Debian 10228 Published by

A tiff security update has been released for Debian GNU/Linux 8 Extended LTS to address several issues.



ELA-569-1 tiff security update


Package tiff
Version 4.0.3-12.3+deb8u13
Related CVEs CVE-2022-0561 CVE-2022-0562 CVE-2022-22844

Several issues have been found in tiff, a library and tools to manipulate and convert files in the Tag Image File Format (TIFF).

CVE-2022-22844

out-of-bounds read in _TIFFmemcpy in certain situations involving a
custom tag and 0x0200 as the second word of the DE field.

CVE-2022-0562

Null source pointer passed as an argument to memcpy() function within
TIFFReadDirectory(). This could result in a Denial of Service via
crafted TIFF files.

CVE-2022-0561

Null source pointer passed as an argument to memcpy() function within
TIFFFetchStripThing(). This could result in a Denial of Service via
crafted TIFF files.
For Debian 8 jessie, these problems have been fixed in version 4.0.3-12.3+deb8u13.

We recommend that you upgrade your tiff packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-569-1 tiff security update