A flaw was reported in libtiff's thunder decoder. The thunder decoder assumes 4 bits per pixel, but if a file has BitsPerSample set to a smaller value, or defaulted (1), then the allocated strip buffer will be too small, and a heap-based buffer overflow may occur. This could be used to crash an application linked to libtiff, or execute arbitrary code with the privileges of the application opening a malicious TIFF file.
This is CVE-2011-1167. Disclosure is set for March 21st.
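The size mismatch described in the report above, shown as an added example that is neither libtiff's code nor the upstream patch. It is a simplified model that assumes one sample per pixel; all function names are hypothetical, and the sample dimensions are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes in one row when pixels are packed at `bps` bits each (assumes 1 sample/pixel). */
static size_t row_bytes(uint32_t width, uint16_t bps)
{
    return ((size_t)width * bps + 7) / 8;
}

/* Strip buffer size as computed from the file's own BitsPerSample value. */
size_t strip_alloc_bytes(uint32_t width, uint32_t rows, uint16_t bps)
{
    return row_bytes(width, bps) * rows;
}

/* Bytes a decoder that always emits 4-bit pixels produces for the same strip. */
size_t thunder_output_bytes(uint32_t width, uint32_t rows)
{
    return row_bytes(width, 4) * rows;
}

/* Setup-time check: refuse any depth the 4-bit decoder was not written for. */
int thunder_setup_ok(uint16_t bps)
{
    return bps == 4;
}

/* Hardened toy packer: stores npixels 4-bit values, two per byte, and never
 * writes past outlen. Returns bytes written, or -1 if the input is rejected. */
long decode_4bit_checked(const uint8_t *pix, size_t npixels, uint16_t bps,
                         uint8_t *out, size_t outlen)
{
    if (!thunder_setup_ok(bps)) return -1;        /* wrong depth for this codec */
    if ((npixels + 1) / 2 > outlen) return -1;    /* output would not fit */
    for (size_t i = 0; i < npixels; i++) {
        if (i % 2 == 0) out[i / 2] = (uint8_t)((pix[i] & 0x0f) << 4);
        else            out[i / 2] |= pix[i] & 0x0f;
    }
    return (long)((npixels + 1) / 2);
}

int main(void)
{
    /* Constructed sample: 64x8 strip with BitsPerSample defaulted to 1. */
    printf("allocated: %zu bytes\n", strip_alloc_bytes(64, 8, 1));
    printf("4-bit decoder output: %zu bytes\n", thunder_output_bytes(64, 8));
    return 0;
}
```

With the constructed 64x8 strip, the buffer sized from BitsPerSample = 1 is a quarter of what a 4-bit decoder emits, which is why both the depth check at setup and the bounds check at write time matter.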
This is now public:
Created libtiff tracking bugs for this issue
Affects: fedora-all [bug 689574]
Created mingw32-libtiff tracking bugs for this issue
Affects: fedora-all [bug 689575]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0392 https://rhn.redhat.com/errata/RHSA-2011-0392.html