PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10094 Libtiff CVE debrief

CVE-2016-10094 is a high-severity LibTIFF issue in the tiff2pdf path. The vulnerability is described as an off-by-one error in t2p_readwrite_pdf_image_tile in tools/tiff2pdf.c in LibTIFF 4.0.7, triggered by a crafted image. NVD rates the record at CVSS 7.8, reflecting potentially serious confidentiality, integrity, and availability impact if exploitation succeeds.

Vendor
Libtiff
Product
CVE-2016-10094
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-03-01
Original CVE updated
2026-05-13
Advisory published
2017-03-01
Advisory updated
2026-05-13

Who should care

Administrators, packaging teams, and application owners using LibTIFF 4.0.7—especially any workflow that processes untrusted TIFF input or uses tiff2pdf to convert images—should review exposure and apply the available fix or vendor backport.

Technical summary

The NVD record identifies a CWE-189 (numeric error / off-by-one) weakness in LibTIFF 4.0.7, specifically in t2p_readwrite_pdf_image_tile inside tools/tiff2pdf.c. The documented trigger is a crafted image. The corpus includes a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, so NVD scores the attack vector as local and indicates that user interaction is required (opening or converting the crafted file), even though the short description says remote attackers may be able to trigger the bug.

Defensive priority

High

Recommended defensive actions

  • Inventory systems that ship or embed LibTIFF 4.0.7, including image conversion pipelines that call tiff2pdf.
  • Apply the upstream fix or a trusted vendor backport corresponding to the referenced libtiff patch commit.
  • Restrict processing of untrusted image files and isolate conversion jobs in sandboxes or low-privilege environments.
  • Review downstream advisories and package updates from your distribution, including the Debian and Gentoo references in the corpus.

Evidence notes

Primary evidence comes from the NVD record and its linked references. The corpus ties the flaw to Bugzilla issue 2640, an upstream patch commit in the libtiff repository, and third-party advisories from Debian, Gentoo, and OSS-security. One important nuance is that the short description says 'remote attackers,' while the NVD CVSS vector includes UI:R; this debrief preserves both statements without reconciling beyond the supplied sources.

Official resources

CVE-2016-10094 was published on 2017-03-01 and the supplied NVD record was last modified on 2026-05-13. The corpus includes issue tracking, advisory, and upstream patch references that support defensive remediation.