Checking recent vulnerabilities, I found CVE-2009-2285. Looking at Fedora and Ubuntu, I find they are patching tiff for rather more: CVE-2006-2193, CVE-2008-2327, and also CVE-2006-3460..65.
The MITRE reports for that last group are misleading - they label them as applying "before 3.8.2" but they were reported by Tavis Ormandy at Gentoo, and the Gentoo reports say that their ebuilds up to and including 3.8.2-r1 are affected. NB Trac is daft enough to think there is a link in that (ebuild) version; I've no idea how to stop that (quoting it doesn't help).
I've prepared a patch, will upload it shortly.