Your message dated Fri, 03 Jul 2026 16:22:47 +0000
with message-id <[email protected]>
and subject line Bug#1141320: fixed in tiff 4.7.2-1
has caused the Debian Bug report #1141320,
regarding tiff: CVE-2026-12912
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141320: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141320
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tiff
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for tiff.

CVE-2026-12912[0]:
| A flaw was found in libtiff. A remote attacker could exploit this
| vulnerability by providing a specially crafted PixarLog-compressed
| TIFF image. This issue occurs when decoding Pixarlog codec images
| with the PIXARLOGDATAFMT_8BITABGR output format and a specific
| stride value, leading to a heap-based buffer overflow. This could
| potentially result in arbitrary code execution or a denial of
| service (DoS).

https://gitlab.com/libtiff/libtiff/-/work_items/824
https://gitlab.com/libtiff/libtiff/-/merge_requests/873
https://gitlab.com/libtiff/libtiff/-/commit/ba2b04b114c5dd945107ccc613cedfcca3af73bb
 (v4.7.2rc2)
https://gitlab.com/libtiff/libtiff/-/commit/51fa6dfe93f20da0d38f079fbc61c7c960bcbc16
 (v4.7.2rc2)

https://gitlab.com/libtiff/libtiff/-/work_items/828
https://gitlab.com/libtiff/libtiff/-/merge_requests/883
https://gitlab.com/libtiff/libtiff/-/commit/f9bda11bf2fc819b971517582666d56f18b1bc3f
 (v4.7.2rc2)
https://gitlab.com/libtiff/libtiff/-/commit/90601d9a23382d98f3695ec14441145c37a77574
 (v4.7.2rc2)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12912
    https://www.cve.org/CVERecord?id=CVE-2026-12912

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.7.2-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Jul 2026 16:47:16 +0200
Source: tiff
Architecture: source
Version: 4.7.2-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1141320
Changes:
 tiff (4.7.2-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2026-12912: heap buffer-overflow in PixarLogDecode()
       (closes: #1141320).
   * Update libtiff6 symbols.
Checksums-Sha1:
 fbe722d3eedd056c635174608ebbf8c1191d9a4f 2262 tiff_4.7.2-1.dsc
 9f8282e8c7a411d6b9acb0b9e24c453ae157b522 2250440 tiff_4.7.2.orig.tar.bz2
 ae05a47a2f40b6e268eb2f0e9e15673297bd601c 22532 tiff_4.7.2-1.debian.tar.xz
Checksums-Sha256:
 26ce045ca8ffdb562ff2978834f79f067a552e95276deba1dc686aaffd580ad3 2262 
tiff_4.7.2-1.dsc
 c5086d8f7c5ba51ca98241f24a8bd1cb66218c399077aeccbf6a236cf3152acc 2250440 
tiff_4.7.2.orig.tar.bz2
 7b71ad0b032022ec533171cad96c7823845d3c09254f1c073f03853801ca1c80 22532 
tiff_4.7.2-1.debian.tar.xz
Files:
 09106a93f648d02a8be1e166d006f5d0 2262 libs optional tiff_4.7.2-1.dsc
 0583ebcf555533106a0f50b3a6b92833 2250440 libs optional tiff_4.7.2.orig.tar.bz2
 02cccf5ff5dda385b242993fb90fc56e 22532 libs optional tiff_4.7.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAmpH2RIACgkQ3OMQ54ZM
yL+T5Q//ae6eGPRL6o6G4eGWIub/px/6GKQd1tOKz5vdKZSDg2F3Uf5kKaMF5P/0
s21T6xFr27bOuG587CNQHx/ugAzwWM9+oJVZMCmnyXMs/eSv0xq+fHHxsIeMdf/v
mV1b95vaSg50AIRvr7WTiO6YhZleLHOKpybHMueGy5KCf3tBTpnTKvSOE/lVAlRa
2S+13mGCMHXTUMo1XHz5AN9Dhw4MnY8o/vGmNxonz2yaRHaHQg0noHUZh2HADEz8
EchezdnpvDMGzU60ZHRl8bJ3ObhUDlgiiKyDBrfnYaztuLdyXncnBo8wbJnT9GDl
G1BtUSmgvGdA/z0HLd/rSsQTerUcQsOgq6V+vMfMnjaRKl9WPxZdEtSITtBFwiE8
A2ZnA9gM7u4Zm++rAFJDdSoWIbW6VRd/jOwZQ3dquxnA8KxHTnTFA05o33zab+mz
QQefTuDGSgB+WAyyDwyZVwToEbpO99Yp3AcRpudO4tXBHwnHGUKbnkK+18+8XhKg
wwwCtPVKDFGVRJ9Hk9BTO/HUMF+TevjT0VMe8bymI/n/wVRlt0gzmB06ZNNImqsu
yXuoiG7oCAvIcGvSo8Uryn6NcdEAYU6xEpBTVki/ySe2LF0PVbYKmkoqcejG5wo1
IECOZwe6f8Une7RzAPG+yE2FIn3WxKO/I4joKq1W56kNXjA+0Ps=
=OF/l
-----END PGP SIGNATURE-----

Attachment: pgpG7K4D0ePJ7.pgp
Description: PGP signature


--- End Message ---

Reply via email to