Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2596 to the following vulnerability:

The OJPEGPostDecode function in tif_ojpeg.c in LibTIFF 3.9.0 and 3.9.2, as used in tiff2ps, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted TIFF image, related to "downsampled OJPEG input."

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2596
[2] http://bugzilla.maptools.org/show_bug.cgi?id=2209
[3] https://bugzilla.redhat.com/show_bug.cgi?id=583081
This issue did NOT affect the versions of the libtiff package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.

--

This issue affects the versions of the libtiff package, as shipped with Fedora releases of 12 and 13.

This issue affects the versions of the mingw32-libtiff package, as shipped with Fedora releases of 12 and 13.
Note that we still are vulnerable to this in Fedora and RHEL6 --- I didn't try to fix this bug since it's not clear what the code should do instead.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0222 https://rhn.redhat.com/errata/RHSA-2014-0222.html
Statement: Not vulnerable. This issue did not affect the versions of libtiff as shipped with Red Hat Enterprise Linux 3, 4, or 5.