Version in base suite: 4.5.0-6+deb12u3
Base version: tiff_4.5.0-6+deb12u3
Target version: tiff_4.5.0-6+deb12u4
Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tiff/tiff_4.5.0-6+deb12u3.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tiff/tiff_4.5.0-6+deb12u4.dsc
changelog | 6 ++++++
patches/CVE-2026-4775.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 51 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp31x8ccai/tiff_4.5.0-6+deb12u3.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp31x8ccai/tiff_4.5.0-6+deb12u4.dsc: no acceptable signature found
diff -Nru tiff-4.5.0/debian/changelog tiff-4.5.0/debian/changelog
--- tiff-4.5.0/debian/changelog 2025-09-27 15:42:42.000000000 +0000
+++ tiff-4.5.0/debian/changelog 2026-04-07 17:22:16.000000000 +0000
@@ -1,3 +1,9 @@
+tiff (4.5.0-6+deb12u4) bookworm-security; urgency=medium
+
+ * CVE-2026-4775 (Closes: #1132632)
+
+ -- Moritz Mühlenhoff Tue, 07 Apr 2026 19:22:16 +0200
+
 tiff (4.5.0-6+deb12u3) bookworm-security; urgency=medium
 
 * CVE-2025-9900
diff -Nru tiff-4.5.0/debian/patches/CVE-2026-4775.patch tiff-4.5.0/debian/patches/CVE-2026-4775.patch
--- tiff-4.5.0/debian/patches/CVE-2026-4775.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.5.0/debian/patches/CVE-2026-4775.patch 2026-04-07 17:22:12.000000000 +0000
@@ -0,0 +1,44 @@
+From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Sun, 22 Feb 2026 23:32:47 +0100
+Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap
+ overflow on images with huge width in YCbCr tile decoding functions
+
+--- tiff-4.5.0.orig/libtiff/tif_getimage.c
++++ tiff-4.5.0/libtiff/tif_getimage.c
+@@ -2082,7 +2082,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ uint32_t *cp1 = cp + w + toskew;
+ uint32_t *cp2 = cp1 + w + toskew;
+ uint32_t *cp3 = cp2 + w + toskew;
+- int32_t incr = 3 * w + 4 * toskew;
++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+ 
+ (void)y;
+ /* adjust fromskew */
+@@ -2222,7 +2222,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+ uint32_t *cp1 = cp + w + toskew;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ 
+ (void)y;
+ fromskew = (fromskew / 4) * (4 * 2 + 2);
+@@ -2378,7 +2378,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 2) * (2 * 2 + 2);
+ cp2 = cp + w + toskew;
+@@ -2481,7 +2481,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
+ cp2 = cp + w + toskew;
diff -Nru tiff-4.5.0/debian/patches/series tiff-4.5.0/debian/patches/series
--- tiff-4.5.0/debian/patches/series 2025-09-27 15:42:26.000000000 +0000
+++ tiff-4.5.0/debian/patches/series 2026-04-07 17:21:56.000000000 +0000
@@ -19,3 +19,4 @@
 CVE-2023-26966.patch
 CVE-2024-7006.patch
 CVE-2025-9900.patch
+CVE-2026-4775.patch
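Review bot: The vendored patch header carries only the upstream From/Date/Subject lines and no DEP-3 fields, so neither the upstream commit nor the bug closed in the changelog is recorded in the patch itself; prepend `Origin: upstream, <UPSTREAM_COMMIT_URL placeholder>` and `Bug-Debian: https://bugs.debian.org/1132632` above the first `---` line. Separately, the fix widens `incr` to `tmsize_t` in all four put functions; if `tmsize_t` is only 32 bits wide on 32-bit targets, `3 * (tmsize_t)w + 4 * (tmsize_t)toskew` could still overflow there for very large `w`, so it is worth confirming that an earlier width check bounds `w` on those architectures. The four hunks in tif_getimage.c are excerpts; each enclosing put function starts or continues outside its hunk.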