Description: ** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version                       Status
tiff (PTS)       buster                         4.1.0+git191117-2~deb10u4     vulnerable
                 buster (security)              4.1.0+git191117-2~deb10u8     vulnerable
                 bullseye (security), bullseye  4.2.0-1+deb11u4               vulnerable
                 sid, trixie                    4.5.1+git230720-1             vulnerable

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs
(no fixed versions recorded)

Details on the issue have not been confirmed by the reporter after several attempts,
and this looks like a non-issue. More reproducible reports from SUSE claim this might be
a duplicate of CVE-2017-9935. Unless the reporter provides more details in the
upstream report, consider this a non-issue.
