Description: The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                       Version            Status
tiff (PTS)       wheezy                        4.0.2-6+deb7u5     vulnerable
                 wheezy (security)             4.0.2-6+deb7u18    vulnerable
                 jessie (security)             4.0.3-12.3+deb8u5  vulnerable
                 stretch (security), stretch   4.0.8-2+deb9u2     fixed
                 buster, sid                   4.0.9-4            fixed
tiff3 (PTS)      wheezy                        3.9.6-11           vulnerable
                 wheezy (security)             3.9.6-11+deb7u9    fixed

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs


fixed by
according to upstream
unreproducible in VCS. Confirmed for version 4.0.6 in Stretch by verifying
that the reproducer does not trigger the crash anymore.
Tom Lane's patch should be applied for tiff in Wheezy too.
Not confirmed which exact version should fix the issue.
