LibTIFF is prone to an overflow condition. The TIFFReadDirectory() function in tif_dirread.c fails to properly sanitize user-supplied input resulting in a type casting error, which will cause a stack-based buffer overflow. With a specially crafted TIFF image file, a context-dependent attacker can potentially execute arbitrary code.

Upgrade to version 3.9.7, 4.0.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1028139
• ISS X-Force ID: 1028141
• CVE ID: 2012-2088 (see also: NVD)
• Secunia Advisory ID: 48684 49686 49770 49833 50726 51920 52168 52643
• Bugtraq ID: 54270
• Other Advisory URL: http://home.gdal.org/private/zdi-can-1221/zdi-can-1221.txt
  http://www.mandriva.com/security/advisories?name=MDVSA-2012:101
  https://hermes.opensuse.org/messages/15083566
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-updates/2012-07/msg00009.html
  http://www.gentoo.org/security/en/glsa/glsa-201209-02.xml
  http://www.ubuntu.com/usn/usn-1498-1/
  https://bugzilla.redhat.com/show_bug.cgi?id=810551
  https://bugzilla.redhat.com/show_bug.cgi?id=832864
  https://downloads.avaya.com/css/P8/documents/100166264
• Vendor Specific Advisory URL: http://support.apple.com/kb/HT5672
  http://www.blackberry.com/btsc/KB33425
• Vendor URL: http://www.libtiff.org/
  http://www.remotesensing.org/libtiff/
• RedHat RHSA: RHSA-2012-1054

• Karel Volný