| Name | CVE-2025-8961 |
| Description | A weakness has been identified in LibTIFF 4.7.0. This affects the function main of the file tiffcrop.c of the component tiffcrop. Executing manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1111317 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| tiff (PTS) | bullseye | 4.2.0-1+deb11u5 | vulnerable |
| bullseye (security) | 4.2.0-1+deb11u7 | vulnerable |
| bookworm | 4.5.0-6+deb12u2 | vulnerable |
| bookworm (security) | 4.5.0-6+deb12u3 | vulnerable |
| trixie | 4.7.0-3 | vulnerable |
| trixie (security) | 4.7.0-3+deb13u1 | fixed |
| forky, sid | 4.7.1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| tiff | source | trixie | 4.7.0-3+deb13u1 | | | |
| tiff | source | (unstable) | 4.7.0-5 | unimportant | | 1111317 |
Notes
https://gitlab.com/libtiff/libtiff/-/issues/721
https://gitlab.com/libtiff/libtiff/-/commit/0ac97aa7a5bffddd88f7cdbe517264e9db3f5bd5
Crash in CLI tool, no security impact