LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a buffer, ignoring the buffer size, which leads to a tif_jbig.c JBIGDecode out-of-bounds write.

Upstream MR:
https://gitlab.com/libtiff/libtiff/merge_requests/38

References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1697
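
The flaw class described in the report above, modelled in C as an added example (not libtiff's code and not the upstream fix): output whose size is set by the compressed stream is copied into a caller buffer, first without and then with a check against the buffer size. `struct decoded_image` and every function name here are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a decoder result: its size is dictated by the
 * compressed stream, not by the caller's buffer. */
struct decoded_image {
    const unsigned char *data;
    size_t size;
};

/* Flawed pattern from the report: buf_size is never consulted, so
 * img->size > buf_size writes past the end of buf. Kept for contrast only. */
size_t copy_unchecked(unsigned char *buf, size_t buf_size, const struct decoded_image *img)
{
    (void)buf_size;
    memcpy(buf, img->data, img->size);
    return img->size;
}

/* Hardened form: refuse output that does not fit; zero-fill a short decode so
 * no stale bytes reach the caller. Returns bytes copied, or -1 on rejection. */
long copy_checked(unsigned char *buf, size_t buf_size, const struct decoded_image *img)
{
    if (img->data == NULL || img->size > buf_size)
        return -1;
    memcpy(buf, img->data, img->size);
    memset(buf + img->size, 0, buf_size - img->size);
    return (long)img->size;
}

/* Constructed scenario: an 8-byte strip buffer followed by one guard byte.
 * Returns copy_checked's result, or -2 if the guard byte was overwritten. */
long demo_checked(size_t decoded_size)
{
    static const unsigned char stream_output[64] = { 0xAA };
    unsigned char mem[9];
    struct decoded_image img = { stream_output, decoded_size };
    memset(mem, 0x5C, sizeof mem);
    long r = copy_checked(mem, 8, &img);
    return mem[8] == 0x5C ? r : -2;
}

int main(void)
{
    printf("%ld %ld %ld\n", demo_checked(8), demo_checked(4), demo_checked(64));
    return 0;
}
```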
Created libtiff tracking bugs for this issue:

Affects: fedora-all [bug 1644230]
Statement: This issue did not affect the versions of libtiff as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the versions of libtiff as shipped with Red Hat Enterprise Linux 7.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2019:2053 https://access.redhat.com/errata/RHSA-2019:2053
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-18557