Out-of-bounds write vulnerability was found in _TIFFVGetField function in tif_dirinfo.c, allowing attacker to cause a denial of service or command execution via a crafted TIFF image. Vulnerable code: libtiff/tif_dir.c:1073 1068 if (fip->field_type == TIFF_ASCII 1069 || fip->field_readcount == TIFF_VARIABLE 1070 || fip->field_readcount == TIFF_VARIABLE2 1071 || fip->field_readcount == TIFF_SPP 1072 || tv->count > 1) { 1073 *va_arg(ap, void **) = tv->value; 1074 ret_val = 1; Public via: http://seclists.org/oss-sec/2016/q2/33 Upstream bug: http://bugzilla.maptools.org/show_bug.cgi?id=2549
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1547 https://rhn.redhat.com/errata/RHSA-2016-1547.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1546 https://rhn.redhat.com/errata/RHSA-2016-1546.html