Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
http://marc.info/?l=oss-security&m=127731610612908&w=2
https://bugzilla.redhat.com/show_bug.cgi?id=599576
http://secunia.com/advisories/40241
http://secunia.com/advisories/40381
http://secunia.com/advisories/50726
http://security.gentoo.org/glsa/glsa-201209-02.xml