A flaw was reported in libtiff's thunder decoder. The thunder decoder assumes 4 bits per pixel, but if a file has BitsPerSample set to a smaller value, or defaulted (1), then the allocated strip buffer will be too small, and a heap-based buffer overflow may occur. This could be used to crash an application linked to libtiff, or execute arbitrary code with the privileges of the application opening a malicious TIFF file.
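As an added illustration (not code from libtiff or from this bug report) of why the strip buffer ends up undersized: libtiff sizes a strip from the file's BitsPerSample, while the ThunderScan decoder always emits 4 bits per pixel. The function and parameter names below are my own, and the final check is the kind of BitsPerSample == 4 validation a decoder must apply before it decodes anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes libtiff allocates per scanline: ceil(width * BitsPerSample / 8). */
size_t scanline_bytes(uint32_t width, uint16_t bits_per_sample) {
    return ((size_t)width * bits_per_sample + 7) / 8;
}

/* Bytes the ThunderScan decoder writes per scanline: it always packs two
 * 4-bit pixels per byte, regardless of what the file's BitsPerSample says. */
size_t thunder_output_bytes(uint32_t width) {
    return ((size_t)width + 1) / 2;
}

/* Number of bytes by which decoding `rows` scanlines overruns the strip
 * buffer (0 when the buffer is large enough). */
size_t thunder_overflow_bytes(uint32_t width, uint32_t rows, uint16_t bits_per_sample) {
    size_t allocated = scanline_bytes(width, bits_per_sample) * rows;
    size_t written   = thunder_output_bytes(width) * rows;
    return written > allocated ? written - allocated : 0;
}

/* Pre-decode validation (hypothetical name): ThunderScan data is only
 * meaningful at 4 bits per sample, so any other value must be rejected
 * before a strip buffer is sized and filled. Returns 1 if acceptable. */
int thunder_setup_check(uint16_t bits_per_sample) {
    return bits_per_sample == 4;
}

int main(void) {
    /* Constructed sample geometry: 64 pixels wide, 8 rows per strip,
     * BitsPerSample left at its default of 1. */
    uint32_t width = 64, rows = 8;
    uint16_t bps = 1;
    printf("BitsPerSample=%u: buffer %zu bytes, decoder writes %zu bytes, overrun %zu bytes\n",
           bps, scanline_bytes(width, bps) * rows, thunder_output_bytes(width) * rows,
           thunder_overflow_bytes(width, rows, bps));
    printf("setup check accepts bps=%u: %d, bps=4: %d\n",
           bps, thunder_setup_check(bps), thunder_setup_check(4));
    return 0;
}
```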
This is CVE-2011-1167. Disclosure is set for March 21st.
This is now public:
http://bugzilla.maptools.org/show_bug.cgi?id=2300
http://www.zerodayinitiative.com/advisories/ZDI-11-107/
Created libtiff tracking bugs for this issue
Affects: fedora-all [bug 689574]
Created mingw32-libtiff tracking bugs for this issue
Affects: fedora-all [bug 689575]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2011:0392 https://rhn.redhat.com/errata/RHSA-2011-0392.html