lp:ubuntu/hoary-security/tiff
- Get this branch:
- bzr branch lp:ubuntu/hoary-security/tiff
Branch merges
Branch information
Recent revisions
- 6. By Martin Pitt
-
* SECURITY UPDATE: Arbitrary code execution with crafted TIFF files, found
by Tavis Ormandy of the Google Security Team.
* CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
tif_dirread.c
* CVE-2006-3460: A heap overflow vulnerability was discovered in the
jpeg decoder
* CVE-2006-3461: A heap overflow exists in the PixarLog decoder
* CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
overflow
* CVE-2006-3463: An infinite loop was discovered in
EstimateStripByteCounts( )
* CVE-2006-3464: Multiple unchecked arithmetic operations were
uncovered, including a number of the range checking operations
deisgned to ensure the offsets specified in tiff directories are
legitimate.
* A number of codepaths were uncovered where assertions did not hold
true, resulting in the client application calling abort()
* CVE-2006-3465: A flaw was also uncovered in libtiffs custom tag
support - 5. By Martin Pitt
-
* SECURITY UPDATE: Arbitrary command execution with crafted long file names.
* tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
user-specified file name into a statically sized buffer. [CVE-2006-2656]
* tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
signed char (it printed a signed integer, which overflew the buffer and
was wrong anyway). - 4. By Martin Pitt
-
* SECURITY UPDATE: DoS and arbitrary code execution with crafted TIFF files.
* Backported security relevant fixes from stable 3.8.1 release. See
http://bugzilla. remotesensing. org/show_ bug.cgi? id=1102 for reproducer
images.
* libtiff/tif_dirread. c: Fix error reporting in TIFFFetchAnyArray()
(%d in format string without corresponding integer argument).
[CVE-2006-2024]
* libtiff/{tif_pixarlog. c, tif_fax3.c, tif_zip.c}: Properly
restore setfield/getfield methods in cleanup functions to avoid crash on
invalid files. [CVE-2006-2024]
* libtiff/{tif_predict. c, tif_predict.h}: Added new function
TIFFPredictorCleanup( ) to restore parent decode/encode/field methods.
[CVE-2006-2024]
* libtiff/tif_dirread. c: Check for integer overflow in TIFFFetchData().
[CVE-2006-2025]
* libtiff/tif_jpeg.c: Properly restore setfield/getfield methods in
cleanup functions to avoid double free(). [CVE-2006-2026]
* libtiff/tif_color. c: Check for out-of-bounds values in TIFFXYZToRGB().
[CVE-2006-2120]
* Added CVE to previous changelog. - 3. By Martin Pitt
-
* SECURITY UPDATE: Fix Denial of Service vulnerability.
* libtiff/tif_strip. c, libtiff/tif_tile.c:
- Check for zero YCbCr subsampling values which cause a division by zero
crash.
- Applied upstream patch from 3.7.1.
- Ubuntu #12008. - 2. By Jay Berkenbilt
-
* New maintainer (thanks Joy!)
* Applied patch by Dmitry V. Levin to fix a segmentation fault
[tools/tiffdump. c, CAN-2004-1183]
Thanks to Martin Schulze for forwarding the patch.
* Fixed section of -dev package (devel -> libdevel)
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/karmic/tiff