Version in base suite: 4.5.0-6+deb12u2 Base version: tiff_4.5.0-6+deb12u2 Target version: tiff_4.5.0-6+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tiff/tiff_4.5.0-6+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tiff/tiff_4.5.0-6+deb12u3.dsc changelog | 6 ++++++ patches/CVE-2025-9900.patch | 42 ++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 49 insertions(+) gpgv: Signature made Fri Jan 3 16:34:36 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpu8vl38hz/tiff_4.5.0-6+deb12u2.dsc: no acceptable signature found gpgv: Signature made Sat Sep 27 15:49:39 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpu8vl38hz/tiff_4.5.0-6+deb12u3.dsc: no acceptable signature found
diff -Nru tiff-4.5.0/debian/changelog tiff-4.5.0/debian/changelog
--- tiff-4.5.0/debian/changelog 2025-01-03 13:39:11.000000000 +0000
+++ tiff-4.5.0/debian/changelog 2025-09-27 15:42:42.000000000 +0000
@@ -1,3 +1,9 @@
+tiff (4.5.0-6+deb12u3) bookworm-security; urgency=medium
+
+ * CVE-2025-9900
+
+ -- Moritz Mühlenhoff Sat, 27 Sep 2025 17:42:42 +0200
+
 tiff (4.5.0-6+deb12u2) bookworm; urgency=medium
 
 * CVE-2023-2908
diff -Nru tiff-4.5.0/debian/patches/CVE-2025-9900.patch tiff-4.5.0/debian/patches/CVE-2025-9900.patch
--- tiff-4.5.0/debian/patches/CVE-2025-9900.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.5.0/debian/patches/CVE-2025-9900.patch 2025-09-27 15:42:37.000000000 +0000
@@ -0,0 +1,42 @@
+From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+--- tiff-4.5.0.orig/libtiff/tif_getimage.c
++++ tiff-4.5.0/libtiff/tif_getimage.c
+@@ -600,6 +600,22 @@ int TIFFRGBAImageGet(TIFFRGBAImage *img,
+ "No \"put\" routine setupl; probably can not handle image format");
+ return (0);
+ }
++ /* Verify raster width and height against image width and height. */
++ if (h > img->height)
++ {
++ /* Adapt parameters to read only available lines and put image at
++ * the bottom of the raster. */
++ raster += (size_t)(h - img->height) * w;
++ h = img->height;
++ }
++ if (w > img->width)
++ {
++ TIFFWarningExtR(img->tif, TIFFFileName(img->tif),
++ "Raster width of %d shall not be larger than image "
++ "width of %d -> raster width adapted for reading",
++ w, img->width);
++ w = img->width;
++ }
+ return (*img->get)(img, raster, w, h);
+ }
+ 
+@@ -617,9 +633,7 @@ int TIFFReadRGBAImageOriented(TIFF *tif,
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg))
+ {
+ img.req_orientation = (uint16_t)orientation;
+- /* XXX verify rwidth and rheight against width and height */
+- ok = TIFFRGBAImageGet(&img, raster + (rheight - img.height) * rwidth,
+- rwidth, img.height);
++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ TIFFRGBAImageEnd(&img);
+ }
+ else
diff -Nru tiff-4.5.0/debian/patches/series tiff-4.5.0/debian/patches/series
--- tiff-4.5.0/debian/patches/series 2025-01-03 13:38:43.000000000 +0000
+++ tiff-4.5.0/debian/patches/series 2025-09-27 15:42:26.000000000 +0000
@@ -18,3 +18,4 @@
 CVE-2023-52356.patch
 CVE-2023-26966.patch
 CVE-2024-7006.patch
+CVE-2025-9900.patch
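Review bot: In the first nested hunk of the new patch, `raster += (size_t)(h - img->height) * w;` correctly uses the caller's `w` as the row stride before the width branch runs, but the following `w = img->width;` hands the `get` routine a narrower width; if that routine also treats `w` as the raster row stride (its body is not in this hunk), rows of a raster wider than the image will be packed at `img->width` spacing instead of the `rwidth` spacing the caller allocated, and neither the comment nor the warning text says so. A comment above the width branch such as `/* NOTE: w is also the row stride handed to img->get; after clamping, rows are packed at img->width rather than the caller's raster width. */` would record that for the next maintainer, or a TODO to confirm it against the get routines. The height branch adapts silently while the width branch warns; since TIFFReadRGBAImageOriented now passes the unclamped `rheight` on every call, that silence is presumably deliberate and is worth a one-line comment saying the height adaptation is the normal path rather than an error. Both enclosing functions, TIFFRGBAImageGet and TIFFReadRGBAImageOriented, start or continue outside the hunk.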