An exploitable heap based buffer overflow exists in the handling of compressed TIFF images in LibTIFF’s PixarLogDecode api. A crafted TIFF document can lead to a heap based buffer overflow resulting in remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality.
Created libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1389231]
Created mingw-libtiff tracking bugs for this issue:
Affects: fedora-all [bug 1389232]
Affects: epel-7 [bug 1389233]
According to TALOS-2016-0205 the actual CVE ID should be CVE-2016-5875. So is the CVE-2016-5857 alias a typo?
Thanks already for clarification.
Seem like a typo, yes. Fixing. Thank you!
This security flaw is addressed by the patch released for CVE-2016-5320. Therefore Red Hat Enterprise Linux packages are not affected.
*** Bug 1346689 has been marked as a duplicate of this bug. ***
*** Bug 1346697 has been marked as a duplicate of this bug. ***