CVE-2020-35521

Note

various sources, including upstream, seem to indicate that the
patch for this issue is the same as the patch for CVE-2020-35522.
No patches addressing CVE-2020-35521 specifically were found, and
the upstream changelog indicates that commit b5a935d96b is fixing
more than one issue, both being most likely closely related. No
reproducers or stack traces involving this vulnerability were
found, and the issue links (207 and 209) seem to not exist anymore.
Therefore, releases that have been patched for CVE-2020-35522 will
be considered to have been patched for CVE-2020-35521 as well, as
the only sources of information indicate that the patch for both
issues is the same.

Package	Release	Status
tiff Launchpad, Ubuntu, Debian	bionic	Released (4.0.9-5ubuntu0.5)
	focal	Released (4.1.0+git191117-2ubuntu0.20.04.3)
	groovy	Ignored (end of life)
	hirsute	Not vulnerable (4.1.0+git201212-1ubuntu1)
	impish	Not vulnerable (4.3.0-1)
	jammy	Not vulnerable (4.3.0-6)
	trusty	Released (4.0.3-7ubuntu0.11+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Released (4.2.0, 4.1.0+git201212-1)
	xenial	Released (4.0.6-1ubuntu0.8+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	Patches: upstream: https://gitlab.com/libtiff/libtiff/-/commit/b5a935d96b21cda0f434230cdf8ca958cd8b4eef upstream: https://gitlab.com/libtiff/libtiff/-/merge_requests/165

Parameter	Value
Base score	5.5
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVE-2020-35521

Notes

Priority

Cvss 3 Severity Score

Status

Severity score breakdown

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading