This post has been republished via RSS; it originally appeared at: MSRC Security Update Guide.
tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." MITRE created this CVE on their behalf. The documented Windows updates incorporate updates in LibTIFF which address this vulnerability. Please see [Security Update Guide Supports CVEs Assigned by Industry Partners](https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/) for more information.
Opinions, tips, and news orbiting Microsoft