Security update for tiff SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:0753-1 Final 1 1 2025-02-28T16:30:36Z current 2025-02-28T16:30:36Z 2025-02-28T16:30:36Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tiff This update for tiff fixes the following issues: - CVE-2023-25435: Heap-buffer-overflow in extractContigSamplesShifted8bits() in tiffcrop.c (bsc#1212607). - CVE-2023-52356: Segment fault in libtiff in TIFFReadRGBATileExt() leading to denial of service (bsc#1219213). Other bugfixes: - Fixed tiff build issue on s390x as test 12 test_directory fails (bsc#1236834). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/open-webui:0-2025-753,SUSE-2025-753,SUSE-SLE-Module-Basesystem-15-SP6-2025-753,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-753,openSUSE-SLE-15.6-2025-753 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-20250753-1/ Link for SUSE-SU-2025:0753-1 https://lists.suse.com/pipermail/sle-security-updates/2025-February/020463.html E-Mail link for SUSE-SU-2025:0753-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1212607 SUSE Bug 1212607 https://bugzilla.suse.com/1219213 SUSE Bug 1219213 https://bugzilla.suse.com/1236834 SUSE Bug 1236834 https://www.suse.com/security/cve/CVE-2023-25435/ SUSE CVE CVE-2023-25435 page https://www.suse.com/security/cve/CVE-2023-52356/ SUSE CVE CVE-2023-52356 page Container containers/open-webui:0 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP6 openSUSE Leap 15.6 libtiff6-4.7.0-150600.3.8.1 libtiff-devel-4.7.0-150600.3.8.1 libtiff-devel-32bit-4.7.0-150600.3.8.1 libtiff-devel-64bit-4.7.0-150600.3.8.1 libtiff-devel-docs-4.7.0-150600.3.8.1 libtiff6-32bit-4.7.0-150600.3.8.1 libtiff6-64bit-4.7.0-150600.3.8.1 tiff-4.7.0-150600.3.8.1 tiff-docs-4.7.0-150600.3.8.1 libtiff6-4.7.0-150600.3.8.1 as a component of Container containers/open-webui:0 libtiff-devel-4.7.0-150600.3.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libtiff6-4.7.0-150600.3.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 libtiff6-32bit-4.7.0-150600.3.8.1 as a component of SUSE Linux Enterprise Module for Basesystem 15 SP6 tiff-4.7.0-150600.3.8.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 libtiff-devel-4.7.0-150600.3.8.1 as a component of openSUSE Leap 15.6 libtiff-devel-32bit-4.7.0-150600.3.8.1 as a component of openSUSE Leap 15.6 libtiff6-4.7.0-150600.3.8.1 as a component of openSUSE Leap 15.6 libtiff6-32bit-4.7.0-150600.3.8.1 as a component of openSUSE Leap 15.6 tiff-4.7.0-150600.3.8.1 as a component of openSUSE Leap 15.6 libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSamplesShifted8bits() at /libtiff/tools/tiffcrop.c:3753. CVE-2023-25435 Container containers/open-webui:0:libtiff6-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff-devel-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-32bit-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:tiff-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff-devel-32bit-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff-devel-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff6-32bit-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff6-4.7.0-150600.3.8.1 openSUSE Leap 15.6:tiff-4.7.0-150600.3.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250753-1/ https://www.suse.com/security/cve/CVE-2023-25435.html CVE-2023-25435 https://bugzilla.suse.com/1212607 SUSE Bug 1212607 A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. CVE-2023-52356 Container containers/open-webui:0:libtiff6-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff-devel-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-32bit-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Basesystem 15 SP6:libtiff6-4.7.0-150600.3.8.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:tiff-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff-devel-32bit-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff-devel-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff6-32bit-4.7.0-150600.3.8.1 openSUSE Leap 15.6:libtiff6-4.7.0-150600.3.8.1 openSUSE Leap 15.6:tiff-4.7.0-150600.3.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-20250753-1/ https://www.suse.com/security/cve/CVE-2023-52356.html CVE-2023-52356 https://bugzilla.suse.com/1219213 SUSE Bug 1219213