CVE-2010-2595

Name of the Vulnerable Software and Affected Versions LibTIFF versions 3.9.0 through 3.9.2 tiff versions prior to 4.0.2-r1

Description The issue is related to the improper handling of invalid ReferenceBlackWhite values in the TIFFYCbCrtoRGB function, which can cause a denial of service (application crash) via a crafted TIFF image. This can be triggered by "downsampled OJPEG input." Additionally, there are multiple vulnerabilities in the tiff package that can lead to breaches of confidentiality, integrity, and availability of protected information, and these can be exploited remotely.

Recommendations For LibTIFF versions 3.9.0 and 3.9.2, consider updating to a version where the TIFFYCbCrtoRGB function is properly fixed. For tiff versions prior to 4.0.2-r1, update to version 4.0.2-r1 or later to address the multiple vulnerabilities. As a temporary workaround, consider restricting the use of the TIFFYCbCrtoRGB function or avoiding the processing of crafted TIFF images until a patch is available.