CVE-2014-8128: 
Linux Debian vulnerability analysis and mitigation

CVE-2014-8128 affects LibTIFF prior to version 4.0.4, as used in Apple iOS before 8.4 and OS X before 10.10.4 and other products. The vulnerability was discovered in January 2015 and allows remote attackers to cause a denial of service through out-of-bounds write via a crafted TIFF image (NVD, MITRE).

The vulnerability manifests as multiple out-of-bounds write conditions in various LibTIFF tools including thumbnail, tiffdither, tiffcmp, and tiff2pdf. The issue was discovered using the American Fuzzy Lop (AFL) fuzzer. The vulnerability has a CVSS 3.1 Base Score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (Conostix Advisory, NVD).

When exploited, this vulnerability allows remote attackers to cause a denial of service through out-of-bounds write operations. The impact primarily affects the availability of systems processing maliciously crafted TIFF images, with no direct impact on confidentiality or integrity (NVD).

The primary mitigation is to update LibTIFF to version 4.0.4 or later. For Apple products, updates are available through iOS 8.4 and OS X 10.10.4. Multiple patches were committed to the LibTIFF CVS HEAD to address various aspects of the vulnerability, though some specific issues in thumbnail, tiffcmp, and tiffdither tools remained unpatched in the initial fixes (Conostix Advisory).