Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libtiff | Libtiff | * | 3.9.4 (including) |
| Libtiff | Libtiff | 3.4 (including) | 3.4 (including) |
| Libtiff | Libtiff | 3.4-beta18 (including) | 3.4-beta18 (including) |
| Libtiff | Libtiff | 3.4-beta24 (including) | 3.4-beta24 (including) |
| Libtiff | Libtiff | 3.4-beta28 (including) | 3.4-beta28 (including) |
| Libtiff | Libtiff | 3.4-beta29 (including) | 3.4-beta29 (including) |
| Libtiff | Libtiff | 3.4-beta31 (including) | 3.4-beta31 (including) |
| Libtiff | Libtiff | 3.4-beta32 (including) | 3.4-beta32 (including) |
| Libtiff | Libtiff | 3.4-beta34 (including) | 3.4-beta34 (including) |
| Libtiff | Libtiff | 3.4-beta35 (including) | 3.4-beta35 (including) |
| Libtiff | Libtiff | 3.4-beta36 (including) | 3.4-beta36 (including) |
| Libtiff | Libtiff | 3.4-beta37 (including) | 3.4-beta37 (including) |
| Libtiff | Libtiff | 3.5.1 (including) | 3.5.1 (including) |
| Libtiff | Libtiff | 3.5.2 (including) | 3.5.2 (including) |
| Libtiff | Libtiff | 3.5.3 (including) | 3.5.3 (including) |
| Libtiff | Libtiff | 3.5.4 (including) | 3.5.4 (including) |
| Libtiff | Libtiff | 3.5.5 (including) | 3.5.5 (including) |
| Libtiff | Libtiff | 3.5.6 (including) | 3.5.6 (including) |
| Libtiff | Libtiff | 3.5.6-beta (including) | 3.5.6-beta (including) |
| Libtiff | Libtiff | 3.5.7 (including) | 3.5.7 (including) |
| Libtiff | Libtiff | 3.5.7-alpha (including) | 3.5.7-alpha (including) |
| Libtiff | Libtiff | 3.5.7-alpha2 (including) | 3.5.7-alpha2 (including) |
| Libtiff | Libtiff | 3.5.7-alpha3 (including) | 3.5.7-alpha3 (including) |
| Libtiff | Libtiff | 3.5.7-alpha4 (including) | 3.5.7-alpha4 (including) |
| Libtiff | Libtiff | 3.5.7-beta (including) | 3.5.7-beta (including) |
| Libtiff | Libtiff | 3.6.0 (including) | 3.6.0 (including) |
| Libtiff | Libtiff | 3.6.0-beta (including) | 3.6.0-beta (including) |
| Libtiff | Libtiff | 3.6.0-beta2 (including) | 3.6.0-beta2 (including) |
| Libtiff | Libtiff | 3.6.1 (including) | 3.6.1 (including) |
| Libtiff | Libtiff | 3.7.0 (including) | 3.7.0 (including) |
| Libtiff | Libtiff | 3.7.0-alpha (including) | 3.7.0-alpha (including) |
| Libtiff | Libtiff | 3.7.0-beta (including) | 3.7.0-beta (including) |
| Libtiff | Libtiff | 3.7.0-beta2 (including) | 3.7.0-beta2 (including) |
| Libtiff | Libtiff | 3.7.1 (including) | 3.7.1 (including) |
| Libtiff | Libtiff | 3.7.2 (including) | 3.7.2 (including) |
| Libtiff | Libtiff | 3.7.3 (including) | 3.7.3 (including) |
| Libtiff | Libtiff | 3.7.4 (including) | 3.7.4 (including) |
| Libtiff | Libtiff | 3.8.0 (including) | 3.8.0 (including) |
| Libtiff | Libtiff | 3.8.1 (including) | 3.8.1 (including) |
| Libtiff | Libtiff | 3.8.2 (including) | 3.8.2 (including) |
| Libtiff | Libtiff | 3.9 (including) | 3.9 (including) |
| Libtiff | Libtiff | 3.9.0 (including) | 3.9.0 (including) |
| Libtiff | Libtiff | 3.9.0-beta (including) | 3.9.0-beta (including) |
| Libtiff | Libtiff | 3.9.1 (including) | 3.9.1 (including) |
| Libtiff | Libtiff | 3.9.2 (including) | 3.9.2 (including) |
| Libtiff | Libtiff | 3.9.2-5.2.1 (including) | 3.9.2-5.2.1 (including) |
| Libtiff | Libtiff | 3.9.3 (including) | 3.9.3 (including) |
| Red Hat Enterprise Linux 5 | RedHat | libtiff-0:3.8.2-15.el5_8 | * |
| Red Hat Enterprise Linux 6 | RedHat | libtiff-0:3.9.4-6.el6_3 | * |
| Tiff | Ubuntu | devel | * |
| Tiff | Ubuntu | hardy | * |
| Tiff | Ubuntu | lucid | * |
| Tiff | Ubuntu | natty | * |
| Tiff | Ubuntu | oneiric | * |
| Tiff | Ubuntu | precise | * |