ITK
Outdated LibTiff Sources in ITK Project (CVE-2016-9534)
Description
The master branch of the ITK project contains unpatched sources from libtiff in which CVE-2016-9534 was reported with critical severity. The function TIFFFlushData1 in ITK/Modules/ThirdParty/TIFF/src/itktiff/tif_write.c does not include the security patches and updates available in newer versions of libtiff, which can lead to a heap-buffer-overflow. Per the CVE description, the error path of TIFFFlushData1() does not reset the tif_rawcc and tif_rawcp members when TIFFAppendToStrip() fails, so code that keeps writing into the raw buffer afterwards can overrun it. The fix for the CVE can be found in this commit: libtiff commit.
Possible Solution
To ensure that all security patches are applied, I strongly recommend updating the vendored libtiff files under ITK/Modules/ThirdParty/TIFF to the latest libtiff release; at a minimum the copy must include the TIFFFlushData1 fix, which shipped in libtiff 4.0.7. After updating, confirm that the failure branch of TIFFFlushData1 in tif_write.c resets tif_rawcc and tif_rawcp, which is the substance of the upstream fix.
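As an added practitioner check, not part of the original report and not ITK or libtiff code, the following Python script audits a vendored libtiff copy for the two things this report turns on: the bundled version string in tiffvers.h, and whether the branch of TIFFFlushData1() taken when TIFFAppendToStrip() fails resets tif_rawcc and tif_rawcp. Assumptions: tiffvers.h sits beside tif_write.c in the itktiff directory; libtiff 4.0.7 is taken as the first release carrying the fix; the embedded C excerpts and header lines are constructed, simplified versions in the shape of the pre-fix and post-fix function, not verbatim libtiff sources.

```python
"""Audit a vendored libtiff copy for CVE-2016-9534 (TIFFFlushData1 heap overflow).

Added example, not ITK or libtiff code. Two checks:
  1. version: TIFFLIB_VERSION_STR in tiffvers.h vs 4.0.7 (assumed first fixed release)
  2. code:    the TIFFAppendToStrip() failure branch inside TIFFFlushData1() in
              tif_write.c must reset tif_rawcc and tif_rawcp (the substance of the fix)
"""
import re
import sys
from pathlib import Path

FIXED_IN = (4, 0, 7)  # assumption: first libtiff release carrying the fix
VERSION_RE = re.compile(r'TIFFLIB_VERSION_STR\s+"LIBTIFF,\s*Version\s+(\d+)\.(\d+)\.(\d+)')

# Constructed sample inputs: simplified excerpts in the shape of the real files,
# not verbatim libtiff sources.
OLD_TIFFVERS_H = r'#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.6\nCopyright (c) 1988-1996 Sam Leffler"'
NEW_TIFFVERS_H = r'#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.7\nCopyright (c) 1988-1996 Sam Leffler"'

VULNERABLE_TIF_WRITE_C = r'''
int TIFFFlushData1(TIFF* tif)
{
    if (!TIFFAppendToStrip(tif, tif->tif_curstrip, tif->tif_rawdata, tif->tif_rawcc))
        return (0);                     /* BUG: rawcc/rawcp keep stale values */
    tif->tif_rawcc = 0;
    tif->tif_rawcp = tif->tif_rawdata;
    return (1);
}
'''

FIXED_TIF_WRITE_C = r'''
int TIFFFlushData1(TIFF* tif)
{
    if (!TIFFAppendToStrip(tif, tif->tif_curstrip, tif->tif_rawdata, tif->tif_rawcc)) {
        /* reset even on error: some callers ignore the return code */
        tif->tif_rawcc = 0;
        tif->tif_rawcp = tif->tif_rawdata;
        return (0);
    }
    tif->tif_rawcc = 0;
    tif->tif_rawcp = tif->tif_rawdata;
    return (1);
}
'''


def _matching(text: str, start: int, open_ch: str, close_ch: str) -> int:
    """Index of the delimiter closing the one at text[start], or -1."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    return -1


def parse_libtiff_version(tiffvers_h: str):
    """(major, minor, patch) from TIFFLIB_VERSION_STR, or None if absent."""
    m = VERSION_RE.search(tiffvers_h)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_fixed(version) -> bool:
    return version is not None and version >= FIXED_IN


def extract_function_body(src: str, name: str):
    """Text between the outer braces of C function `name` (brace-matched), or None."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    end = _matching(src, m.end() - 1, "{", "}")
    return src[m.end():end] if end != -1 else None


def flush_error_path_resets_state(tif_write_c: str) -> bool:
    """True if the TIFFAppendToStrip failure branch of TIFFFlushData1 resets both members."""
    body = extract_function_body(tif_write_c, "TIFFFlushData1")
    if body is None:
        return False
    m = re.search(r"if\s*\(\s*!\s*TIFFAppendToStrip\s*\(", body)
    if not m:
        return False
    cond_end = _matching(body, body.index("(", m.start()), "(", ")")
    if cond_end == -1:
        return False
    rest = body[cond_end + 1:].lstrip()
    if rest.startswith("{"):                       # compound statement
        branch = rest[: _matching(rest, 0, "{", "}") + 1]
    else:                                          # single statement
        branch = rest.split(";", 1)[0]
    return bool(re.search(r"tif_rawcc\s*=\s*0\b", branch)
                and re.search(r"tif_rawcp\s*=\s*tif->tif_rawdata\b", branch))


def audit(tiffvers_h: str, tif_write_c: str) -> dict:
    """Combine both checks; the code check decides exposure, since an old version
    string with a backported fix is fine and a newer string without the reset is not."""
    version = parse_libtiff_version(tiffvers_h)
    code_ok = flush_error_path_resets_state(tif_write_c)
    return {"version": version, "version_at_or_above_fix": version_is_fixed(version),
            "flush_error_path_resets_state": code_ok, "exposed": not code_ok}


def main(argv):
    # Assumed layout: tiffvers.h sits beside tif_write.c in ITK's itktiff directory.
    root = Path(argv[1] if len(argv) > 1 else "Modules/ThirdParty/TIFF/src/itktiff")
    vers = root / "tiffvers.h"
    result = audit(vers.read_text() if vers.exists() else "", (root / "tif_write.c").read_text())
    for key, value in result.items():
        print(f"{key}: {value}")
    return 1 if result["exposed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_libtiff.py path/to/itktiff` from an ITK checkout; a non-zero exit means the code-level check failed. The version comparison is reported but not trusted on its own, because a vendored copy may carry a backported fix under an old version string, or a bumped string without the actual change.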
Report Origin
My report was primarily based on a static analysis tool developed at CAST, which flagged the potential vulnerability due to similarities in the codebase.