[SECURITY] [DSA 6023-1] tiff security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6023-1] tiff security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 10 Oct 2025 18:47:04 +0000
Message-id: <[🔎] aOlUqExDJVEjLWiT@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6023-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 10, 2025                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2025-9900

It was discovered that missing input sanitising in the libtiff library
could result in denial of service or potentially the execution of
arbitrary code if malformed image files are processed.

For the oldstable distribution (bookworm), this problem has been fixed
in version 4.5.0-6+deb12u3.

For the stable distribution (trixie), this problem has been fixed in
version 4.7.0-3+deb13u1.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tiff

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmjpVGMACgkQEMKTtsN8
TjYsNQ/+JAb8jRMA8nNw65Yu0wTjItQNHW84HkRoZh0a2ShH+4VU//8pWhorry4O
hviqderdnuMnJv7dVwO44E07LdVZww5PdOr2dvU8ica0KGD4h5GuEeCmhoRhcltK
x3cyTPXdqOaXTC54qaq4GskDBNRJiKbZXksIQQn0AiFQtN7lVvHIPGGMpYYK6sBM
bAAl0Hs84M3N4slkDMTcnlv2eF/KL5nWI8HsyI2p7CViI2oo5CkkL14K3cX6n+Oi
9Cdz6aoUhR/H8uou/yXAnVleyipFOMmTLAEGvYB7e16euEcyiuZhWWym2X1x7yjU
lB5lNRFoOar+fPSuXxofLNe3RK18GK3HKoNcJqoZPITRLwZMv80IGRDgLuzqVI+1
ZGXkp9ZpLk7A8+cdDQSzWGhN5vWWi3MLqt7s0EhqJNI+lLDTLQCdzB2Ca4msLlIJ
k/ouNAtaw28NzFX2JV6cwWEtot/Qzj/LikaQisp1+GMiXiCGE7JZgY7NmepBytw3
7IEK5MFQ6hFDGFXBC6f4omX75oBubEbd+uQvIl/+oJnlR7uCuOj/vsyxIcv88iUn
5ihr4H+sC1Fgtp3dXxwTJybuwCvoiy9X2LTKsTvIkLmrzkL325fZzr+mrw33FkQG
NKmU8+9fcmpvOBUDq1HsAa3qWYTnvVpr9YL97+De6gyvNd+Ak7s=
=1gMt
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6022-1] valkey security update
Next by Date: [SECURITY] [DSA 6024-1] ghostscript security update
Previous by thread: [SECURITY] [DSA 6022-1] valkey security update
Next by thread: [SECURITY] [DSA 6024-1] ghostscript security update
Index(es):
- Date
- Thread