A specific flaw exists with the installation of the Thunder Decode codec. If a malicious page or file is executed by a user, the decoder will fail to accommodate the size of the row, which can lead to a heap-based buffer overflow. More information and a patch can be found here: http://bugzilla.maptools.org/show_bug.cgi?id=2300
Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream.
Added to existing GLSA request.
CVE-2011-1167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1167): Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.
This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).
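The CVE description above ties the overflow to ThunderScan-compressed data paired with an unexpected BitsPerSample value. The following triage check is an added example, not part of this bug thread or of LibTIFF: it walks a classic TIFF's IFDs and flags that combination. The function names are hypothetical, the sample file is constructed (header only, no image data), and the code assumes ThunderScan is defined for 4-bit samples only.

```python
import struct

TAG_BITS_PER_SAMPLE, TAG_COMPRESSION = 258, 259  # TIFF 6.0 tag numbers
COMPRESSION_THUNDERSCAN = 32809                  # ThunderScan compression code
THUNDER_BITS = 4  # assumption: ThunderScan data is defined for 4-bit samples only
FORMATS = {1: ("B", 1), 3: ("H", 2), 4: ("I", 4)}  # BYTE, SHORT, LONG

def _values(data, endian, ftype, count, field_off):
    """Decode one IFD entry; values sit inline when they fit in 4 bytes."""
    if ftype not in FORMATS or count == 0:
        return []
    code, size = FORMATS[ftype]
    total = size * count
    off = field_off if total <= 4 else struct.unpack_from(endian + "I", data, field_off)[0]
    if off + total > len(data):
        raise ValueError("tag value lies outside the file")
    return list(struct.unpack_from(endian + str(count) + code, data, off))

def suspicious_thunder_ifds(data):
    """Return [(ifd_index, bits_per_sample)] for ThunderScan IFDs that are not 4-bit."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF")
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        raise ValueError("not a classic TIFF")
    hits, seen, index = [], set(), 0
    while ifd_off and ifd_off not in seen:       # 'seen' stops IFD offset loops
        seen.add(ifd_off)
        if ifd_off + 2 > len(data):
            raise ValueError("IFD lies outside the file")
        (n,) = struct.unpack_from(endian + "H", data, ifd_off)
        end = ifd_off + 2 + 12 * n
        if end + 4 > len(data):
            raise ValueError("truncated IFD")
        tags = {}
        for pos in range(ifd_off + 2, end, 12):
            tag, ftype, count = struct.unpack_from(endian + "HHI", data, pos)
            if tag in (TAG_BITS_PER_SAMPLE, TAG_COMPRESSION):
                tags[tag] = _values(data, endian, ftype, count, pos + 8)
        compression = (tags.get(TAG_COMPRESSION) or [1])[0]   # TIFF default: 1
        bits = tags.get(TAG_BITS_PER_SAMPLE) or [1]           # TIFF default: 1
        if compression == COMPRESSION_THUNDERSCAN and any(b != THUNDER_BITS for b in bits):
            hits.append((index, bits))
        (ifd_off,) = struct.unpack_from(endian + "I", data, end)
        index += 1
    return hits

def sample_tiff(bits):
    """Constructed header-only TIFF: one IFD, ThunderScan compression, given BitsPerSample."""
    entries = struct.pack("<HHII", TAG_BITS_PER_SAMPLE, 3, 1, bits)
    entries += struct.pack("<HHII", TAG_COMPRESSION, 3, 1, COMPRESSION_THUNDERSCAN)
    return b"II" + struct.pack("<HIH", 42, 8, 2) + entries + struct.pack("<I", 0)
```

A hit means the file should be quarantined or decoded only with a fixed LibTIFF; an empty result says nothing about other TIFF decoder issues.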