Hi,

The following vulnerability was published for tiff.

CVE-2026-36849[0]:
| Denial of Service via large SamplesPerPixel tag


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-36849
https://www.cve.org/CVERecord?id=CVE-2026-36849
[1] https://gitlab.com/libtiff/libtiff/-/work_items/781
[2] https://gitlab.com/libtiff/libtiff/-/commit/eedba405d3695b52faae65994c5904f228eca0bf
[3] https://www.openwall.com/lists/oss-security/2026/06/17/1

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140300@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 18 Jun 2026 19:44:21 +0200
Source: tiff
Architecture: source
Version: 4.7.1-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 1086689 1140300
Changes:
 tiff (4.7.1-3) unstable; urgency=high
 .
   [ Laszlo Boszormenyi (GCS) ]
   * Backport security fix for CVE-2026-36849, denial of service via large
     SamplesPerPixel tag (closes: #1140300).
   * Update libtiff6 symbols.
 .
   [ Helmut Grohne <helmut@subdivi.de> ]
   * Fix FTCBFS: Annotate sphinx dependency :native (closes: #1086689).
Checksums-Sha1:
 115273bf22c74210e8d9d0c336d7e1e04f1eb55d 2262 tiff_4.7.1-3.dsc
 62af53d712b6a699d3e21f7dc6b8414407466a0e 28052 tiff_4.7.1-3.debian.tar.xz
Checksums-Sha256:
 46d753c708645b5df240371ab877f5af3169f6df0a395fd8e8a17fbad19875ca 2262 tiff_4.7.1-3.dsc
 4619215f664cd3f08604e649da222d89d7f5a7ffa83c8b978dbe2d25bb7da1e1 28052 tiff_4.7.1-3.debian.tar.xz
Files:
 af4790bceb0cd9864111167c390e22e4 2262 libs optional tiff_4.7.1-3.dsc
 d97dded10ef227a671ae5323af1e9acc 28052 libs optional tiff_4.7.1-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAmo0RmQACgkQ3OMQ54ZM
yL/qQQ//bsidN1kDHtCnduko+jS7LTYnYM2ylJOHtOQWeRhc3iTf+m5yfSF0Iy/X
3lr9ys588TEdMFnZzeyXvobO3tNx08Jgmf8WaiRlZHVEiqVeyFDBp+ziyiJI5aRa
25tqn7UKW3JCHMgDWV9nKfoG/U109XZPWA/4kada/YQwsy4S7TzkiiEXjt+XFy1x
MJH/hhXgYMXuMWqm1BDjoePVr6uyxhSsJkBov9ofRU2t5aQrkqpfrmuf/Al6PZ6A
6bUJelN23cd+fxtQz4AvTbsLGqtf95iGEtSR4VAvtp0JFqogksctCVqB3qhuy//r
TdxI9g4r+2D0NatK2vnAA56THeglTYlSJyiK/73ckqtzGemRoMZXPZLowO0wAm0Q
VlRmSsmNM16DfAwQ6NypeKt33Y81797I82bWuaBefSTxhC+MPtJLZPTJUN8w7suC
GcK/J907r0tAtOrFPZEpubg3IlaxLgKg+dlQQoLQj+Zfuh483IW/vw42e/vvRq4m
4adyadJ0gzQpV64EKSnzHro1hyAa1CxstScImyHCa9b2Auoz9BaDMc543D3CkBqo
gJG5Rj11o1F6QR9J4HzQ/CvwN/j0jO1WoC/GeVv8R22yTJhRMItBvtD2pYCyoRpw
d3O1qeK7QkfEq0Pqs4PLh1RVpufKcif0nvCWxA8Aqk44F9nQu28=
=MLVo
-----END PGP SIGNATURE-----