#VU39648 NULL pointer dereference in Fedora - CVE-2016-8690
Vulnerability identifier: #VU39648
Vulnerability risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-476
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Fedora
Operating systems & Components /
Operating system
Vendor: Fedoraproject
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted BMP image in an imginfo command.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Fedora: 23
External links
https://www.openwall.com/lists/oss-security/2016/08/23/6
https://www.openwall.com/lists/oss-security/2016/10/16/14
https://www.securityfocus.com/bid/93590
https://access.redhat.com/errata/RHSA-2017:1208
https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/
https://bugzilla.redhat.com/show_bug.cgi?id=1385499
https://github.com/mdadams/jasper/commit/8f62b4761711d036fd8964df256b938c809b7fca
https://lists.debian.org/debian-lts-announce/2018/11/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22FCKKHQCQ3S6TZY5G44EFDTMWOJXJRD/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
