Some vulnerabilities have been reported in LibTIFF, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) An error within the "putcontig8bitYCbCr12tile()" function in libtiff/tif_getimage.c can be exploited to cause a crash when trying to flip an image vertically on 64-bit platforms.

2) An error within the "TIFFYCbCrtoRGB()" function in libtiff/tif_color.c when processing invalid ReferenceBlackWhite values can be exploited to cause a crash.

3) An assertion error within the "OJPEGPostDecode()" function in libtiff/tif_ojpeg.c can be exploited to terminate an application using the library.

4) The "TIFFNewScanlineSize()", "TIFFScanlineSize()", and "TIFFVStripSize()" functions in libtiff/tif_strip.c call the "TIFFGetField()" without properly checking the return value, which can potentially be exploited to e.g. cause a crash.

5) The library does not properly handle images with "SamplesPerPixel" set to "1" and "Photometric" set to "YCbCr", which can be exploited to cause a crash.

6) Errors when handling TIFF images with undefined strip byte counts can be exploited to cause a crash.

Solution
Update to version 3.9.5.

Provided and/or discovered by
1-4, 6) Reported in e.g. Red Hat bug #583081 or #603024
5) Sauli Pahlman

Changelog
Further details available in Customer Area

Original Advisory
http://www.remotesensing.org/libtiff/v3.9.5.html
http://bugzilla.maptools.org/show_bug.cgi?id=2207
https://bugzilla.redhat.com/show_bug.cgi?id=583081
http://bugzilla.maptools.org/show_bug.cgi?id=2208
https://bugzilla.redhat.com/show_bug.cgi?id=583081
http://bugzilla.maptools.org/show_bug.cgi?id=2209
https://bugzilla.redhat.com/show_bug.cgi?id=583081
http://bugzilla.maptools.org/show_bug.cgi?id=2215
https://bugzilla.redhat.com/show_bug.cgi?id=583081
http://bugzilla.maptools.org/show_bug.cgi?id=2216
http://bugzilla.maptools.org/show_bug.cgi?id=1996#c12
https://bugzilla.redhat.com/show_bug.cgi?id=603024#c9

Deep Links
Links available in Customer Area