lp:ubuntu/dapper-updates/tiff

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

14. By Marc Deslauriers on 2011-03-30

* SECURITY UPDATE: arbitrary code execution via crafted
  THUNDER_2BITDELTAS data
  - debian/patches/z_CVE-2011-1167.patch: validate bitspersample and
    make sure npixels is sane in libtiff/tif_thunder.c.
  - CVE-2011-1167

13. By Kees Cook on 2011-03-14

* debian/patches/CVE-2011-0192.patch: update for regression in
  processing of certain CCITTFAX4 files (LP: #731540).
  - http://bugzilla.maptools.org/show_bug.cgi?id=2297

12. By Marc Deslauriers on 2011-03-04

* SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
  values
  - debian/patches/z_CVE-2010-2595.patch: validate values in
    libtiff/tif_color.c.
  - CVE-2010-2595
* SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067)
  - debian/patches/z_CVE-2010-2597.patch: properly initialize fields in
    libtiff/tif_strip.c.
  - CVE-2010-2597
  - CVE-2010-2598
* SECURITY UPDATE: denial of service via out-of-order tags
  - debian/patches/z_CVE-2010-2630.patch: correctly handle order in
    libtiff/tif_dirread.c.
  - CVE-2010-2630
* SECURITY UPDATE: denial of service and possible code exection via
  YCBCRSUBSAMPLING tag
  - debian/patches/z_CVE-2011-0191.patch: validate td_ycbcrsubsampling in
    libtiff/tif_dir.c.
  - CVE-2011-0191
* SECURITY UPDATE: denial of service and possible code execution via
  buffer overflow in Fax4Decode
  - debian/patches/z_CVE-2011-0192.patch: check length in
    libtiff/tif_fax3.h.
  - CVE-2011-0192

11. By Kees Cook on 2010-06-17

* SECURITY UPDATE: arbitrary code execution and crashes via multiple
  integer overflows. Backported upstream fixes:
  - debian/patches/CVE-2010-1411.patch
  - debian/patches/fix-unknown-tags.patch

10. By Marc Deslauriers on 2009-07-13

* SECURITY UPDATE: arbitrary code execution via integer overflows in
  tiff2rgba and rgb2ycbcr
  - debian/patches/CVE-2009-2347.patch: check for integer overflows in
    tools/rgb2ycbcr.c and tools/tiff2rgba.c.
  - CVE-2009-2347

9. By Marc Deslauriers on 2009-07-03

* SECURITY UPDATE: denial of service via buffer underflow in the
  LZWDecodeCompat function (LP: #380149)
  - debian/patches/CVE-2009-2285.patch: abort if code is bigger than
    CODE_CLEAR in libtiff/tif_lzw.c.
  - CVE-2009-2285

8. By Kees Cook on 2008-08-29

* SECURITY UPDATE: arbitrary code execution via LZW overflow.
* Add debian/patches/CVE-2008-2327.patch: thanks to Jay Berkenbilt.

7. By Martin Pitt on 2006-08-02

* SECURITY UPDATE: Arbitrary code execution with crafted TIFF files, found
  by Tavis Ormandy of the Google Security Team.
* Add debian/patches/CVE-2006-3459-3465.patch:
  - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
    tif_dirread.c
  - CVE-2006-3460: A heap overflow vulnerability was discovered in the
    jpeg decoder
  - CVE-2006-3461: A heap overflow exists in the PixarLog decoder
  - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
    overflow
  - CVE-2006-3463: An infinite loop was discovered in
    EstimateStripByteCounts()
  - CVE-2006-3464: Multiple unchecked arithmetic operations were
    uncovered, including a number of the range checking operations
    deisgned to ensure the offsets specified in tiff directories are
    legitimate.
  - A number of codepaths were uncovered where assertions did not hold
    true, resulting in the client application calling abort()
  - CVE-2006-3465: A flaw was also uncovered in libtiffs custom tag
    support

6. By Martin Pitt on 2006-06-02

* SECURITY UPDATE: Arbitrary command execution with crafted long file names.
* Add debian/patches/tiffsplit-fname-overflow.patch:
  - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
    user-specified file name into a statically sized buffer.
  - CVE-2006-2656
* Add debian/patches/tiff2pdf-octal-printf.patch:
  - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
    signed char (it printed a signed integer, which overflew the buffer and
    was wrong anyway).

5. By Sebastien Bacher on 2006-05-07

* debian/patches/fix_43286_crasher.patch:
  - upstream change, fix a crasher (Ubuntu: #43286)