Version in base suite: 4.7.0-3 Base version: tiff_4.7.0-3 Target version: tiff_4.7.0-3+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tiff/tiff_4.7.0-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tiff/tiff_4.7.0-3+deb13u1.dsc changelog | 9 +++ patches/CVE-2024-13978.patch | 101 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-8961.patch | 64 +++++++++++++++++++++++++++ patches/CVE-2025-9165.patch | 28 +++++++++++ patches/CVE-2025-9900.patch | 42 +++++++++++++++++ patches/series | 4 + 6 files changed, 248 insertions(+) gpgv: Signature made Sat Sep 27 15:40:11 2025 UTC gpgv: using RSA key B6E62F3D12AC38495C0DA90510C293B6C37C4E36 gpgv: Note: signatures using the SHA1 algorithm are rejected gpgv: Can't check signature: Bad public key dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmptj5rihst/tiff_4.7.0-3+deb13u1.dsc: no acceptable signature found
diff -Nru tiff-4.7.0/debian/changelog tiff-4.7.0/debian/changelog
--- tiff-4.7.0/debian/changelog 2025-04-05 05:48:49.000000000 +0000
+++ tiff-4.7.0/debian/changelog 2025-09-27 15:34:45.000000000 +0000
@@ -1,3 +1,12 @@
+tiff (4.7.0-3+deb13u1) trixie-security; urgency=medium
+
+ * CVE-2024-13978 (Closes: #1111323)
+ * CVE-2025-8961 (Closes: #1111317)
+ * CVE-2025-9165 (Closes: #1111878)
+ * CVE-2025-9900
+
+ -- Moritz Mühlenhoff Sat, 27 Sep 2025 18:03:27 +0200
+
 tiff (4.7.0-3) unstable; urgency=medium
 
 [ Santiago Vila ]
diff -Nru tiff-4.7.0/debian/patches/CVE-2024-13978.patch tiff-4.7.0/debian/patches/CVE-2024-13978.patch
--- tiff-4.7.0/debian/patches/CVE-2024-13978.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.7.0/debian/patches/CVE-2024-13978.patch 2025-09-19 14:37:15.000000000 +0000
@@ -0,0 +1,101 @@
+From 7be20ccaab97455f192de0ac561ceda7cd9e12d1 Mon Sep 17 00:00:00 2001
+From: Lee Howard
+Date: Fri, 27 Sep 2024 11:21:57 -0700
+Subject: [PATCH] Fix issue #649 in fax2ps caused by regression in commit
+ https://gitlab.com/libtiff/libtiff/-/commit/28c38d648b64a66c3218778c4745225fe3e3a06d
+ where TIFFTAG_FAXFILLFUNC is being used rather than an output buffer.
+
+and
+
+From 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4 Mon Sep 17 00:00:00 2001
+From: Lee Howard
+Date: Sat, 5 Oct 2024 09:45:30 -0700
+Subject: [PATCH] Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH for valid
+ input, addresses issue #650
+
+
+--- tiff-4.7.0.orig/libtiff/tif_read.c
++++ tiff-4.7.0/libtiff/tif_read.c
+@@ -466,7 +466,9 @@ int TIFFReadScanline(TIFF *tif, void *bu
+ }
+ else
+ {
+- memset(buf, 0, (size_t)tif->tif_scanlinesize);
++ /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
++ if (buf)
++ memset(buf, 0, (size_t)tif->tif_scanlinesize);
+ }
+ return (e > 0 ? 1 : -1);
+ }
+@@ -554,7 +556,10 @@ tmsize_t TIFFReadEncodedStrip(TIFF *tif,
+ stripsize = size;
+ if (!TIFFFillStrip(tif, strip))
+ {
+- memset(buf, 0, (size_t)stripsize);
++ /* The output buf may be NULL, in particular if TIFFTAG_FAXFILLFUNC
++ is being used. Thus, memset must be conditional on buf not NULL. */
++ if (buf)
++ memset(buf, 0, (size_t)stripsize);
+ return ((tmsize_t)(-1));
+ }
+ if ((*tif->tif_decodestrip)(tif, buf, stripsize, plane) <= 0)
+@@ -976,7 +981,9 @@ tmsize_t TIFFReadEncodedTile(TIFF *tif,
+ size = tilesize;
+ if (!TIFFFillTile(tif, tile))
+ {
+- memset(buf, 0, (size_t)size);
++ /* See TIFFReadEncodedStrip comment regarding TIFFTAG_FAXFILLFUNC. */
++ if (buf)
++ memset(buf, 0, (size_t)size);
+ return ((tmsize_t)(-1));
+ }
+ else if ((*tif->tif_decodetile)(tif, (uint8_t *)buf, size,
+@@ -1569,7 +1576,9 @@ int TIFFReadFromUserBuffer(TIFF *tif, ui
+ if (!TIFFStartTile(tif, strile))
+ {
+ ret = 0;
+- memset(outbuf, 0, (size_t)outsize);
++ /* See related TIFFReadEncodedStrip comment. */
++ if (outbuf)
++ memset(outbuf, 0, (size_t)outsize);
+ }
+ else if (!(*tif->tif_decodetile)(
+ tif, (uint8_t *)outbuf, outsize,
+@@ -1596,7 +1605,9 @@ int TIFFReadFromUserBuffer(TIFF *tif, ui
+ if (!TIFFStartStrip(tif, strile))
+ {
+ ret = 0;
+- memset(outbuf, 0, (size_t)outsize);
++ /* See related TIFFReadEncodedStrip comment. */
++ if (outbuf)
++ memset(outbuf, 0, (size_t)outsize);
+ }
+ else if (!(*tif->tif_decodestrip)(
+ tif, (uint8_t *)outbuf, outsize,
+--- tiff-4.7.0.orig/tools/tiff2pdf.c
++++ tiff-4.7.0/tools/tiff2pdf.c
+@@ -1371,8 +1371,24 @@ void t2p_read_tiff_init(T2P *t2p, TIFF *
+ t2p->pdf_xrefcount += (t2p->tiff_tiles[i].tiles_tilecount - 1) * 2;
+ TIFFGetField(input, TIFFTAG_TILEWIDTH,
+ &(t2p->tiff_tiles[i].tiles_tilewidth));
++ if (t2p->tiff_tiles[i].tiles_tilewidth < 1)
++ {
++ TIFFError(TIFF2PDF_MODULE, "Invalid tile width (%d), %s",
++ t2p->tiff_tiles[i].tiles_tilewidth,
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ TIFFGetField(input, TIFFTAG_TILELENGTH,
+ &(t2p->tiff_tiles[i].tiles_tilelength));
++ if (t2p->tiff_tiles[i].tiles_tilelength < 1)
++ {
++ TIFFError(TIFF2PDF_MODULE, "Invalid tile length (%d), %s",
++ t2p->tiff_tiles[i].tiles_tilelength,
++ TIFFFileName(input));
++ t2p->t2p_error = T2P_ERR_ERROR;
++ return;
++ }
+ t2p->tiff_tiles[i].tiles_tiles = (T2P_TILE *)_TIFFmalloc(
+ TIFFSafeMultiply(tmsize_t, t2p->tiff_tiles[i].tiles_tilecount,
+ sizeof(T2P_TILE)));
diff -Nru tiff-4.7.0/debian/patches/CVE-2025-8961.patch tiff-4.7.0/debian/patches/CVE-2025-8961.patch
--- tiff-4.7.0/debian/patches/CVE-2025-8961.patch 1970-01-01 00:00:00.000000000 +0000
+++
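Review bot: The two guards added to t2p_read_tiff_init() in tools/tiff2pdf.c test the stored tile width and length but still ignore the return value of `TIFFGetField()`, so a file without the tag is judged on whatever the field held before the call; whether that is reliably zero depends on how `tiff_tiles` was initialised, which is outside the hunk. Folding the call into the condition, `if (!TIFFGetField(input, TIFFTAG_TILEWIDTH, &(t2p->tiff_tiles[i].tiles_tilewidth)) || t2p->tiff_tiles[i].tiles_tilewidth < 1)`, and the same for TIFFTAG_TILELENGTH, would make the rejection explicit. The check also only rejects zero: no upper bound relative to the image dimensions is enforced here, so later size arithmetic still has to rely on its own overflow checks such as the `TIFFSafeMultiply` visible in the context. If these fields are the unsigned 32-bit values libtiff documents for the tile tags, `%d` in both messages should be `%" PRIu32 "`.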
tiff-4.7.0/debian/patches/CVE-2025-8961.patch 2025-09-19 14:37:55.000000000 +0000 
@@ -0,0 +1,64 @@
+From 0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5 Mon Sep 17 00:00:00 2001
+From: Lee Howard
+Date: Fri, 5 Sep 2025 21:42:35 +0000
+Subject: [PATCH] tiffcrop: fix double-free and memory leak exposed by issue
+ #721
+
+--- tiff-4.7.0.orig/tools/tiffcrop.c
++++ tiff-4.7.0/tools/tiffcrop.c
+@@ -1072,6 +1072,7 @@ static int readContigTilesIntoBuffer(TIF
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1086,6 +1087,7 @@ static int readContigTilesIntoBuffer(TIF
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1098,6 +1100,7 @@ static int readContigTilesIntoBuffer(TIF
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1110,6 +1113,7 @@ static int readContigTilesIntoBuffer(TIF
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+@@ -1124,12 +1128,14 @@ static int readContigTilesIntoBuffer(TIF
+ "Unable to extract row %" PRIu32
+ " from tile %" PRIu32,
+ row, TIFFCurrentTile(in));
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ break;
+ default:
+ TIFFError("readContigTilesIntoBuffer",
+ "Unsupported bit depth %" PRIu16, bps);
++ _TIFFfree(tilebuf);
+ return 1;
+ }
+ }
+@@ -2901,7 +2907,7 @@ int main(int argc, char *argv[])
+ }
+
+ /* If we did not use the read buffer as the crop buffer */
+- if (read_buff)
++ if (read_buff && read_buff != crop_buff)
+ _TIFFfree(read_buff);
+
+ if (crop_buff)
diff -Nru tiff-4.7.0/debian/patches/CVE-2025-9165.patch tiff-4.7.0/debian/patches/CVE-2025-9165.patch
--- tiff-4.7.0/debian/patches/CVE-2025-9165.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.7.0/debian/patches/CVE-2025-9165.patch 2025-09-21 15:34:36.000000000 +0000
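Review bot: The leak fix in readContigTilesIntoBuffer() repeats `_TIFFfree(tilebuf);` before six separate `return 1;` statements, which is the pattern that produced the leak in the first place: any error exit added later, or any existing one outside these hunks, has to remember the same line. A single exit path would be more robust, e.g. replacing each pair with `status = 1; goto done;` and ending the function with `done: _TIFFfree(tilebuf); return status;` (the function's start and end are outside the hunks, so the existing success path needs checking against that). In main(), the new test `read_buff != crop_buff` prevents the second free, but both variables keep their values afterwards; a short comment saying which pointer owns the allocation when they alias, and setting each to NULL after `_TIFFfree`, would keep later cleanup code from reintroducing the double free.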
@@ -0,0 +1,28 @@
+From ed141286a37f6e5ddafb5069347ff5d587e7a4e0 Mon Sep 17 00:00:00 2001
+From: Su_Laus
+Date: Fri, 8 Aug 2025 21:35:30 +0200
+Subject: [PATCH] tiffcmp: fix memory leak when second file cannot be opened.
+
+Closes #728, #729
+---
+ tools/tiffcmp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tools/tiffcmp.c b/tools/tiffcmp.c
+index 529c1cdc7..88d9470f5 100644
+--- a/tools/tiffcmp.c
++++ b/tools/tiffcmp.c
+@@ -105,7 +105,10 @@ int main(int argc, char *argv[])
+ return (2);
+ tif2 = TIFFOpen(argv[optind + 1], "r");
+ if (tif2 == NULL)
++ {
++ TIFFClose(tif1);
+ return (2);
++ }
+ dirnum = 0;
+ while (tiffcmp(tif1, tif2))
+ {
+--
+GitLab
+
diff -Nru tiff-4.7.0/debian/patches/CVE-2025-9900.patch tiff-4.7.0/debian/patches/CVE-2025-9900.patch
--- tiff-4.7.0/debian/patches/CVE-2025-9900.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.7.0/debian/patches/CVE-2025-9900.patch 2025-09-27 15:34:05.000000000 +0000
@@ -0,0 +1,42 @@
+From 3e0dcf0ec651638b2bd849b2e6f3124b36890d99 Mon Sep 17 00:00:00 2001
+From: Su Laus
+Date: Wed, 11 Jun 2025 19:45:19 +0000
+Subject: [PATCH] tif_getimage.c: Fix buffer underflow crash for less raster
+ rows at TIFFReadRGBAImageOriented()
+
+--- tiff-4.7.0.orig/libtiff/tif_getimage.c
++++ tiff-4.7.0/libtiff/tif_getimage.c
+@@ -600,6 +600,22 @@ int TIFFRGBAImageGet(TIFFRGBAImage *img,
+ "No \"put\" routine setupl; probably can not handle image format");
+ return (0);
+ }
++ /* Verify raster width and height against image width and height. */
++ if (h > img->height)
++ {
++ /* Adapt parameters to read only available lines and put image at
++ * the bottom of the raster. */
++ raster += (size_t)(h - img->height) * w;
++ h = img->height;
++ }
++ if (w > img->width)
++ {
++ TIFFWarningExtR(img->tif, TIFFFileName(img->tif),
++ "Raster width of %d shall not be larger than image "
++ "width of %d -> raster width adapted for reading",
++ w, img->width);
++ w = img->width;
++ }
+ return (*img->get)(img, raster, w, h);
+ }
+
+@@ -617,9 +633,7 @@ int TIFFReadRGBAImageOriented(TIFF *tif,
+ if (TIFFRGBAImageOK(tif, emsg) && TIFFRGBAImageBegin(&img, tif, stop, emsg))
+ {
+ img.req_orientation = (uint16_t)orientation;
+- /* XXX verify rwidth and rheight against width and height */
+- ok = TIFFRGBAImageGet(&img, raster + (rheight - img.height) * rwidth,
+- rwidth, img.height);
++ ok = TIFFRGBAImageGet(&img, raster, rwidth, rheight);
+ TIFFRGBAImageEnd(&img);
+ }
+ else
diff -Nru tiff-4.7.0/debian/patches/series tiff-4.7.0/debian/patches/series
--- tiff-4.7.0/debian/patches/series 2025-03-27 17:15:28.000000000 +0000
+++ tiff-4.7.0/debian/patches/series 2025-09-27 15:33:54.000000000 +0000
@@ -1 +1,5 @@
 fix-test_directory.patch
+CVE-2024-13978.patch
+CVE-2025-8961.patch
+CVE-2025-9165.patch
+CVE-2025-9900.patch
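Review bot: In the block added to TIFFRGBAImageGet(), the row offset `raster += (size_t)(h - img->height) * w;` treats the caller's `w` as the row stride, while the width branch that follows passes the reduced `w = img->width` on to `img->get`, so the two adjustments describe the same buffer with two different widths. If the get routines use `w` as the raster row length (not visible in this hunk), a raster wider than the image is filled with rows packed at the image width: nothing is written past the buffer, but the rows do not line up with the layout the caller allocated. That deserves a comment at the clamp, e.g. `/* offset above uses the caller's stride; w is clamped only afterwards */`, and a sentence in the documentation of this public function that both dimensions may be reduced. The height branch adjusts silently while the width branch warns, and the warning prints `w` and `img->width` with `%d`, which only matches if they are signed int. On targets where size_t is 32 bits the product in the offset can wrap, so a bound on `h` and `w` before the multiplication would be worth adding.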