libtiff security update

ID CESA-2008:0863-01
Type centos
Reporter CentOS Project
Modified 2008-08-29T00:41:41


CentOS Errata and Security Advisory CESA-2008:0863-01

The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF) files.

Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash or, possibly, execute arbitrary code. (CVE-2008-2327)

Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.

All libtiff users are advised to upgrade to these updated packages, which contain backported patches to resolve this issue.

Merged security bulletin from advisories:

Affected packages: libtiff libtiff-devel

Upstream details at: