Your message dated Sun, 24 Aug 2025 11:23:49 +0000
with message-id <[email protected]>
and subject line Bug#1111323: fixed in tiff 4.7.0-4
has caused the Debian Bug report #1111323,
regarding tiff: CVE-2024-13978
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111323
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiff
Version: 4.7.0-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for tiff.
CVE-2024-13978[0]:
| A vulnerability was found in LibTIFF up to 4.7.0. It has been
| declared as problematic. Affected by this vulnerability is the
| function t2p_read_tiff_init of the file tools/tiff2pdf.c of the
| component fax2ps. The manipulation leads to null pointer
| dereference. The attack needs to be approached locally. The
| complexity of an attack is rather high. The exploitation appears to
| be difficult. The patch is named
| 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply
| a patch to fix this issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-13978
https://www.cve.org/CVERecord?id=CVE-2024-13978
[1] https://gitlab.com/libtiff/libtiff/-/issues/649
[2] https://gitlab.com/libtiff/libtiff/-/issues/650
[3] https://gitlab.com/libtiff/libtiff/-/merge_requests/667
[4] https://gitlab.com/libtiff/libtiff/-/commit/7be20ccaab97455f192de0ac561ceda7cd9e12d1
[5] https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.7.0-4
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 24 Aug 2025 11:28:17 +0200
Source: tiff
Architecture: source
Version: 4.7.0-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1111323 1111878
Changes:
tiff (4.7.0-4) unstable; urgency=high
.
* Backport security fix for CVE-2025-9165, tiffcmp memory leak when second
file cannot be opened (closes: #1111878).
* Backport security fix for CVE-2024-13978, potential division-by-zero in
the tiff2pdf tool (closes: #1111323).
* Fix fax2ps regression where TIFFTAG_FAXFILLFUNC is being used rather than
an output buffer.
Checksums-Sha1:
931c5212bf48f7de95c551bbd75a2ed86fefa572 2255 tiff_4.7.0-4.dsc
72f25ea7941997b5b081f582cc0a207b552d2427 25572 tiff_4.7.0-4.debian.tar.xz
Checksums-Sha256:
9e0e4bf74a2a9bb336380d5aedab154904842408aca5a585c69d4e6f975d4d62 2255 tiff_4.7.0-4.dsc
e5fc06518bafea2b271fade4089aa399c57c9750a06d7f0f1646db0342b9be90 25572 tiff_4.7.0-4.debian.tar.xz
Files:
5c4e00d12a3f701c5eede414c84f377c 2255 libs optional tiff_4.7.0-4.dsc
62059b5ee1730c19c367cb3113b9e983 25572 libs optional tiff_4.7.0-4.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---