lp:ubuntu/breezy-security/tiff
- Get this branch: bzr branch lp:ubuntu/breezy-security/tiff
Recent revisions
- 6. By Martin Pitt
  * SECURITY UPDATE: Arbitrary code execution with crafted TIFF files, found
    by Tavis Ormandy of the Google Security Team.
  * Add debian/patches/CVE-2006-3459-3465.patch:
    - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
      tif_dirread.c
    - CVE-2006-3460: A heap overflow vulnerability was discovered in the
      jpeg decoder
    - CVE-2006-3461: A heap overflow exists in the PixarLog decoder
    - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
      overflow
    - CVE-2006-3463: An infinite loop was discovered in
      EstimateStripByteCounts()
    - CVE-2006-3464: Multiple unchecked arithmetic operations were
      uncovered, including a number of the range checking operations
      designed to ensure the offsets specified in tiff directories are
      legitimate.
    - A number of codepaths were uncovered where assertions did not hold
      true, resulting in the client application calling abort()
    - CVE-2006-3465: A flaw was also uncovered in libtiff's custom tag
      support
- 5. By Martin Pitt
  * SECURITY UPDATE: Arbitrary command execution with crafted long file names.
  * Add debian/patches/tiffsplit-fname-overflow.patch:
    - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
      user-specified file name into a statically sized buffer.
    - CVE-2006-2656
  * Add debian/patches/tiff2pdf-octal-printf.patch:
    - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
      signed char (it printed a signed integer, which overflowed the buffer and
      was wrong anyway).
- 4. By Martin Pitt
  * SECURITY UPDATE: DoS and arbitrary code execution with crafted TIFF files.
  * Add debian/patches/3.8.1-security-fixes.patch: Backported security
    relevant fixes from stable 3.8.1 release:
    - libtiff/tif_dirread.c: Fix error reporting in TIFFFetchAnyArray()
      (%d in format string without corresponding integer argument).
      [CVE-2006-2024]
    - libtiff/{tif_pixarlog.c, tif_fax3.c, tif_zip.c}: Properly
      restore setfield/getfield methods in cleanup functions to avoid crash on
      invalid files. [CVE-2006-2024]
    - libtiff/{tif_predict.c, tif_predict.h}: Added new function
      TIFFPredictorCleanup() to restore parent decode/encode/field methods.
      [CVE-2006-2024]
    - libtiff/tif_dirread.c: Check for integer overflow in TIFFFetchData().
      [CVE-2006-2025]
    - libtiff/tif_jpeg.c: Properly restore setfield/getfield methods in
      cleanup functions to avoid double free(). [CVE-2006-2026]
    - libtiff/tif_color.c: Check for out-of-bounds values in TIFFXYZToRGB().
      [CVE-2006-2120]
  * See http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 for reproducer
    images.
- 2. By Jay Berkenbilt
  * New maintainer (thanks Joy!)
  * Applied patch by Dmitry V. Levin to fix a segmentation fault
    [tools/tiffdump.c, CAN-2004-1183]
    Thanks to Martin Schulze for forwarding the patch.
  * Fixed section of -dev package (devel -> libdevel)
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/karmic/tiff