I read this 3rd party security advisory about libtiff:

http://blog.talosintel.com/2016/10/LibTIFF-Code-Execution.html

This patch fixes CVE-2016-5652, which is a buffer overflow with potential for remote code execution. You can easily view the commit in this unofficial Git mirror of the libtiff CVS repo:

https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63

Unfortunately, that's the closest thing to an "official" upstream reference to the bug that is viewable in a web browser that I can find.

I had to also take the previous change to the affected file, since the bug fix commit depended on those changes.

This patched libtiff does _seem_ to work properly; I viewed a TIFF file with it.

One of the bugs in that Talos advisory, CVE-2016-8331, is apparently still not fixed upstream. And CVE-2016-5875 appears to me to be fixed by our patch for CVE-2016-5314 [0].

[0] http://bugzilla.maptools.org/show_bug.cgi?id=2554