Security update for tiff

Announcement ID:	SUSE-SU-2025:21009-1
Release Date:	2025-11-19T09:40:24Z
Rating:	important
References:	bsc#1243503 bsc#1247106 bsc#1247108 bsc#1247581 bsc#1247582 bsc#1248117 bsc#1248330 bsc#1250413
Cross-References:	CVE-2024-13978 CVE-2025-8176 CVE-2025-8177 CVE-2025-8534 CVE-2025-8961 CVE-2025-9165 CVE-2025-9900
CVSS scores:	CVE-2024-13978 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVE-2024-13978 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2024-13978 ( NVD ): 2.0 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2024-13978 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-8176 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVE-2025-8176 ( SUSE ): 7.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L CVE-2025-8176 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-8176 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-8176 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2025-8177 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-8177 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2025-8177 ( NVD ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-8177 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVE-2025-8177 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-8534 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-8534 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-8534 ( NVD ): 1.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-8534 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-8961 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-8961 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2025-8961 ( NVD ): 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-8961 ( NVD ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-9165 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2025-9165 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-9165 ( NVD ): 1.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2025-9165 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2025-9900 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVE-2025-9900 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-9900 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP Applications 16.0

An update that solves seven vulnerabilities and has one fix can now be installed.

Description:

This update for tiff fixes the following issues:

tiff was updated to 4.7.1:

• Software configuration changes:

• Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h.

• CMake: define WORDS_BIGENDIAN via tif_config.h
• doc/CMakeLists.txt: remove useless cmake_minimum_required()
• CMake: fix build with LLVM/Clang 17 (fixes issue #651)
• CMake: set CMP0074 new policy
• Set LINKER_LANGUAGE for C targets with C deps
• Export tiffxx cmake target (fixes issue #674)
• autogen.sh: Enable verbose wget.
• configure.ac: Syntax updates for Autoconf 2.71
• autogen.sh: Re-implement based on autoreconf. Failure to update config.guess/config.sub does not return error (fixes issue #672)
• CMake: fix CMake 4.0 warning when minimum required version is < 3.10.
• CMake: Add build option tiff-static (fixes issue #709) Library changes:
• Add TIFFOpenOptionsSetWarnAboutUnknownTags() for explicit control about emitting warnings for unknown tags. No longer emit warnings about unknown tags by default

• tif_predict.c: speed-up decompression in some cases.

• Bug fixes:

• tif_fax3: For fax group 3 data if no EOL is detected, reading is retried without synchronisation for EOLs. (fixes issue #54)

• Updating TIFFMergeFieldInfo() with read_count=write_count=0 for FIELD_IGNORE. Updating TIFFMergeFieldInfo() with read_count=write_count=0 for FIELD_IGNORE. Improving handling when field_name = NULL. (fixes issue #532)
• tiff.h: add COMPRESSION_JXL_DNG_1_7=52546 as used for JPEGXL compression in the DNG 1.7 specification
• TIFFWriteDirectorySec: Increment string length for ASCII tags for codec tags defined with FIELD_xxx bits, as it is done for FIELD_CUSTOM tags. (fixes issue #648)
• Do not error out on a tag whose tag count value is zero, just issue a warning. Fix parsing a private tag 0x80a6 (fixes issue #647)
• TIFFDefaultTransferFunction(): give up beyond td_bitspersample = 24 Fixes https://github.com/OSGeo/gdal/issues/10875)
• tif_getimage.c: Remove unnecessary calls to TIFFRGBAImageOK() (fixes issue #175)
• Fix writing a Predictor=3 file with non-native endianness
• _TIFFVSetField(): fix potential use of unallocated memory (out-of-bounds
• read / nullptr dereference) in case of out-of-memory situation when dealing with custom tags (fixes issue #663)
• tif_fax3.c: Error out for CCITT fax encoding if SamplesPerPixel is not equal 1 and PlanarConfiguration = Contiguous (fixes issue #26)
• tif_fax3.c: error out after a number of times end-of-line or unexpected bad code words have been reached. (fixes issue #670)
• Fix memory leak in TIFFSetupStrips() (fixes issue #665)
• tif_zip.c: Provide zlib allocation functions. Otherwise for zlib built with -DZ_SOLO inflating will fail.
• Fix memory leak in _TIFFSetDefaultCompressionState. (fixes issue #676)
• tif_predict.c: Don’t overwrite input buffer of TIFFWriteScanline() if "prediction" is enabled. Use extra working buffer in PredictorEncodeRow(). (fixes issue #5)
• tif_getimage.c: update some integer overflow checks (fixes issue #79)
• tif_getimage.c: Fix buffer underflow crash for less raster rows at TIFFReadRGBAImageOriented() (fixes issue #704, bsc#1250413, CVE-2025-9900)
• TIFFReadRGBAImage(): several fixes to avoid buffer overflows.
• Correct passing arguments to TIFFCvtIEEEFloatToNative() and TIFFCvtIEEEDoubleToNative() if HAVE_IEEEFP is not defined. (fixes issue #699)
• LZWDecode(): avoid nullptr dereference when trying to read again after EOI marker has been found with remaining output bytes (fixes issue #698)
• TIFFSetSubDirectory(): check _TIFFCheckDirNumberAndOffset() return.
• TIFFUnlinkDirectory() and TIFFWriteDirectorySec(): clear tif_rawcp when clearing tif_rawdata (fixes issue #711)
• JPEGEncodeRaw(): error out if a previous scanline failed to be written, to avoid out-of-bounds access (fixes issue #714)
• tif_jpeg: Fix bug in JPEGDecodeRaw() if JPEG_LIB_MK1_OR_12BIT is defined for 8/12bit dual mode, introduced in libjpeg-turbo 2.2, which was actually released as 3.0. Fixes issue #717
• add assert for TIFFReadCustomDirectory infoarray check.
• ppm2tiff: Fix bug in pack_words trailing bytes, where last two bytes of each line were written wrongly. (fixes issue #467)
• fax2ps: fix regression of commit 28c38d648b64a66c3218778c4745225fe3e3a06d where TIFFTAG_FAXFILLFUNC is being used rather than an output buffer (fixes issue #649)
• tiff2pdf: Check TIFFTAG_TILELENGTH and TIFFTAGTILEWIDTH (fixes issue #650)
• tiff2pdf: check h_samp and v_samp for range 1 to 4 to avoid division by zero. Fixes issue #654
• tiff2pdf: avoid null pointer dereference. (fixes issue #741)
• Improve non-secure integer overflow check (comparison of division result with multiplicant) at compiler optimisation in tiffcp, rgb2ycbcr and tiff2rgba. Fixes issue #546
• tiff2rgba: fix some "a partial expression can generate an overflow before it is assigned to a broader type" warnings. (fixes issue #682)
• tiffdither/tiffmedian: Don't skip the first line of the input image. (fixes issue #703)
• tiffdither: avoid out-of-bounds read identified in issue #733
• tiffmedian: error out if TIFFReadScanline() fails (fixes issue #707)
• tiffmedian: close input file. (fixes issue #735)
• thumbail: avoid potential out of bounds access (fixes issue #715)
• tiffcrop: close open TIFF files and release allocated buffers before exiting in case of error to avoid memory leaks. (fixes issue #716)
• tiffcrop: fix double-free and memory leak exposed by issue #721
• tiffcrop: avoid buffer overflow. (fixes issue #740)
• tiffcrop: avoid nullptr dereference. (fixes issue #734)
• tiffdump: Fix coverity scan issue CID 1373365: Passing tainted expression *datamem to PrintData, which uses it as a divisor or modulus.
• tiff2ps: check return of TIFFGetFiled() for TIFFTAG_STRIPBYTECOUNTS and TIFFTAG_TILEBYTECOUNTS to avoid NULL pointer dereference. (fixes issue #718)
• tiffcmp: fix memory leak when second file cannot be opened. (fixes issue #718 and issue #729)
• tiffcp: fix setting compression level for lossless codecs. (fixes issue #730)
• raw2tiff: close input file before exit (fixes issue #742) Tools changes:
• tiffinfo: add a -W switch to warn about unknown tags.

• tiffdither: process all pages in input TIFF file.

• Documentation:

• TIFFRGBAImage.rst note added for incorrect saving of images with TIFF orientation from 5 (LeftTop) to 8 (LeftBottom) in the raster.

• TIFFRGBAImage.rst note added about un-associated alpha handling (fixes issue #67)
• Update "Defining New TIFF Tags" description. (fixes issue #642)
• Fix return type of TIFFReadEncodedTile()
• Update the documentation to reflect deprecated typedefs.
• TIFFWriteDirectory.rst: Clarify TIFFSetWriteOffset() only sets offset for image data and not for IFD data.
• Update documentation on re-entrancy and thread safety.
• Remove dead links to no more existing Awaresystems web-site.
• Updating BigTIFF specification and some miscelaneous editions.
• Replace some last links and remove last todos.
• Added hints for correct allocation of TIFFYCbCrtoRGB structure and its associated buffers. (fixes issue #681)
• Added chapter to "Using the TIFF Library" with links to handling multi-page TIFF and custom directories. (fixes issue #43)
• update TIFFOpen.rst with the return values of mapproc and unmapproc. (fixes issue #12)

Security issues fixed:

• CVE-2025-8961: Fix segmentation fault via main function of tiffcrop utility [bsc#1248117]
• CVE-2025-8534: Fix null pointer dereference in function PS_Lvl2page [bsc#1247582]
• CVE-2025-9165: Fix local execution manipulation can lead to memory leak [bsc#1248330]
• CVE-2024-13978: Fix null pointer dereference in tiff2pdf [bsc#1247581]
• CVE-2025-8176: Fix heap use-after-free in tools/tiffmedian.c [bsc#1247108]

• CVE-2025-8177: Fix possible buffer overflow in tools/thumbnail.c:setrow() [bsc#1247106]

• Fix TIFFMergeFieldInfo() read_count=write_count=0 (bsc#1243503)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-23=1
• SUSE Linux Enterprise Server for SAP Applications 16.0
  zypper in -t patch SUSE-SLES-16.0-23=1

Package List:

• SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
  • tiff-debuginfo-4.7.1-160000.1.1
  • tiff-4.7.1-160000.1.1
  • libtiff-devel-4.7.1-160000.1.1
  • libtiff6-debuginfo-4.7.1-160000.1.1
  • libtiff6-4.7.1-160000.1.1
  • tiff-debugsource-4.7.1-160000.1.1
• SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
  • tiff-debuginfo-4.7.1-160000.1.1
  • tiff-4.7.1-160000.1.1
  • libtiff-devel-4.7.1-160000.1.1
  • libtiff6-debuginfo-4.7.1-160000.1.1
  • libtiff6-4.7.1-160000.1.1
  • tiff-debugsource-4.7.1-160000.1.1

References:

• https://www.suse.com/security/cve/CVE-2024-13978.html
• https://www.suse.com/security/cve/CVE-2025-8176.html
• https://www.suse.com/security/cve/CVE-2025-8177.html
• https://www.suse.com/security/cve/CVE-2025-8534.html
• https://www.suse.com/security/cve/CVE-2025-8961.html
• https://www.suse.com/security/cve/CVE-2025-9165.html
• https://www.suse.com/security/cve/CVE-2025-9900.html
• https://bugzilla.suse.com/show_bug.cgi?id=1243503
• https://bugzilla.suse.com/show_bug.cgi?id=1247106
• https://bugzilla.suse.com/show_bug.cgi?id=1247108
• https://bugzilla.suse.com/show_bug.cgi?id=1247581
• https://bugzilla.suse.com/show_bug.cgi?id=1247582
• https://bugzilla.suse.com/show_bug.cgi?id=1248117
• https://bugzilla.suse.com/show_bug.cgi?id=1248330
• https://bugzilla.suse.com/show_bug.cgi?id=1250413