Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2443 to the following vulnerability: Unspecified vulnerability in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) via an OJPEG image with undefined strip offsets. References: http://www.remotesensing.org/libtiff/v3.9.3.html
This CVE refers to the following entry in the upstream changelog: OJPEG: Report an error and avoid a crash if the input file is so broken that the strip offsets are not defined. This problem is already tracked as bug #603024. We are not handling this as a security flaw; this is a NULL pointer dereference flaw with impact limited to application crash. Statement: Not vulnerable. This issue did not affect the versions of libtiff as shipped with Red Hat Enterprise Linux 3, 4, or 5.
CVE-2010-2482 was assigned to the related td_stripbytecount NULL deref issue. Comment #1 applies to that issue as well. The issue is not yet fixed upstream in 3.9.4. References: https://bugs.launchpad.net/bugs/597246 https://bugzilla.redhat.com/show_bug.cgi?id=603024#c9 http://bugzilla.maptools.org/show_bug.cgi?id=1996#c12
These issues are addressed in libtiff-3.9.4-1 packages.