Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <dispatch@tracker.debian.org> , <debian-lts-changes@lists.debian.org>
Subject: Accepted tiff 4.2.0-1+deb11u7 (source) into oldoldstable-security
Date: Mon, 29 Sep 2025 15:30:22 +0000
Signed by: Jochen Sprickerhof <jspricke@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Sep 2025 15:19:31 +0200
Source: tiff
Architecture: source
Version: 4.2.0-1+deb11u7
Distribution: bullseye-security
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Jochen Sprickerhof <jspricke@debian.org>
Changes:
 tiff (4.2.0-1+deb11u7) bullseye-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2024-13978: Affected by this vulnerability is the function
     t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps.
     The manipulation leads to null pointer dereference. The attack needs to be
     approached locally. The complexity of an attack is rather high. The
     exploitation appears to be difficult.
   * CVE-2025-9900: This vulnerability is a "write-what-where" condition, triggered
     when the library processes a specially crafted TIFF image file. By providing
     an abnormally large image height value in the file's metadata, an attacker
     can trick the library into writing attacker-controlled color data to an
     arbitrary memory location. This memory corruption can be exploited to cause a
     denial of service (application crash) or to achieve arbitrary code execution
     with the permissions of the user.
Checksums-Sha1:
 e9991450114bea3d1888333b5378bb5fb389cb84 2461 tiff_4.2.0-1+deb11u7.dsc
 5d97ec046c044190f4a5733e73ce63a9d1099578 46088 tiff_4.2.0-1+deb11u7.debian.tar.xz
 d0abd8f07c9e80e8dd45cec24e3c02c8e524048c 6823 tiff_4.2.0-1+deb11u7_source.buildinfo
Checksums-Sha256:
 81940329e678f02202facbcae460dc02a0cddbcfe80b2d96977d51a1cb70cc8c 2461 tiff_4.2.0-1+deb11u7.dsc
 50a74d0a12fc402ec425b1b0a49bc18e3cf0698cb9d43b67a81086d1f067c662 46088 tiff_4.2.0-1+deb11u7.debian.tar.xz
 d72c340d95db13af0178894d56ade5cd733b255259feaa6137a5529313a377c1 6823 tiff_4.2.0-1+deb11u7_source.buildinfo
Files:
 b7cc492acdb47942e6ff98baacce4b95 2461 libs optional tiff_4.2.0-1+deb11u7.dsc
 563ce1efa03b806b07d35cae1181b9b1 46088 libs optional tiff_4.2.0-1+deb11u7.debian.tar.xz
 4ee6d7b27d0fdb5424c99198685056d6 6823 libs optional tiff_4.2.0-1+deb11u7_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEc7KZy9TurdzAF+h6W//cwljmlDMFAmjao1AACgkQW//cwljm
lDOlPw/9HffgLHj/UOzzf0y8RvCHXgsAfAGreNb29qUcBsn5h0zPaJnMYNdzJdRz
q55GSdf5rvEeRiDOSO9dJ7KxfgBlUDg/AUH/jP7GsW9u4vp1AqB2yIm2Z5zhddP0
IehkedbVdj8tRNKCo27EYGcA2ykcdYGnMxIOltceKC7GYpc9tW3uesStecw0aOB9
2Cmq8t/w0vUvHMBgmbxZLPtjDWQKC1bREILfsp/WfFr1a8N+aNF3z1g1+BB/gz8J
uSnAifvMxiNoax/fTqqCd5F1DKR4sZ2yI5mLIKsDKvA5mXznCwPTUaBSMYPhiwW+
9qGy/WntBouvc1NZRmq79mPDMtt+v6ixpWYfIEmIY6szFLiRwAVcB6l/BlbKtz9B
TrSKe2+AUJouH7kx9BEFO6ZMvoVln1LfkAoE9OcI2ZjoPkLWAT2JD3e6dQJoH3E1
cRS5Q+moGS2ZyG9cmrZ2+24jUUgPDP5/4rW6FlwXgVWY8voK9zHOXrkDscXnGniY
hum6fQOBz1bImF4ah8BKd26opXYTB7209/tvkUZhxJrNsMv5qTGGGsn0bGr99k8j
QD7DKW2eue7p5cjCSDo9vJnNcvCSPXiudwkNdEaA3V9cDUdPCluRjIQ9AXRA8pDs
SWIft7PNCXj40RAmGr8yXfSa80/U4bGr+dTQuYr/T0UxkcO+UEE=
=UVF4
-----END PGP SIGNATURE-----

News for package tiff