PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10093 Libtiff CVE debrief

CVE-2016-10093 describes a memory-corruption flaw in LibTIFF’s tiffcp tool (tools/tiffcp.c): an integer overflow can lead to a heap-based buffer overflow when a crafted image is processed. The supplied record rates it High severity and ties it to multiple affected LibTIFF releases. For defenders, the main concern is any system that accepts untrusted TIFF input or ships the LibTIFF utilities.

Vendor: Libtiff
Product: CVE-2016-10093
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-01
Original CVE updated: 2026-05-13
Advisory published: 2017-03-01
Advisory updated: 2026-05-13

Who should care

Administrators, package maintainers, and developers who deploy LibTIFF or software that parses TIFF images, especially if those systems handle untrusted files or include the tiffcp utility.

Technical summary

The CVE description says the bug is an integer overflow in tools/tiffcp.c that can trigger a heap-based buffer overflow from a crafted image. NVD maps the issue to CWE-119 and CWE-190 and lists CVSS v3.0 as AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H in the supplied record. The corpus also names a bug tracker entry, an upstream patch commit, and downstream advisories as references.

Defensive priority

High. This is a memory-corruption issue in image-processing code, so patching and version validation should be prioritized on any system that processes untrusted TIFF files.

Recommended defensive actions

  • Apply the upstream fix referenced in the corpus or a vendor package that includes it.
  • Check your operating-system or distribution advisories, including the Debian security advisory cited in the corpus, for backported remediation.
  • Inventory applications and services that parse TIFF files or invoke LibTIFF utilities, and prioritize any exposed to untrusted input.
  • Temporarily restrict or sandbox TIFF conversion workflows until patched if immediate remediation is not possible.
  • Verify installed package versions against vendor notices and the CVE record before declaring systems remediated.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus. The record states an integer overflow in tools/tiffcp.c leading to heap-based buffer overflow, with NVD weakness mappings CWE-119 and CWE-190 and the supplied CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The source corpus also includes references to a bug tracker issue, an upstream GitHub patch commit, Gentoo and Debian advisories, OSS-security mailing-list posts, and a SecurityFocus entry. The CVE was published on 2017-03-01 and later modified on 2026-05-13.

Official resources

The supplied corpus shows public discussion references from 2017-01-01, with the CVE record published by NVD on 2017-03-01 and later modified on 2026-05-13.