lp:ubuntu/breezy-security/tiff

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/breezy-security/tiff

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

6. By Martin Pitt

* SECURITY UPDATE: Arbitrary code execution with crafted TIFF files, found
  by Tavis Ormandy of the Google Security Team.
* Add debian/patches/CVE-2006-3459-3465.patch:
  - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
    tif_dirread.c
  - CVE-2006-3460: A heap overflow vulnerability was discovered in the
    jpeg decoder
  - CVE-2006-3461: A heap overflow exists in the PixarLog decoder
  - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
    overflow
  - CVE-2006-3463: An infinite loop was discovered in
    EstimateStripByteCounts()
  - CVE-2006-3464: Multiple unchecked arithmetic operations were
    uncovered, including a number of the range checking operations
    designed to ensure the offsets specified in tiff directories are
    legitimate.
  - A number of codepaths were uncovered where assertions did not hold
    true, resulting in the client application calling abort()
  - CVE-2006-3465: A flaw was also uncovered in libtiff's custom tag
    support

5. By Martin Pitt

* SECURITY UPDATE: Arbitrary command execution with crafted long file names.
* Add debian/patches/tiffsplit-fname-overflow.patch:
  - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
    user-specified file name into a statically sized buffer.
  - CVE-2006-2656
* Add debian/patches/tiff2pdf-octal-printf.patch:
  - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
    signed char (it printed a signed integer, which overflowed the buffer and
    was wrong anyway).

4. By Martin Pitt

* SECURITY UPDATE: DoS and arbitrary code execution with crafted TIFF files.
* Add debian/patches/3.8.1-security-fixes.patch: Backported security
  relevant fixes from stable 3.8.1 release:
  - libtiff/tif_dirread.c: Fix error reporting in TIFFFetchAnyArray()
    (%d in format string without corresponding integer argument).
    [CVE-2006-2024]
  - libtiff/{tif_pixarlog.c, tif_fax3.c, tif_zip.c}: Properly
    restore setfield/getfield methods in cleanup functions to avoid crash on
    invalid files. [CVE-2006-2024]
  - libtiff/{tif_predict.c, tif_predict.h}: Added new function
    TIFFPredictorCleanup() to restore parent decode/encode/field methods.
    [CVE-2006-2024]
  - libtiff/tif_dirread.c: Check for integer overflow in TIFFFetchData().
    [CVE-2006-2025]
  - libtiff/tif_jpeg.c: Properly restore setfield/getfield methods in
    cleanup functions to avoid double free(). [CVE-2006-2026]
  - libtiff/tif_color.c: Check for out-of-bounds values in TIFFXYZToRGB().
    [CVE-2006-2120]
* See http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 for reproducer
  images.

3. By Adam Conrad

Update build-depends for the xorg -> mesa transition.

2. By Jay Berkenbilt

* New maintainer (thanks Joy!)
* Applied patch by Dmitry V. Levin to fix a segmentation fault
  [tools/tiffdump.c, CAN-2004-1183]
  Thanks to Martin Schulze for forwarding the patch.
* Fixed section of -dev package (devel -> libdevel)

1. By Fabio Massimo Di Nitto

Import upstream version 3.6.1

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/tiff