Three LibTIFF bugs found, only two patched

Buffer overruns, remote code execution, you know the drill

LibTIFF has three bugs that let booby-trapped files pwn a target - and only two of them have been patched.

Described by Cisco Talos' Tyler Bohan, the bugs are a heap buffer overflow in compression tables (CVE-2016-5652), a parsing error (CVE-2016-8331), and a heap buffer overflow (CVE-2016-5875).

The Talos post says the company found the bugs in LibTIFF 4.0.6, released in September.

The parsing error ('8331) is in LibTIFF code for use in fax systems, called BadFaxLines: a crafted image triggers an out-of-bounds memory error, leading to remote code execution. This hasn't yet been patched.

'5875 is a heap buffer overflow in PixarLogDecode discovered by Mathias Svensson, of Google’s Security Team. There's a fix at GitHub here by Evan Rouault of SpatialSys.

'5652 is in the library's Tiff2PDF tool: a crafted file can crash it with either an out-of-bounds write or a heap overflow.

So far so good, but as Threatpost notes, while fixes for two of the three bugs exist, they're scattered around. The long-time host for the library no longer offers the downloads.

The CVS is here, and the GitHub repo is here. ®
