Andrey Kiselev

**Name of the Vulnerable Software and Affected Versions** kdegraphics versions 2.2.2 through 3.1.3 tiff versions prior to 3.8.1 libtiff3g versions prior to 3.8.1 libtiff3g-dev versions prior to 3.8.1 **Description** The issue involves multiple vulnerabilities in various packages, including kdegraphics, tiff, libtiff3g, and libtiff3g-dev, which can lead to disruptions in confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely, with some requiring authentication. The vulnerabilities are related to an integer overflow in the TIFFFetchData function in tif dirread.c for libtiff before 3.8.1, allowing context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted TIFF image. **Recommendations** For kdegraphics versions 2.2.2 through 3.1.3, update to a version later than 3.1.3 to resolve the issue. For tiff versions prior to 3.8.1, update to version 3.8.1 or later to fix the vulnerability. For libtiff3g versions prior to 3.8.1, update to version 3.8.1 or later to resolve the issue. For libtiff3g-dev versions prior to 3.8.1, update to version 3.8.1 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the vulnerable packages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** libtiff versions prior to 3.8.1 **Description** The issue is related to a double free vulnerability in the tif jpeg.c file of libtiff, which can be triggered by a crafted TIFF image. This vulnerability may allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code. The vulnerability can be exploited remotely. **Recommendations** For libtiff versions prior to 3.8.1, update to version 3.8.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of libtiff to minimize the risk of exploitation. Avoid using libtiff to process untrusted TIFF images until the issue is resolved.