The libtiff packages contain a library of functions for manipulating TaggedImage File Format (TIFF) files.Several integer overflow flaws, leading to heap-based buffer overflows,were found in various libtiff color space conversion tools. An attackercould create a specially-crafted TIFF file, which once opened by anunsuspecting user, would cause the conversion tool to crash or,potentially, execute arbitrary code with the privileges of the user runningthe tool. (CVE-2009-2347)A buffer underwrite flaw was found in libtiff's Lempel-Ziv-Welch (LZW)compression algorithm decoder. An attacker could create a specially-craftedLZW-encoded TIFF file, which once opened by an unsuspecting user, wouldcause an application linked with libtiff to access an out-of-bounds memorylocation, leading to a denial of service (application crash).(CVE-2009-2285)The CVE-2009-2347 flaws were discovered by Tielei Wang from ICST-ERCIS,Peking University.All libtiff users should upgrade to these updated packages, which containbackported patches to correct these issues. After installing this update,all applications linked with the libtiff library (such as Konqueror) mustbe restarted for the update to take effect.