CVE-2006-2656
EPSS 15.2%
Description
Stack-based buffer overflow in the tiffsplit command in libtiff 3.8.2 and earlier might allow attackers to execute arbitrary code via a long filename. NOTE: tiffsplit is not setuid. If there is not a common scenario under which tiffsplit is called with attacker-controlled command line arguments, then perhaps this issue should not be included in CVE.
How to fix CVE-2006-2656
To remediate CVE-2006-2656, upgrade the affected package to one of the fixed versions listed below.
- Debian/tiff—upgrade to 3.8.2-3 or later
Is CVE-2006-2656 being exploited?
Moderate — EPSS is 15.2%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- from 0, < 3.8.2-3