-
tiff (3.7.4-1ubuntu3.11) dapper-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via crafted
THUNDER_2BITDELTAS data
- debian/patches/z_CVE-2011-1167.patch: validate bitspersample and
make sure npixels is sane in libtiff/tif_thunder.c.
- CVE-2011-1167
-- Marc Deslauriers <email address hidden> Wed, 30 Mar 2011 13:34:17 -0400
-
tiff (3.7.4-1ubuntu3.10) dapper-security; urgency=low
* debian/patches/CVE-2011-0192.patch: update for regression in
processing of certain CCITTFAX4 files (LP: #731540).
- http://bugzilla.maptools.org/show_bug.cgi?id=2297
-- Kees Cook <email address hidden> Mon, 14 Mar 2011 10:56:27 -0700
-
tiff (3.7.4-1ubuntu3.9) dapper-security; urgency=low
* SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite
values
- debian/patches/z_CVE-2010-2595.patch: validate values in
libtiff/tif_color.c.
- CVE-2010-2595
* SECURITY UPDATE: denial of service via divide-by-zero (LP: #593067)
- debian/patches/z_CVE-2010-2597.patch: properly initialize fields in
libtiff/tif_strip.c.
- CVE-2010-2597
- CVE-2010-2598
* SECURITY UPDATE: denial of service via out-of-order tags
- debian/patches/z_CVE-2010-2630.patch: correctly handle order in
libtiff/tif_dirread.c.
- CVE-2010-2630
* SECURITY UPDATE: denial of service and possible code execution via
YCBCRSUBSAMPLING tag
- debian/patches/z_CVE-2011-0191.patch: validate td_ycbcrsubsampling in
libtiff/tif_dir.c.
- CVE-2011-0191
* SECURITY UPDATE: denial of service and possible code execution via
buffer overflow in Fax4Decode
- debian/patches/z_CVE-2011-0192.patch: check length in
libtiff/tif_fax3.h.
- CVE-2011-0192
-- Marc Deslauriers <email address hidden> Fri, 04 Mar 2011 10:09:48 -0500
-
tiff (3.7.4-1ubuntu3.8) dapper-security; urgency=low
* SECURITY UPDATE: arbitrary code execution and crashes via multiple
integer overflows. Backported upstream fixes:
- debian/patches/CVE-2010-1411.patch
- debian/patches/fix-unknown-tags.patch
-- Kees Cook <email address hidden> Thu, 17 Jun 2010 12:08:10 -0700
-
tiff (3.7.4-1ubuntu3.6) dapper-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via integer overflows in
tiff2rgba and rgb2ycbcr
- debian/patches/CVE-2009-2347.patch: check for integer overflows in
tools/rgb2ycbcr.c and tools/tiff2rgba.c.
- CVE-2009-2347
-- Marc Deslauriers <email address hidden> Mon, 13 Jul 2009 09:31:11 -0400
-
tiff (3.7.4-1ubuntu3.4) dapper-security; urgency=low
* SECURITY UPDATE: denial of service via buffer underflow in the
LZWDecodeCompat function (LP: #380149)
- debian/patches/CVE-2009-2285.patch: abort if code is bigger than
CODE_CLEAR in libtiff/tif_lzw.c.
- CVE-2009-2285
-- Marc Deslauriers <email address hidden> Fri, 03 Jul 2009 15:19:54 -0400
-
tiff (3.7.4-1ubuntu3.3) dapper-security; urgency=low
* SECURITY UPDATE: arbitrary code execution via LZW overflow.
* Add debian/patches/CVE-2008-2327.patch: thanks to Jay Berkenbilt.
-- Kees Cook <email address hidden> Fri, 29 Aug 2008 11:59:21 -0700
-
tiff (3.7.4-1ubuntu3.2) dapper-security; urgency=low
* SECURITY UPDATE: Arbitrary code execution with crafted TIFF files, found
by Tavis Ormandy of the Google Security Team.
* Add debian/patches/CVE-2006-3459-3465.patch:
- CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
tif_dirread.c
- CVE-2006-3460: A heap overflow vulnerability was discovered in the
jpeg decoder
- CVE-2006-3461: A heap overflow exists in the PixarLog decoder
- CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
overflow
- CVE-2006-3463: An infinite loop was discovered in
EstimateStripByteCounts()
- CVE-2006-3464: Multiple unchecked arithmetic operations were
uncovered, including a number of the range checking operations
designed to ensure the offsets specified in tiff directories are
legitimate.
- A number of codepaths were uncovered where assertions did not hold
true, resulting in the client application calling abort()
- CVE-2006-3465: A flaw was also uncovered in libtiff's custom tag
support
-- Martin Pitt <email address hidden> Wed, 2 Aug 2006 13:27:14 +0200
-
tiff (3.7.4-1ubuntu3.1) dapper-security; urgency=low
* SECURITY UPDATE: Arbitrary command execution with crafted long file names.
* Add debian/patches/tiffsplit-fname-overflow.patch:
- tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
user-specified file name into a statically sized buffer.
- CVE-2006-2656
* Add debian/patches/tiff2pdf-octal-printf.patch:
- tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
signed char (it printed a signed integer, which overflowed the buffer and
was wrong anyway).
-- Martin Pitt <email address hidden> Fri, 2 Jun 2006 18:15:30 +0200
-
tiff (3.7.4-1ubuntu3) dapper; urgency=low
* debian/patches/fix_43286_crasher.patch:
- upstream change, fix a crasher (Ubuntu: #43286)
-- Sebastien Bacher <email address hidden> Sun, 7 May 2006 13:21:05 +0200
-
tiff (3.7.4-1ubuntu2) dapper; urgency=low
* SECURITY UPDATE: DoS and arbitrary code execution with crafted TIFF files.
* Add debian/patches/3.8.1-security-fixes.patch: Backported security
relevant fixes from stable 3.8.1 release:
- libtiff/tif_dirread.c: Fix error reporting in TIFFFetchAnyArray()
(%d in format string without corresponding integer argument).
[CVE-2006-2024]
- libtiff/{tif_pixarlog.c, tif_fax3.c, tif_zip.c}: Properly
restore setfield/getfield methods in cleanup functions to avoid crash on
invalid files. [CVE-2006-2024]
- libtiff/{tif_predict.c, tif_predict.h}: Added new function
TIFFPredictorCleanup() to restore parent decode/encode/field methods.
[CVE-2006-2024]
- libtiff/tif_dirread.c: Check for integer overflow in TIFFFetchData().
[CVE-2006-2025]
- libtiff/tif_jpeg.c: Properly restore setfield/getfield methods in
cleanup functions to avoid double free(). [CVE-2006-2026]
- libtiff/tif_color.c: Check for out-of-bounds values in TIFFXYZToRGB().
[CVE-2006-2120]
* See http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 for reproducer
images.
-- Martin Pitt <email address hidden> Wed, 3 May 2006 12:56:50 +0200
-
tiff (3.7.4-1ubuntu1) dapper; urgency=low
* Synchronize to Debian.
* Only change left: xlibmesa-gl-dev -> libgl1-mesa-dev build dependency
change.
-- Martin Pitt <email address hidden> Wed, 9 Nov 2005 18:21:15 -0500