Security update for tiff SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02771-1 Final 1 1 2025-08-12T13:50:53Z current 2025-08-12T13:50:53Z 2025-08-12T13:50:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tiff This update for tiff fixes the following issues: - CVE-2025-8176: Fixed heap use-after-free in tools/tiffmedian.c (bsc#1247108) - CVE-2025-8177: Fixed possible buffer overflow in tools/thumbnail.c:setrow() when processing malformed TIFF files (bsc#1247106) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2771,SUSE-SLE-SERVER-12-SP5-LTSS-2025-2771,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2771 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502771-1/ Link for SUSE-SU-2025:02771-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041171.html E-Mail link for SUSE-SU-2025:02771-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1247106 SUSE Bug 1247106 https://bugzilla.suse.com/1247108 SUSE Bug 1247108 https://www.suse.com/security/cve/CVE-2025-8176/ SUSE CVE CVE-2025-8176 page https://www.suse.com/security/cve/CVE-2025-8177/ SUSE CVE CVE-2025-8177 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libtiff-devel-4.0.9-44.89.1 libtiff-devel-32bit-4.0.9-44.89.1 libtiff-devel-64bit-4.0.9-44.89.1 libtiff5-4.0.9-44.89.1 libtiff5-32bit-4.0.9-44.89.1 libtiff5-64bit-4.0.9-44.89.1 tiff-4.0.9-44.89.1 libtiff-devel-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libtiff5-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libtiff5-32bit-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS tiff-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS libtiff-devel-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libtiff5-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 libtiff5-32bit-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tiff-4.0.9-44.89.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue. CVE-2025-8176 SUSE Linux Enterprise Server 12 SP5-LTSS:libtiff-devel-4.0.9-44.89.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libtiff5-32bit-4.0.9-44.89.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libtiff5-4.0.9-44.89.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tiff-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libtiff-devel-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libtiff5-32bit-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libtiff5-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tiff-4.0.9-44.89.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502771-1/ https://www.suse.com/security/cve/CVE-2025-8176.html CVE-2025-8176 https://bugzilla.suse.com/1247108 SUSE Bug 1247108 A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer. CVE-2025-8177 SUSE Linux Enterprise Server 12 SP5-LTSS:libtiff-devel-4.0.9-44.89.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libtiff5-32bit-4.0.9-44.89.1 SUSE Linux Enterprise Server 12 SP5-LTSS:libtiff5-4.0.9-44.89.1 SUSE Linux Enterprise Server 12 SP5-LTSS:tiff-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libtiff-devel-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libtiff5-32bit-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:libtiff5-4.0.9-44.89.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tiff-4.0.9-44.89.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502771-1/ https://www.suse.com/security/cve/CVE-2025-8177.html CVE-2025-8177 https://bugzilla.suse.com/1247106 SUSE Bug 1247106