diff -Nru tiff-4.1.0+git191117/debian/changelog tiff-4.1.0+git191117/debian/changelog
--- tiff-4.1.0+git191117/debian/changelog 2022-05-12 15:05:25.000000000 +0000
+++ tiff-4.1.0+git191117/debian/changelog 2022-09-07 09:01:17.000000000 +0000
@@ -1,3 +1,28 @@
+tiff (4.1.0+git191117-2ubuntu0.20.04.4) focal-security; urgency=medium
+
+ * SECURITY UPDATE: NULL Pointer Dereference
+ - debian/patches/CVE-2022-0907.patch: add checks for return value of
+ limitMalloc in tools/tiffcrop.c.
+ - debian/patches/CVE-2022-0908.patch: avoid
+ calling memcpy() with a null source pointer and size of zero in
+ libtiff/tif_dirread.c.
+ - CVE-2022-0907
+ - CVE-2022-0908
+ * SECURITY UPPDATE: floating point exception
+ - debian/patches/CVE-2022-0909.patch: fix the FPE in tiffcrop by
+ checking if variable is Nan in libtiff/tif_dir.c.
+ - CVE-2022-0909
+ * SECURITY UPDATE: heap buffer overflow in cpContigBufToSeparateBuf
+ - debian/patches/CVE-2022-0924.patch: fix heap buffer overflow in
+ tools/tiffcp.c.
+ - CVE-2022-0924
+ * SECURITY UPDATE: out-of-bounds with custom tag
+ - debian/patches/CVE-2022-22844.patch: fix global-buffer-overflow
+ for ASCII tags where count is required in tools/tiffset.c.
+ - CVE-2022-22844
+
+ -- David Fernandez Gonzalez Wed, 07 Sep 2022 11:01:17 +0200
+
 tiff (4.1.0+git191117-2ubuntu0.20.04.3) focal-security; urgency=medium

 * SECURITY UPDATE: malloc failure in TIFF2RGBA tool
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0907.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0907.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0907.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0907.patch 2022-09-07 09:01:17.000000000 +0000
@@ -0,0 +1,86 @@
+Backport of: 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001
+From: Augustus
+Date: Mon, 7 Mar 2022 18:21:49 +0800
+Subject: [PATCH] add checks for return value of limitMalloc (#392)
+
+---
+ tools/tiffcrop.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+Index: tiff-4.1.0+git191117/tools/tiffcrop.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/tools/tiffcrop.c
++++ tiff-4.1.0+git191117/tools/tiffcrop.c
+@@ -7317,7 +7317,11 @@ createImageSection(uint32 sectsize, unsi
+ if (!sect_buff)
+ {
+ sect_buff = (unsigned char *)_TIFFmalloc(sectsize);
+- *sect_buff_ptr = sect_buff;
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ else
+@@ -7333,15 +7337,15 @@ createImageSection(uint32 sectsize, unsi
+ else
+ sect_buff = new_buff;
+
++ if (!sect_buff)
++ {
++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
++ return (-1);
++ }
+ _TIFFmemset(sect_buff, 0, sectsize);
+ }
+ }
+
+- if (!sect_buff)
+- {
+- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer");
+- return (-1);
+- }
+ prev_sectsize = sectsize;
+ *sect_buff_ptr = sect_buff;
+
+@@ -7608,7 +7612,11 @@ createCroppedImage(struct image_data *im
+ if (!crop_buff)
+ {
+ crop_buff = (unsigned char *)_TIFFmalloc(cropsize);
+- *crop_buff_ptr = crop_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ prev_cropsize = cropsize;
+ }
+@@ -7624,15 +7632,15 @@ createCroppedImage(struct image_data *im
+ }
+ else
+ crop_buff = new_buff;
++ if (!crop_buff)
++ {
++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
++ return (-1);
++ }
+ _TIFFmemset(crop_buff, 0, cropsize);
+ }
+ }
+
+- if (!crop_buff)
+- {
+- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer");
+- return (-1);
+- }
+ *crop_buff_ptr = crop_buff;
+
+ if (crop->crop_mode & CROP_INVERT)
+@@ -9191,3 +9199,4 @@ invertImage(uint16 photometric, uint16 s
+ * fill-column: 78
+ * End:
+ */
++
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0908.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0908.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0908.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0908.patch 2022-09-07 09:01:17.000000000 +0000
@@ -0,0 +1,26 @@
+Backport of: a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001
+From: Even Rouault
+Date: Thu, 17 Feb 2022 15:28:43 +0100
+Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null
+ source pointer and size of zero (fixes #383)
+
+---
+ libtiff/tif_dirread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dirread.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dirread.c
++++ tiff-4.1.0+git191117/libtiff/tif_dirread.c
+@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEnt
+ _TIFFfree(data);
+ return(0);
+ }
+- _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ if (dp->tdir_count > 0 )
++ {
++ _TIFFmemcpy(o,data,(uint32)dp->tdir_count);
++ }
+ o[(uint32)dp->tdir_count]=0;
+ if (data!=0)
+ _TIFFfree(data);
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0909.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0909.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0909.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0909.patch 2022-09-07 09:01:17.000000000 +0000
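Review bot: In the `@@ -7333` and `@@ -7624` hunks the new NULL check returns -1 before `*sect_buff_ptr` / `*crop_buff_ptr` is updated, so the caller keeps whatever pointer it passed in; if the realloc branch above these hunks frees the old buffer before retrying `_TIFFmalloc` (the `else sect_buff = new_buff;` context suggests a failed-realloc fallback, but those lines are outside the hunk), that pointer now dangles and a later cleanup would double-free it. Clearing it on the failure path is cheap: `*sect_buff_ptr = NULL;` before `return (-1);` in createImageSection, and `*crop_buff_ptr = NULL;` likewise in createCroppedImage. Both functions start and end outside these hunks. The `@@ -9191` hunk only appends a blank line at end of file and is unrelated to the CVE fix, so it can be dropped from the backport.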
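Review bot: The guard added at `@@ -5021` keys on `dp->tdir_count > 0` rather than on the pointer, while the defect it closes is `data` being NULL; testing both states the intent and stays safe if the fetch helper above the hunk ever returns a NULL `data` for a non-zero count: `if (data != NULL && dp->tdir_count > 0)`. Both the copy length and the terminator index truncate `dp->tdir_count` with `(uint32)`; that is only consistent if the allocation of `o` just above the hunk used the same cast, which cannot be confirmed from here and is worth checking for BigTIFF counts. A one-line comment, `/* memcpy() with a NULL source is undefined even for size 0 */`, would explain why a zero-length copy needs guarding at all. TIFFFetchNormalTag continues outside the hunk.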
@@ -0,0 +1,29 @@
+From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001
+From: 4ugustus
+Date: Tue, 8 Mar 2022 16:22:04 +0000
+Subject: [PATCH] fix the FPE in tiffcrop (#393)
+
+---
+ libtiff/tif_dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: tiff-4.1.0+git191117/libtiff/tif_dir.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/libtiff/tif_dir.c
++++ tiff-4.1.0+git191117/libtiff/tif_dir.c
+@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va
+ break;
+ case TIFFTAG_XRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_xresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
+ case TIFFTAG_YRESOLUTION:
+ dblval = va_arg(ap, double);
+- if( dblval < 0 )
++ if( dblval != dblval || dblval < 0 )
+ goto badvaluedouble;
+ td->td_yresolution = _TIFFClampDoubleToFloat( dblval );
+ break;
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-0924.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-0924.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-0924.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-0924.patch 2022-09-07 09:01:17.000000000 +0000
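Review bot: The NaN test added at `@@ -334` relies on `dblval != dblval`, which a compiler is allowed to fold to false under `-ffinite-math-only`/`-ffast-math` and which reads like a typo to anyone unfamiliar with the idiom; `isnan(dblval)` from `<math.h>` states the intent and survives those flags, provided tif_dir.c can include it (the include block is outside this hunk). The check still admits 0 and +Inf, since `dblval < 0` passes a zero resolution, so any tiffcrop code that divides by `td_xresolution`/`td_yresolution` needs its own zero check, which this patch does not add. If the self-comparison is kept, a comment should mark it as deliberate: `/* dblval != dblval rejects NaN; negative resolutions are invalid */`. _TIFFVSetField starts and ends outside the hunk.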
@@ -0,0 +1,50 @@
+Backport of: 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001
+From: 4ugustus
+Date: Thu, 10 Mar 2022 08:48:00 +0000
+Subject: [PATCH] fix heap buffer overflow in tiffcp (#278)
+
+---
+ tools/tiffcp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+Index: tiff-4.1.0+git191117/tools/tiffcp.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/tools/tiffcp.c
++++ tiff-4.1.0+git191117/tools/tiffcp.c
+@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+ tdata_t obuf;
+ tstrip_t strip = 0;
+ tsample_t s;
++ uint16 bps = 0, bytes_per_sample;
+
+ obuf = _TIFFmalloc(stripsize);
+ if (obuf == NULL)
+ return (0);
+ _TIFFmemset(obuf, 0, stripsize);
+ (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps);
++ if( bps == 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ if( (bps % 8) != 0 )
++ {
++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8");
++ _TIFFfree(obuf);
++ return 0;
++ }
++ bytes_per_sample = bps/8;
+ for (s = 0; s < spp; s++) {
+ uint32 row;
+ for (row = 0; row < imagelength; row += rowsperstrip) {
+@@ -1539,7 +1554,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt
+
+ cpContigBufToSeparateBuf(
+ obuf, (uint8*) buf + row*rowsize + s,
+- nrows, imagewidth, 0, 0, spp, 1);
++ nrows, imagewidth, 0, 0, spp, bytes_per_sample);
+ if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) {
+ TIFFError(TIFFFileName(out),
+ "Error, can't write strip %u",
diff -Nru tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch
--- tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/CVE-2022-22844.patch 2022-09-07 09:01:17.000000000
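Review bot: In the `@@ -1539` hunk the per-sample width passed to cpContigBufToSeparateBuf is now `bytes_per_sample`, but the source pointer on the unchanged line above it is still `(uint8*) buf + row*rowsize + s`, an offset of `s` bytes rather than `s` samples; for BitsPerSample of 16 or more, plane `s` therefore starts at the wrong byte and the separated strips come out byte-shifted (the read stays within the row if the helper advances by `spp*bytes_per_sample` per pixel, which cannot be confirmed from here). The offset should scale with the sample width: `obuf, (uint8*) buf + row*rowsize + s * bytes_per_sample,`. The `(void)` on `TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps)` is only safe because `bps` is pre-set to 0 and checked immediately after; a comment such as `/* bps stays 0 if the tag is absent; rejected below */` would stop a future reader from dropping the initializer. writeBufferToSeparateStrips starts and ends outside these hunks.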
+0000
@@ -0,0 +1,45 @@
+Back 03047a26952a82daaa0792957ce211e0aa51bc64 Mon Sep 17 00:00:00 2001
+From: 4ugustus
+Date: Tue, 25 Jan 2022 16:25:28 +0000
+Subject: [PATCH] tiffset: fix global-buffer-overflow for ASCII tags where
+ count is required (fixes #355)
+
+---
+ tools/tiffset.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+Index: tiff-4.1.0+git191117/tools/tiffset.c
+===================================================================
+--- tiff-4.1.0+git191117.orig/tools/tiffset.c
++++ tiff-4.1.0+git191117/tools/tiffset.c
+@@ -32,6 +32,7 @@
+ #include
+ #include
+ #include
++ #include
+
+ #include "tiffio.h"
+
+@@ -133,9 +134,19 @@ main(int argc, char* argv[])
+
+ arg_index++;
+ if (TIFFFieldDataType(fip) == TIFF_ASCII) {
+- if (TIFFSetField(tiff, TIFFFieldTag(fip), argv[arg_index]) != 1)
+- fprintf( stderr, "Failed to set %s=%s\n",
+- TIFFFieldName(fip), argv[arg_index] );
++ if(TIFFFieldPassCount( fip )) {
++ size_t len;
++ len = strlen(argv[arg_index]) + 1;
++ if (len > UINT16_MAX || TIFFSetField(tiff, TIFFFieldTag(fip),
++ (uint16)len, argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ } else {
++ if (TIFFSetField(tiff, TIFFFieldTag(fip),
++ argv[arg_index]) != 1)
++ fprintf( stderr, "Failed to set %s=%s\n",
++ TIFFFieldName(fip), argv[arg_index] );
++ }
+ } else if (TIFFFieldWriteCount(fip) > 0
+ || TIFFFieldWriteCount(fip) == TIFF_VARIABLE) {
+ int ret = 1;
diff -Nru tiff-4.1.0+git191117/debian/patches/series tiff-4.1.0+git191117/debian/patches/series
--- tiff-4.1.0+git191117/debian/patches/series 2022-05-12 15:05:17.000000000 +0000
+++ tiff-4.1.0+git191117/debian/patches/series 2022-09-07 09:01:17.000000000 +0000
@@ -8,3 +8,8 @@
 CVE-2022-0562.patch
 CVE-2022-0865.patch
 CVE-2022-0891.patch
+CVE-2022-0907.patch
+CVE-2022-0908.patch
+CVE-2022-0909.patch
+CVE-2022-0924.patch
+CVE-2022-22844.patch
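Review bot: In the `@@ -133` hunk the `len > UINT16_MAX` rejection shares its diagnostic with a failed TIFFSetField, so an over-long argument is reported as "Failed to set %s=%s" and the entire oversized string is echoed to stderr; a separate check gives an actionable message and avoids printing the value, e.g. `if (len > UINT16_MAX) fprintf(stderr, "Value for %s is too long (%zu bytes, max %u)\n", TIFFFieldName(fip), len, (unsigned)UINT16_MAX);` ahead of the existing call. The two branches otherwise differ only in whether the `(uint16)len` count argument is passed and duplicate the fprintf; computing a single status in each branch and reporting once afterwards would read more clearly. The new `#include` at `@@ -32` is what brings `UINT16_MAX` into scope (its header name is lost in this rendering, presumably `<stdint.h>`), so it must stay paired with this hunk if the patch is ever split. main() starts and ends outside the hunk.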