Public bug reported:

Scheduled-For: ubuntu-25.11
Ubuntu: 4.7.0-3ubuntu3
Debian Unstable: 4.7.1-1

A new release of tiff is available for merging from Debian Unstable.

If it turns out this needs a sync rather than a merge, please change the
tagging from ['dcr-merge'] to ['dcr-sync'], and (optionally) update the
title as desired.

If this merge pulls in a new upstream version, also consider adding an
entry to the resolute Release Notes:
https://discourse.ubuntu.com/t/resolute-raccoon-release-notes/

### New Debian Changes ###

tiff (4.7.1-1) unstable; urgency=medium

  * New upstream release.
  * Update libtiff6 symbols.

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Sun, 21 Sep 2025 14:39:50 +0200

tiff (4.7.0-5) unstable; urgency=high

  * Backport security fix for CVE-2025-8961, double free and memory leak in
    the tiffcrop tool (closes: #1111317).
  * Update watch file.
  * Update Standards-Version to 4.7.2 .

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Wed, 10 Sep 2025 16:53:31 +0200

tiff (4.7.0-4) unstable; urgency=high

  * Backport security fix for CVE-2025-9165, tiffcmp memory leak when second
    file cannot be opened (closes: #1111878).
  * Backport security fix for CVE-2024-13978, potential division-by-zero in
    the tiff2pdf tool (closes: #1111323).
  * Fix fax2ps regression where TIFFTAG_FAXFILLFUNC is being used rather
    than an output buffer.

 -- Laszlo Boszormenyi (GCS) <[email protected]>  Sun, 24 Aug 2025 11:28:17 +0200

### Old Ubuntu Delta ###

tiff (4.7.0-3ubuntu3) questing; urgency=medium

  * SECURITY UPDATE: Memory corruption.
    - debian/patches/CVE-2025-8961.patch: Add _TIFFfree and extra read_buff
      check in tools/tiffcrop.c.
    - CVE-2025-8961
  * SECURITY UPDATE: Memory leak.
    - debian/patches/CVE-2025-9165.patch: Add TIFFClose in tools/tiffcmp.c.
    - CVE-2025-9165
  * SECURITY UPDATE: Out of bounds write when processing specially crafted
    TIFF files.
    - debian/patches/CVE-2025-9900.patch: Add img->height and img->width
      checks in libtiff/tif_getimage.c.
    - CVE-2025-9900

 -- Hlib Korzhynskyy <[email protected]>  Mon, 29 Sep 2025 11:21:14 -0230

tiff (4.7.0-3ubuntu2) questing; urgency=medium

  * SECURITY UPDATE: null-pointer dereference
    - d/p/CVE-2024-13978.patch: fix in fax2ps caused by regression where
      TIFFTAG_FAXFILLFUNC is being used rather than an output buffer.
    - d/p/CVE-2025-8534.patch: tiff2ps: check return of TIFFGetFiled() to fix
    - CVE-2024-13978
    - CVE-2025-8534
  * SECURITY UPDATE: use-after-free issue
    - d/p/CVE-2025-8176.patch: fix heap use-after-free in tiffmedian
    - CVE-2025-8176

 -- Nishit Majithia <[email protected]>  Wed, 20 Aug 2025 15:42:44 +0530

tiff (4.7.0-3ubuntu1) questing; urgency=medium

  * Merge from Debian unstable. Remaining changes:
    - Don't build with LERC on i386 because it requires numpy
      (Closes: #1017958)

 -- Jeremy Bícha <[email protected]>  Wed, 30 Apr 2025 14:29:33 -0400

** Affects: tiff (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: dcr-merge

** Changed in: tiff (Ubuntu)
    Milestone: None => ubuntu-25.11

https://bugs.launchpad.net/bugs/2130087

Title:
  Merge tiff from Debian Unstable for resolute
