LibTIFF has three bugs that let booby-trapped files pwn a target - and only two of them have been patched.
Described by Cisco Talos' Tyler Bohan, the bugs are a heap buffer overflow in compression tables (CVE-2016-5652), a parsing error (CVE-2016-8331), and a heap buffer overflow (CVE-2016-5875).
The Talos post says the company found the bugs in LibTIFF 4.0.6, released in September.
The parsing error ('8331) is in LibTIFF code for use in fax systems, called BadFaxLines: a crafted image triggers an out-of-bounds memory error, leading to remote code execution. This hasn't yet been patched.
'5875 is a heap buffer overflow in PixarLogDecode discovered by Mathias Svensson, of Google’s Security Team. There's a fix on GitHub by Even Rouault of Spatialys.
'5652 is in the library's Tiff2PDF tool: a crafted file can crash it with either an out-of-bounds write or a heap overflow.
So far so good, but as Threatpost notes, while fixes for two of the three bugs exist, they're scattered around. The long-time host for the library, remotesensing.org, no longer offers the downloads.