A specific flaw exists with the installation of the Thunder Decode codec. If a malicious page or a file is executed by a user, the decoder will fail to accommodate for the size of the row, which can lead to a heap-based buffer overflow.
More information and patch can be found here:
Done in 3.9.4-r1 (patched), 3.9.5 and 4.0 fixed upstream.
Added to existing GLSA request.
Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in
tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to
execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file
that has an unexpected BitsPerSample value.
This issue was resolved and addressed in
GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml
by GLSA coordinator Sean Amoss (ackle).
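The bug class described above, as an added example that is not LibTIFF's code or the Gentoo patch: a simplified ThunderScan-style row decoder that always emits 4-bit pixels, hardened so that a row buffer sized from any other BitsPerSample value is rejected and every write is bounds-checked. The function names, the omission of the 3-bit delta code, and the sample bytes are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical helper: bytes a caller allocates for one row from the file's tags. */
static size_t row_bytes(uint32_t width, uint16_t bps) {
    return ((size_t)width * bps + 7) / 8;
}

/* Store one 4-bit pixel; refuse if the row is full or the buffer is too small. */
static int put_pixel(uint8_t *out, size_t outlen, uint32_t width,
                     uint32_t *n, unsigned v) {
    if (*n >= width || *n / 2 >= outlen) return -1;
    if (*n & 1) out[*n / 2] |= v & 0x0f;
    else        out[*n / 2]  = (uint8_t)((v & 0x0f) << 4);
    (*n)++;
    return 0;
}

/* Simplified model (hypothetical names): the top 2 bits of each input byte
 * select the code. Returns pixels decoded, or -1 when the input is rejected. */
int thunder_decode_row(const uint8_t *in, size_t inlen, uint8_t *out,
                       size_t outlen, uint32_t width, uint16_t bps) {
    static const int delta2[4] = { 0, 1, 0, -1 };  /* index 2 = skip */
    uint32_t n = 0;
    unsigned last = 0;
    if (bps != 4 || outlen < row_bytes(width, 4)) return -1;
    for (size_t i = 0; i < inlen; i++) {
        unsigned code = in[i] & 0xc0, data = in[i] & 0x3f;
        if (code == 0xc0) {                      /* raw 4-bit pixel */
            last = data & 0x0f;
            if (put_pixel(out, outlen, width, &n, last)) return -1;
        } else if (code == 0x40) {               /* three 2-bit deltas */
            for (int s = 4; s >= 0; s -= 2) {
                unsigned d = (data >> s) & 3;
                if (d == 2) continue;
                last = (unsigned)((int)last + delta2[d]) & 0x0f;
                if (put_pixel(out, outlen, width, &n, last)) return -1;
            }
        } else if (code == 0x00) {               /* run of the last pixel */
            for (unsigned r = 0; r < data; r++)
                if (put_pixel(out, outlen, width, &n, last)) return -1;
        } else return -1;                        /* 3-bit deltas omitted here */
    }
    return (int)n;
}

int main(void) {   /* constructed input; BitsPerSample=1 must be rejected */
    const uint8_t in[] = { 0xC5, 0x57 }; uint8_t row[4] = { 0 };
    return thunder_decode_row(in, sizeof in, row, sizeof row, 8, 1) == -1 ? 0 : 1;
}
```

With a width of 8, a row sized for BitsPerSample = 1 is 1 byte while the decoder's 4-bit output needs 4 bytes, which is the size mismatch the checks close.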