Security update for tiff SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02770-1 Final 1 1 2025-08-12T13:50:14Z current 2025-08-12T13:50:14Z 2025-08-12T13:50:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tiff This update for tiff fixes the following issues: - Updated TIFFMergeFieldInfo() with read_count=write_count=0 for FIELD_IGNORE (bsc#1243503) - CVE-2025-8176: Fixed heap use-after-free in tools/tiffmedian.c (bsc#1247108) - CVE-2025-8177: Fixed possible buffer overflow in tools/thumbnail.c:setrow() when processing malformed TIFF files (bsc#1247106) - Add -DCMAKE_POLICY_VERSION_MINIMUM=3.5 to fix FTBFS with cmake4 - Add %check section - Remove Group: declarations, no longer used The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/open-webui:0-2025-2770,Container suse/kiosk/firefox-esr:latest-2025-2770,Container suse/kiosk/xorg:latest-2025-2770,SUSE-2025-2770,SUSE-SLE-Module-Basesystem-15-SP6-2025-2770,SUSE-SLE-Module-Basesystem-15-SP7-2025-2770,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-2770,SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-2770,openSUSE-SLE-15.6-2025-2770 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502770-1/ Link for SUSE-SU-2025:02770-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041172.html E-Mail link for SUSE-SU-2025:02770-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1243503 SUSE Bug 1243503 https://bugzilla.suse.com/1247106 SUSE Bug 1247106 https://bugzilla.suse.com/1247108 SUSE Bug 1247108 https://www.suse.com/security/cve/CVE-2025-8176/ SUSE CVE CVE-2025-8176 page https://www.suse.com/security/cve/CVE-2025-8177/ SUSE CVE CVE-2025-8177 page Container containers/open-webui:0 Container suse/kiosk/firefox-esr:latest Container suse/kiosk/xorg:latest SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Module for Package Hub 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP7 openSUSE Leap 15.6 libtiff6-4.7.0-150600.3.13.1 libtiff-devel-4.7.0-150600.3.13.1 libtiff-devel-32bit-4.7.0-150600.3.13.1 libtiff-devel-64bit-4.7.0-150600.3.13.1 libtiff-devel-docs-4.7.0-150600.3.13.1 libtiff6-32bit-4.7.0-150600.3.13.1 libtiff6-64bit-4.7.0-150600.3.13.1 tiff-4.7.0-150600.3.13.1 tiff-docs-4.7.0-150600.3.13.1 libtiff6-4.7.0-150600.3.13.1 as a component of Container containers/open-webui:0 libtiff6-4.7.0-150600.3.13.1 as a component of Container suse/kiosk/firefox-esr:latest libtiff6-4.7.0-150600.3.13.1 as a component of Container suse/kiosk/xorg:latest libtiff-devel-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libtiff6-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libtiff6-32bit-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libtiff-devel-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libtiff6-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 libtiff6-32bit-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP7 tiff-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 tiff-4.7.0-150600.3.13.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP7 libtiff-devel-4.7.0-150600.3.13.1 as a component of openSUSE Leap 15.6 libtiff-devel-32bit-4.7.0-150600.3.13.1 as a component of openSUSE Leap 15.6 libtiff6-4.7.0-150600.3.13.1 as a component of openSUSE Leap 15.6 libtiff6-32bit-4.7.0-150600.3.13.1 as a component of openSUSE Leap 15.6 tiff-4.7.0-150600.3.13.1 as a component of openSUSE Leap 15.6 A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue. CVE-2025-8176 Container containers/open-webui:0:libtiff6-4.7.0-150600.3.13.1 Container suse/kiosk/firefox-esr:latest:libtiff6-4.7.0-150600.3.13.1 Container suse/kiosk/xorg:latest:libtiff6-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff-devel-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-32bit-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libtiff-devel-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libtiff6-32bit-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libtiff6-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:tiff-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:tiff-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff-devel-32bit-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff-devel-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff6-32bit-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff6-4.7.0-150600.3.13.1 openSUSE Leap 15.6:tiff-4.7.0-150600.3.13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502770-1/ https://www.suse.com/security/cve/CVE-2025-8176.html CVE-2025-8176 https://bugzilla.suse.com/1247108 SUSE Bug 1247108 A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer. CVE-2025-8177 Container containers/open-webui:0:libtiff6-4.7.0-150600.3.13.1 Container suse/kiosk/firefox-esr:latest:libtiff6-4.7.0-150600.3.13.1 Container suse/kiosk/xorg:latest:libtiff6-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff-devel-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-32bit-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libtiff-devel-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libtiff6-32bit-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Basesystem 15 SP7:libtiff6-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:tiff-4.7.0-150600.3.13.1 SUSE Linux Enterprise Module for Package Hub 15 SP7:tiff-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff-devel-32bit-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff-devel-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff6-32bit-4.7.0-150600.3.13.1 openSUSE Leap 15.6:libtiff6-4.7.0-150600.3.13.1 openSUSE Leap 15.6:tiff-4.7.0-150600.3.13.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502770-1/ https://www.suse.com/security/cve/CVE-2025-8177.html CVE-2025-8177 https://bugzilla.suse.com/1247106 SUSE Bug 1247106