DescriptionThe t2p_readwrite_pdf_image_tile function in LibTIFF allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly execute arbitrary code via a JPEG file with a TIFFTAG_JPEGTABLES of length one.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tiff (PTS)buster4.1.0+git191117-2~deb10u4fixed
buster (security)4.1.0+git191117-2~deb10u7fixed
bullseye (security)4.2.0-1+deb11u4fixed
bookworm, sid4.5.0-5fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tiff3sourcewheezy(not affected)


CVE-2016-9453 for wheezy fixed via CVE-2016-5652
[wheezy] - tiff3 <not-affected> (Tools not shipped by tiff3)
For unstable this fix was included in the fix for TALOS-CAN-0187 / CVE-2016-5652
and included in patches/09-CVE-2016-5652.patch
Problem not reproducible in wheezy with 4.0.2-6+deb7u7, in jessie with 4.0.3-12.3+deb8u1, in both cases I get this output (but no segfault or error with valgrind):
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file ./CVE-2016-9453.tiff for reading.

Search for package or bug name: Reporting problems