PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5102 Libtiff CVE debrief

CVE-2016-5102 affects LibTIFF 4.0.6's gif2tiff tool and is described as a buffer overflow in the readgifimage function in gif2tiff.c. The practical impact recorded in the advisory is denial of service through a segmentation fault when a crafted GIF file is processed. NVD classifies the issue as Medium severity with a CVSS 3.0 score of 5.5 and CWE-20 as the associated weakness.

Vendor: Libtiff
Product: CVE-2016-5102
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers who ship or embed LibTIFF, especially environments that use gif2tiff or process untrusted GIF content. Package maintainers for Linux distributions and downstream products should also care because the source references multiple distro advisories and bug trackers.

Technical summary

The vulnerability is a memory-safety issue in gif2tiff's GIF parsing path, specifically the readgifimage function in gif2tiff.c. According to the source record, crafted input can trigger a buffer overflow and cause a crash. The NVD entry associates the issue with libtiff versions up to and including 4.0.6. The record also shows a CVSS 3.0 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which indicates a local attack vector (AV:L), required user interaction (UI:R) and an availability-only impact (A:H), even though the brief description mentions remote attackers.

Defensive priority

Medium. This is a crash-oriented parsing vulnerability rather than a confirmed code-execution issue in the supplied record, but it still matters for applications that automatically or routinely convert untrusted image files.

Recommended defensive actions

  • Upgrade LibTIFF to a version newer than 4.0.6 in affected environments.
  • Review whether gif2tiff is installed or exposed in your build, runtime, or image-processing workflows.
  • Treat untrusted GIF files as potentially dangerous until patched versions are deployed.
  • Monitor distro/vendor advisories referenced in the record for package-specific remediation guidance.
  • If immediate upgrading is not possible, remove or disable workflows that invoke gif2tiff on untrusted input.
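A host check an administrator could run for the actions above (an added example, not taken from the advisory or from the LibTIFF project): it reports whether a gif2tiff binary is on PATH and whether the installed LibTIFF version is at or below 4.0.6. The package names libtiff5 (Debian/Ubuntu) and libtiff (RPM-based) and the pkg-config module libtiff-4 are assumptions about the target distribution.

```shell
#!/bin/sh
# Added example for CVE-2016-5102: flag LibTIFF <= 4.0.6 and report gif2tiff presence.

# Return 0 (true) when the upstream version in $1 is <= 4.0.6.
# Distro suffixes such as "4.0.6-1ubuntu2" or "4.0.6+dfsg" are stripped first;
# the argument must be a version string, not a package name.
libtiff_version_affected() {
    v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    maj=${v%%.*}; rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0          # no minor component present
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0         # no patch component present
    pat=${pat%%.*}                        # drop any fourth component
    key=$((${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0}))
    [ "$key" -le 4000006 ]                # 4.0.6 encoded the same way
}

# Return 0 when a gif2tiff binary (or the path given in $1) is reachable.
gif2tiff_present() {
    command -v "${1:-gif2tiff}" >/dev/null 2>&1
}

# Print the installed LibTIFF version using whichever tool is available.
# Package/module names are assumptions; adjust for the local distribution.
installed_libtiff_version() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --modversion libtiff-4 2>/dev/null && return 0
    command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W -f='${Version}\n' libtiff5 2>/dev/null && return 0
    command -v rpm >/dev/null 2>&1 && rpm -q --qf '%{VERSION}\n' libtiff 2>/dev/null && return 0
    return 1
}

main() {
    if gif2tiff_present; then
        echo "gif2tiff found at $(command -v gif2tiff); review workflows that feed it untrusted GIFs"
    else
        echo "gif2tiff not on PATH"
    fi
    if ver=$(installed_libtiff_version); then
        if libtiff_version_affected "$ver"; then
            echo "LibTIFF $ver is at or below 4.0.6 (CVE-2016-5102 range per the record)"
        else
            echo "LibTIFF $ver is newer than 4.0.6"
        fi
    else
        echo "LibTIFF version could not be determined"
    fi
}

main "$@"
```

Distributions often backport fixes without changing the upstream version, so treat the version check as a starting point and confirm remediation against the distro advisories named in the record (USN-3606-1, GLSA 201701-16).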

Evidence notes

The CVE record and NVD detail page identify LibTIFF 4.0.6 as affected, cite a buffer overflow in readgifimage within gif2tiff.c, and describe denial of service via segmentation fault from a crafted GIF file. Supporting references in the source item include the Maptools bug tracker, Red Hat Bugzilla, Gentoo GLSA 201701-16, Ubuntu USN-3606-1, and SecurityFocus BID 96049. NVD also lists CWE-20 and CVSS 3.0 5.5.

Official resources

CVE-2016-5102 was published on 2017-02-06 and last modified on 2026-05-13 in the supplied record. It is not listed as a CISA KEV item in the provided data.