{"id":"CVE-2018-5784","details":"In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries.","modified":"2026-04-16T01:44:37.824195687Z","published":"2018-01-19T08:29:00.320Z","related":["SUSE-SU-2018:1180-1","openSUSE-SU-2024:11461-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"14.04"}]},{"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"16.04"}]},{"cpe":"cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"17.10"}]},{"cpe":"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.0"}]},{"cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"}]},{"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}]}]},"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/05/msg00022.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00002.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3602-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3606-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4349"},{"type":"REPORT","url":"http://bugzilla.maptools.org/show_bug.cgi?id=2772"},{"type":"FIX","url":"https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vadz/libtiff","events":[{"introduced":"0"},{"last_affected":"636f2684a0faaf9510ae4219f286a53f98f37483"}],"database_specific":{"cpe":"cpe:2.3:a:libtiff:libtiff:4.0.9:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"4.0.9"}]}}],"versions":["Pre360","Release-","Release-3-7-0","Release-v3-5-","Release-v3-5-4","Release-v3-5-5","Release-v3-5-7","Release-v3-6-0","Release-v3-6-0beta2","Release-v3-6-1","Release-v3-7-0-alpha","Release-v3-7-0beta","Release-v3-7-0beta2","Release-v3-7-1","Release-v3-7-2","Release-v3-7-3","Release-v3-7-4","Release-v3-8-0","Release-v3-8-1","Release-v3-8-2","Release-v4-0-0","Release-v4-0-0alpha","Release-v4-0-0alpha4","Release-v4-0-0alpha5","Release-v4-0-0alpha6","Release-v4-0-0beta7","Release-v4-0-1","Release-v4-0-2","Release-v4-0-3","Release-v4-0-4","Release-v4-0-4beta","Release-v4-0-5","Release-v4-0-6","Release-v4-0-7","Release-v4-0-8","Release-v4-0-9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-5784.json"}},{"ranges":[{"type":"GIT","repo":"https://gitlab.com/libtiff/libtiff","events":[{"introduced":"0"},{"fixed":"473851d211cf8805a161820337ca74cc9615d6ef"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v3.5.3","v3.5.4","v3.5.5","v3.5.7","v3.6.0","v3.6.0beta2","v3.6.1","v3.7.0","v3.7.0alpha","v3.7.0beta","v3.7.0beta2","v3.7.1","v3.7.2","v3.7.3","v3.7.4","v3.8.0","v3.8.1","v3.8.2","v4.0.0","v4.0.0alpha","v4.0.0alpha4","v4.0.0alpha5","v4.0.0alpha6","v4.0.0beta7","v4.0.1","v4.0.2","v4.0.3","v4.0.4","v4.0.4beta","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.0.9"],"database_specific":{"vanir_signatures":[{"deprecated":false,"id":"CVE-2018-5784-32fcc861","digest":{"line_hashes":["75831772826903519163531091244361149601","78375691951534252794824230083328114641","293301950844137652162995674059519515684","199221968750314404018989121865056121067","5327546639558208921209613398130438931","131256751223841078268448253529362595545","330585039822195982558293263417307448225"],"threshold":0.9},"target":{"file":"tools/tiff2pdf.c"},"signature_type":"Line","source":"https://gitlab.com/libtiff/libtiff@473851d211cf8805a161820337ca74cc9615d6ef","signature_version":"v1"},{"deprecated":false,"source":"https://gitlab.com/libtiff/libtiff@473851d211cf8805a161820337ca74cc9615d6ef","signature_version":"v1","digest":{"length":5724,"function_hash":"213609115515777586211141951442237006584"},"signature_type":"Function","id":"CVE-2018-5784-4a632204","target":{"file":"tools/tiff2pdf.c","function":"t2p_read_tiff_init"}},{"deprecated":false,"signature_version":"v1","digest":{"length":1584,"function_hash":"217941978878947320029816834975166642295"},"target":{"file":"contrib/addtiffo/tif_overview.c","function":"TIFF_WriteOverview"},"signature_type":"Function","id":"CVE-2018-5784-6a8edbef","source":"https://gitlab.com/libtiff/libtiff@473851d211cf8805a161820337ca74cc9615d6ef"},{"deprecated":false,"signature_version":"v1","source":"https://gitlab.com/libtiff/libtiff@473851d211cf8805a161820337ca74cc9615d6ef","target":{"file":"contrib/addtiffo/tif_overview.c"},"signature_type":"Line","id":"CVE-2018-5784-8be40752","digest":{"line_hashes":["280118026582751531607203991365373546876","43719099175510905525229923302533711661","70680763122485257495134726048061920842","57881666676319679057535677400894311885","106582711542385200867802239147585812831","132354293960869030127950657134287496699","55761791276588461682510708734136367267","337647114143564325189136562211559769739","223325157716770488910409838864759636822","42083156524159150658991999267604601331","204171970194303696611234922170369988794"],"threshold":0.9}},{"deprecated":false,"signature_version":"v1","source":"https://gitlab.com/libtiff/libtiff@473851d211cf8805a161820337ca74cc9615d6ef","target":{"file":"tools/tiffcrop.c"},"signature_type":"Line","id":"CVE-2018-5784-af240c7b","digest":{"line_hashes":["172353140212210332738028602722684502789","253628019908197467971345379500435746871","314230488715923400105651815237839916662","77322807136046078891198257595381707816","69718155279689978593491466533212242267","216893751462658506253463015470644614992","302612334229579431412840180403522687990","63355102319794581852982502112322842388","228539468221171595535354674831310576492","19616000769208776864051079112019526069"],"threshold":0.9}},{"deprecated":false,"source":"https://gitlab.com/libtiff/libtiff@473851d211cf8805a161820337ca74cc9615d6ef","signature_version":"v1","digest":{"length":5554,"function_hash":"98152871295658607399717771184892726884"},"signature_type":"Function","id":"CVE-2018-5784-d6b69b9f","target":{"file":"tools/tiffcrop.c","function":"main"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-5784.json","vanir_signatures_modified":"2026-04-11T21:32:51Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}