-------------------------------------------------------------------------
Debian LTS Advisory DLA-3758-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Abhijith PA
March 11, 2024                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : tiff
Version        : 4.1.0+git191117-2~deb10u9
CVE ID         : CVE-2023-3576 CVE-2023-52356

Two vulnerabilities were discovered in tiff, the Tag Image File Format
library.

CVE-2023-3576

    A memory leak flaw was found in libtiff's tiffcrop utility. The leak
    occurs when tiffcrop operates on a crafted TIFF image file: an attacker
    who can pass such a file to the tiffcrop utility triggers the leak,
    resulting in an application crash and eventually a denial of service.

CVE-2023-52356

    A segmentation fault (SEGV) flaw was found in libtiff that can be
    triggered by passing a crafted TIFF file to the TIFFReadRGBATileExt()
    API. This flaw allows a remote attacker to cause a heap-buffer
    overflow, leading to a denial of service.

For Debian 10 buster, these problems have been fixed in version
4.1.0+git191117-2~deb10u9.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
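As an added example (not part of the advisory or of Debian's tooling), a Python check that compares an installed tiff version string against the fixed version named above, implementing the Debian version ordering (epoch, upstream version, revision; tilde sorts before anything; digit runs compare numerically) so that suffixes such as `~deb10u9` and counters beyond one digit compare the way dpkg compares them:

```python
import re
from itertools import zip_longest

# Fixed version named in DLA-3758-1 for Debian 10 buster.
FIXED_VERSION = "4.1.0+git191117-2~deb10u9"

def _order(c):
    # Debian Policy 5.6.12 weights: '~' sorts before anything (even end of
    # string), letters before non-letters; digits and end-of-string weigh 0.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else 0 if not c or c.isdigit() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate non-digit runs (modified lexical order) and digit runs
    # (numeric), the same way dpkg walks an upstream_version or revision.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream_version[-debian_revision]; the last '-' starts the revision.
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1 with the same ordering as `dpkg --compare-versions`.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_fixed(installed, fixed=FIXED_VERSION):
    # True when the installed tiff version already carries the DLA-3758-1 fix.
    return compare_versions(installed, fixed) >= 0
```

Feed `is_fixed()` the output of `dpkg-query -W -f='${Version}' libtiff5` (libtiff5 being one of the binary packages built from the tiff source package on buster); a plain string comparison would wrongly rank a future `~deb10u10` below `~deb10u9`.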