UBUNTU-CVE-2019-5086

Source
https://ubuntu.com/security/CVE-2019-5086
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-5086.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-5086
Upstream
  • CVE-2019-5086
Downstream
Related
Published
2019-11-21T16:15:00Z
Modified
2026-02-04T04:17:33.477507Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Ubuntu - medium
Summary
[none]
Details

An exploitable integer overflow vulnerability exists in the flattenIncrementally function in the xcf2png and xcf2pnm binaries of xcftools, version 1.0.7. An integer overflow can occur while walking through tiles that could be exploited to corrupt memory and execute arbitrary code. In order to trigger this vulnerability, a victim would need to open a specially crafted XCF file.

References

Affected packages

Ubuntu:Pro:16.04:LTS / xcftools

Package

Name
xcftools
Purl
pkg:deb/ubuntu/xcftools@1.0.7-5ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.0.7-5ubuntu0.1~esm1

Affected versions

1.*
1.0.7-4ubuntu1
1.0.7-5

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "xcftools",
            "binary_version": "1.0.7-5ubuntu0.1~esm1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-5086.json"

Ubuntu:18.04:LTS / xcftools

Package

Name
xcftools
Purl
pkg:deb/ubuntu/xcftools@1.0.7-6ubuntu0.1?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.0.7-6ubuntu0.1

Affected versions

1.*
1.0.7-6

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "xcftools",
            "binary_version": "1.0.7-6ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-5086.json"

Ubuntu:20.04:LTS / xcftools

Package

Name
xcftools
Purl
pkg:deb/ubuntu/xcftools@1.0.7-6ubuntu0.20.04.1?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.0.7-6ubuntu0.20.04.1

Affected versions

1.*
1.0.7-6
1.0.7-6build1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "xcftools",
            "binary_version": "1.0.7-6ubuntu0.20.04.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-5086.json"