Version in base suite: 4.7.0-3+deb13u1 Base version: tiff_4.7.0-3+deb13u1 Target version: tiff_4.7.0-3+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/t/tiff/tiff_4.7.0-3+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/t/tiff/tiff_4.7.0-3+deb13u2.dsc changelog | 6 ++++++ patches/CVE-2026-4775.patch | 44 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 51 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp8jtslp0e/tiff_4.7.0-3+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp8jtslp0e/tiff_4.7.0-3+deb13u2.dsc: no acceptable signature found
diff -Nru tiff-4.7.0/debian/changelog tiff-4.7.0/debian/changelog
--- tiff-4.7.0/debian/changelog 2025-09-27 15:34:45.000000000 +0000
+++ tiff-4.7.0/debian/changelog 2026-04-06 22:05:59.000000000 +0000
@@ -1,3 +1,9 @@
+tiff (4.7.0-3+deb13u2) trixie-security; urgency=medium
+
+ * CVE-2026-4775 (Closes: #1132632)
+
+ -- Moritz Mühlenhoff Tue, 07 Apr 2026 00:05:59 +0200
+
 tiff (4.7.0-3+deb13u1) trixie-security; urgency=medium
 * CVE-2024-13978 (Closes: #1111323)
diff -Nru tiff-4.7.0/debian/patches/CVE-2026-4775.patch tiff-4.7.0/debian/patches/CVE-2026-4775.patch
--- tiff-4.7.0/debian/patches/CVE-2026-4775.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.7.0/debian/patches/CVE-2026-4775.patch 2026-04-06 22:05:59.000000000 +0000
@@ -0,0 +1,44 @@
+From 782a11d6b5b61c6dc21e714950a4af5bf89f023c Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Sun, 22 Feb 2026 23:32:47 +0100
+Subject: [PATCH] TIFFReadRGBAImage(): prevent integer overflow and later heap
+ overflow on images with huge width in YCbCr tile decoding functions
+
+--- tiff-4.7.0.orig/libtiff/tif_getimage.c
++++ tiff-4.7.0/libtiff/tif_getimage.c
+@@ -2105,7 +2105,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ uint32_t *cp1 = cp + w + toskew;
+ uint32_t *cp2 = cp1 + w + toskew;
+ uint32_t *cp3 = cp2 + w + toskew;
+- int32_t incr = 3 * w + 4 * toskew;
++ const tmsize_t incr = 3 * (tmsize_t)w + 4 * (tmsize_t)toskew;
+
+ (void)y;
+ /* adjust fromskew */
+@@ -2245,7 +2245,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr42tile)
+ {
+ uint32_t *cp1 = cp + w + toskew;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+
+ (void)y;
+ fromskew = (fromskew / 4) * (4 * 2 + 2);
+@@ -2401,7 +2401,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr4
+ DECLAREContigPutFunc(putcontig8bitYCbCr22tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 2) * (2 * 2 + 2);
+ cp2 = cp + w + toskew;
+@@ -2504,7 +2504,7 @@ DECLAREContigPutFunc(putcontig8bitYCbCr2
+ DECLAREContigPutFunc(putcontig8bitYCbCr12tile)
+ {
+ uint32_t *cp2;
+- int32_t incr = 2 * toskew + w;
++ const tmsize_t incr = 2 * (tmsize_t)toskew + w;
+ (void)y;
+ fromskew = (fromskew / 1) * (1 * 2 + 2);
+ cp2 = cp + w + toskew;
diff -Nru tiff-4.7.0/debian/patches/series tiff-4.7.0/debian/patches/series
--- tiff-4.7.0/debian/patches/series 2025-09-27 15:33:54.000000000 +0000
+++ tiff-4.7.0/debian/patches/series 2026-04-06 22:05:59.000000000 +0000
@@ -3,3 +3,4 @@
 CVE-2025-8961.patch
 CVE-2025-9165.patch
 CVE-2025-9900.patch
+CVE-2026-4775.patch
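Review bot: The widened `incr` in the four YCbCr tile put functions only removes the overflow where `tmsize_t` is wider than the `int32_t` it replaces; on a 32-bit build, where `tmsize_t` is itself 32 bits, `3 * (tmsize_t)w + 4 * (tmsize_t)toskew` can presumably still wrap for a huge width, so the backport appears to rely on the caller bounding `w` before these functions run and it is worth confirming that bound exists in the 4.7.0 tree. Only the declaration of `incr` is inside each hunk; the statements that step `cp` by it lie outside, so whether every use now carries the wider type cannot be checked from this diff, and the enclosing functions start and end outside the hunks. The backported patch file also carries no DEP-3 headers; adding `Origin: upstream, <UPSTREAM_COMMIT_URL>` and `Bug-Debian: https://bugs.debian.org/1132632` above the `From 782a11d6…` line would record where the fix came from and which bug it closes.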