Ubuntu
tiff package

lp:ubuntu/hoary-security/tiff

  1. Hoary (5.04)
  2. hoary-security
Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hoary-security/tiff
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

6. By Martin Pitt

* SECURITY UPDATE: Arbitrary code execution with crafted TIFF files, found
  by Tavis Ormandy of the Google Security Team.
* CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
  tif_dirread.c
* CVE-2006-3460: A heap overflow vulnerability was discovered in the
  jpeg decoder
* CVE-2006-3461: A heap overflow exists in the PixarLog decoder
* CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
  overflow
* CVE-2006-3463: An infinite loop was discovered in
  EstimateStripByteCounts()
* CVE-2006-3464: Multiple unchecked arithmetic operations were
  uncovered, including a number of the range checking operations
  deisgned to ensure the offsets specified in tiff directories are
  legitimate.
* A number of codepaths were uncovered where assertions did not hold
  true, resulting in the client application calling abort()
* CVE-2006-3465: A flaw was also uncovered in libtiffs custom tag
  support

5. By Martin Pitt

* SECURITY UPDATE: Arbitrary command execution with crafted long file names.
* tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
  user-specified file name into a statically sized buffer. [CVE-2006-2656]
* tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
  signed char (it printed a signed integer, which overflew the buffer and
  was wrong anyway).

4. By Martin Pitt

* SECURITY UPDATE: DoS and arbitrary code execution with crafted TIFF files.
* Backported security relevant fixes from stable 3.8.1 release. See
  http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 for reproducer
  images.
* libtiff/tif_dirread.c: Fix error reporting in TIFFFetchAnyArray()
  (%d in format string without corresponding integer argument).
  [CVE-2006-2024]
* libtiff/{tif_pixarlog.c, tif_fax3.c, tif_zip.c}: Properly
  restore setfield/getfield methods in cleanup functions to avoid crash on
  invalid files. [CVE-2006-2024]
* libtiff/{tif_predict.c, tif_predict.h}: Added new function
  TIFFPredictorCleanup() to restore parent decode/encode/field methods.
  [CVE-2006-2024]
* libtiff/tif_dirread.c: Check for integer overflow in TIFFFetchData().
  [CVE-2006-2025]
* libtiff/tif_jpeg.c: Properly restore setfield/getfield methods in
  cleanup functions to avoid double free(). [CVE-2006-2026]
* libtiff/tif_color.c: Check for out-of-bounds values in TIFFXYZToRGB().
  [CVE-2006-2120]
* Added CVE to previous changelog.

3. By Martin Pitt

* SECURITY UPDATE: Fix Denial of Service vulnerability.
* libtiff/tif_strip.c, libtiff/tif_tile.c:
  - Check for zero YCbCr subsampling values which cause a division by zero
    crash.
  - Applied upstream patch from 3.7.1.
  - Ubuntu #12008.

2. By Jay Berkenbilt

* New maintainer (thanks Joy!)
* Applied patch by Dmitry V. Levin to fix a segmentation fault
  [tools/tiffdump.c, CAN-2004-1183]
  Thanks to Martin Schulze for forwarding the patch.
* Fixed section of -dev package (devel -> libdevel)

1. By Fabio Massimo Di Nitto

Import upstream version 3.6.1

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/tiff
This branch contains Public information 
Everyone can see this information.

Subscribers