW | | | | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C |

EPSS Score Percentile: 8%

Affected Products (NVD)

| Vendor | Product | Version |
| --- | --- | --- |
| libtiff | libtiff | 𝑥 ≤ 4.7.0 |

𝑥 = Vulnerable software versions

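Debian Releases

| Debian Product | Codename | Version | Status |
| --- | --- | --- | --- |
| tiff | bookworm | | no-dsa |
| tiff | bookworm (security) | | vulnerable |
| tiff | bullseye | | vulnerable |
| tiff | bullseye (security) | 4.2.0-1+deb11u7 | fixed |
| tiff | forky | 4.7.1-1 | fixed |
| tiff | sid | 4.7.1-1 | fixed |
| tiff | trixie | 4.7.0-3+deb13u1 | fixed |
| tiff | trixie (security) | 4.7.0-3+deb13u1 | fixed |
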
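Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
| --- | --- | --- | --- |
| tiff | bionic | | not-affected |
| tiff | focal | | not-affected |
| tiff | jammy | | not-affected |
| tiff | noble | | not-affected |
| tiff | plucky | | not-affected |
| tiff | questing | Fixed 4.7.0-3ubuntu2 | released |
| tiff | trusty | | not-affected |
| tiff | xenial | | not-affected |
| qtwebengine-opensource-src | bionic | | needs-triage |
| qtwebengine-opensource-src | focal | | needs-triage |
| qtwebengine-opensource-src | jammy | | needs-triage |
| qtwebengine-opensource-src | noble | | needs-triage |
| qtwebengine-opensource-src | plucky | | needs-triage |
| qtwebengine-opensource-src | questing | | needs-triage |
| texmaker | bionic | | needs-triage |
| texmaker | focal | | needs-triage |
| texmaker | jammy | | needs-triage |
| texmaker | noble | | needs-triage |
| texmaker | plucky | | needs-triage |
| texmaker | questing | | needs-triage |
| texmaker | xenial | | needs-triage |
| gdal | bionic | | not-affected |
| gdal | focal | | not-affected |
| gdal | jammy | | not-affected |
| gdal | noble | | not-affected |
| gdal | plucky | | not-affected |
| gdal | questing | | not-affected |
| gdal | trusty | | needs-triage |
| gdal | xenial | | needs-triage |
| neuron | bionic | | needs-triage |
| neuron | focal | | needs-triage |
| neuron | jammy | | needs-triage |
| neuron | noble | | not-affected |
| neuron | plucky | | not-affected |
| neuron | questing | | not-affected |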