Frank Warmerdam

**Name of the Vulnerable Software and Affected Versions** libtiff versions prior to 4.0.3 libtiff-debuginfo versions 3.8.2, 3.9.4 libtiff-static version 3.9.4 libtiff-devel version 3.9.4 **Description** The issue concerns multiple vulnerabilities in the libtiff package, which can lead to a disruption of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The LZW decompressor in the gif2tiff tool in libtiff allows context-dependent attackers to cause a denial of service or possibly execute arbitrary code via a crafted GIF image. **Recommendations** For libtiff versions prior to 4.0.3, update to version 4.0.3 or later. For libtiff-debuginfo versions 3.8.2, 3.9.4, update to a version that is not affected by the vulnerability. For libtiff-static version 3.9.4, update to a version that is not affected by the vulnerability. For libtiff-devel version 3.9.4, update to a version that is not affected by the vulnerability. As a temporary workaround, consider restricting access to the gif2tiff tool until a patch is available.