Your message dated Thu, 18 Jun 2026 19:49:23 +0000
with message-id <[email protected]>
and subject line Bug#1140300: fixed in tiff 4.7.1-3
has caused the Debian Bug report #1140300,
regarding tiff: CVE-2026-36849
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140300: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140300
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiff
Version: 4.7.1-2
Severity: important
Tags: security upstream
Forwarded: https://gitlab.com/libtiff/libtiff/-/work_items/781
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for tiff.

CVE-2026-36849[0]:
| Denial of Service via large SamplesPerPixel tag


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-36849
    https://www.cve.org/CVERecord?id=CVE-2026-36849
[1] https://gitlab.com/libtiff/libtiff/-/work_items/781
[2] https://gitlab.com/libtiff/libtiff/-/commit/eedba405d3695b52faae65994c5904f228eca0bf
[3] https://www.openwall.com/lists/oss-security/2026/06/17/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.7.1-3
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 18 Jun 2026 19:44:21 +0200
Source: tiff
Architecture: source
Version: 4.7.1-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1086689 1140300
Changes:
 tiff (4.7.1-3) unstable; urgency=high
 .
   [ Laszlo Boszormenyi (GCS) ]
   * Backport security fix for CVE-2026-36849, denial of service via large
     SamplesPerPixel tag (closes: #1140300).
   * Update libtiff6 symbols.
 .
   [ Helmut Grohne <[email protected]> ]
   * Fix FTCBFS: Annotate sphinx dependency :native (closes: #1086689).
Checksums-Sha1:
 115273bf22c74210e8d9d0c336d7e1e04f1eb55d 2262 tiff_4.7.1-3.dsc
 62af53d712b6a699d3e21f7dc6b8414407466a0e 28052 tiff_4.7.1-3.debian.tar.xz
Checksums-Sha256:
 46d753c708645b5df240371ab877f5af3169f6df0a395fd8e8a17fbad19875ca 2262 tiff_4.7.1-3.dsc
 4619215f664cd3f08604e649da222d89d7f5a7ffa83c8b978dbe2d25bb7da1e1 28052 tiff_4.7.1-3.debian.tar.xz
Files:
 af4790bceb0cd9864111167c390e22e4 2262 libs optional tiff_4.7.1-3.dsc
 d97dded10ef227a671ae5323af1e9acc 28052 libs optional tiff_4.7.1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---