tiff (4.1.0+git191117-2~deb10u9) buster-security; urgency=medium

  * Non-maintainer upload by the Debian LTS Team.
  * Fix CVE-2023-3576, CVE-2023-52356

 -- Abhijith PA  Fri, 01 Mar 2024 13:47:02 +0530

tiff (4.1.0+git191117-2~deb10u8) buster-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2023-2908: NULL pointer dereference in tif_dir.c
  * CVE-2023-3316: NULL pointer dereference in TIFFClose()
  * CVE-2023-3618: Buffer overflow in tiffcrop
  * CVE-2023-25433: Buffer overflow in tiffcrop
  * CVE-2023-26965: Use after free in tiffcrop
  * CVE-2023-26966: Buffer overflow in uv_encode()
  * CVE-2023-38288: Integer overflow in tiffcp
  * CVE-2023-38289: Integer overflow in raw2tiff

 -- Adrian Bunk  Mon, 31 Jul 2023 21:39:33 +0300

tiff (4.1.0+git191117-2~deb10u7) buster-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Several flaws were found in tiffcrop, a program distributed by tiff, a
    library and tools providing support for the Tag Image File Format (TIFF).
    A specially crafted tiff file can lead to an out-of-bounds write or read
    resulting in a denial of service.

 -- Markus Koschany  Tue, 21 Feb 2023 20:40:34 +0100

tiff (4.1.0+git191117-2~deb10u6) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * Add patch to correct simple copy paste error in tiffcrop.
    (Fixes: CVE-2022-48281) (Closes: #1029653)

 -- Utkarsh Gupta  Sat, 28 Jan 2023 14:22:59 +0530

tiff (4.1.0+git191117-2~deb10u5) buster-security; urgency=high

  * Non-maintainer upload by the LTS Security Team.
  * CVE-2022-1354: A heap buffer overflow flaw was found in Libtiffs'
    tiffinfo.c in TIFFReadRawDataStriped() function. This flaw allows an
    attacker to pass a crafted TIFF file to the tiffinfo tool, triggering a
    heap buffer overflow issue and causing a crash that leads to a denial of
    service.
  * CVE-2022-1355: A stack buffer overflow flaw was found in Libtiffs'
    tiffcp.c in main() function.
    This flaw allows an attacker to pass a crafted TIFF file to the tiffcp
    tool, triggering a stack buffer overflow issue, possibly corrupting the
    memory, and causing a crash that leads to a denial of service.
    (Closes: #1011160)
  * CVE-2022-2056, CVE-2022-2057, CVE-2022-2058: Divide By Zero error in
    tiffcrop allows attackers to cause a denial-of-service via a crafted tiff
    file. (Closes: #1014494)
  * CVE-2022-2867, CVE-2022-2868, CVE-2022-2869: libtiff's tiffcrop utility
    has underflow and input validation flaw that can lead to out of bounds
    read and write. An attacker who supplies a crafted file to tiffcrop
    (likely via tricking a user to run tiffcrop on it with certain
    parameters) could cause a crash or in some cases, further exploitation.
  * CVE-2022-3570, CVE-2022-3598: multiple heap buffer overflows in
    tiffcrop.c utility in libtiff allows attacker to trigger unsafe or out of
    bounds memory access via crafted TIFF image file which could result into
    application crash, potential information disclosure or any other
    context-dependent impact (Closes: #1022555)
  * CVE-2022-3597, CVE-2022-3626, CVE-2022-3627: out-of-bounds write,
    allowing attackers to cause a denial-of-service via a crafted tiff file.
    (Closes: #1022555)
  * CVE-2022-3599: out-of-bounds read in writeSingleSection in
    tools/tiffcrop.c, allowing attackers to cause a denial-of-service via a
    crafted tiff file. (Closes: #1022555)
  * CVE-2022-3970: affects the function TIFFReadRGBATileExt of the file
    libtiff/tif_getimage.c. The manipulation leads to integer overflow.
    (Closes: #1024737)
  * CVE-2022-34526: a stack overflow was discovered in the _TIFFVGetField
    function of Tiffsplit. This vulnerability allows attackers to cause a
    Denial of Service (DoS) via a crafted TIFF file parsed by the "tiffsplit"
    or "tiffcrop" utilities.

 -- Sylvain Beucler  Tue, 17 Jan 2023 20:27:50 +0100

tiff (4.1.0+git191117-2~deb10u4) buster-security; urgency=high

  [ Thorsten Alteholz ]
  * CVE-2022-22844
    out-of-bounds read in _TIFFmemcpy in certain situations involving a
    custom tag and 0x0200 as the second word of the DE field.
  * CVE-2022-0562
    Null source pointer passed as an argument to memcpy() function within
    TIFFReadDirectory(). This could result in a Denial of Service via
    crafted TIFF files.
  * CVE-2022-0561
    Null source pointer passed as an argument to memcpy() function within
    TIFFFetchStripThing(). This could result in a Denial of Service via
    crafted TIFF files.

  [ Laszlo Boszormenyi (GCS) ]
  * Backport security fix for CVE-2022-0865, crash when reading a file with
    multiple IFD in memory-mapped mode and when bit reversal is needed.
  * Backport security fix for CVE-2022-0908, null source pointer passed as an
    argument to memcpy() function within TIFFFetchNormalTag().
  * Backport security fix for CVE-2022-0907, unchecked return value to null
    pointer dereference in tiffcrop.
  * Backport security fix for CVE-2022-0909, divide by zero error in
    tiffcrop.
  * Backport security fix for CVE-2022-0891, heap buffer overflow in
    ExtractImageSection function in tiffcrop.
  * Backport security fix for CVE-2022-0924, heap buffer overflow in tiffcp.

 -- Laszlo Boszormenyi (GCS)  Sun, 13 Mar 2022 16:03:21 +0100

tiff (4.1.0+git191117-2~deb10u3) buster-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * TIFFTAG_PREDICTOR is not supported for WebP (CVE-2020-19143)

 -- Salvatore Bonaccorso  Sun, 31 Oct 2021 09:31:11 +0100

tiff (4.1.0+git191117-2~deb10u2) buster-security; urgency=medium

  * CVE-2020-35523 / CVE-2020-35524

 -- Moritz Mühlenhoff  Thu, 11 Mar 2021 19:01:39 +0100

tiff (4.1.0+git191117-2~deb10u1) buster-security; urgency=high

  * Security backport for Buster.
  * Relax Standards-Version to 4.3.0 .

 -- Laszlo Boszormenyi (GCS)  Sun, 12 Jan 2020 17:28:54 +0000

tiff (4.1.0+git191117-2) unstable; urgency=medium

  * Backport upstream fix for rowsperstrip parse regression in
    OJPEGReadHeaderInfo() (closes: #945402).

 -- Laszlo Boszormenyi (GCS)  Wed, 08 Jan 2020 15:47:02 +0000

tiff (4.1.0+git191117-1) unstable; urgency=medium

  * Git snapshot, fixing the following issues:
    - missing TIFFClose in rgb2ycbcr tool,
    - missing checks on TIFFGetField in tiffcrop tool,
    - broken sanity check in OJPEG,
    - missing generated .sh files for tests.

 -- Laszlo Boszormenyi (GCS)  Mon, 18 Nov 2019 18:02:46 +0000

tiff (4.1.0-1) unstable; urgency=medium

  * New upstream release.
  * Update Standards-Version to 4.4.1 .

 -- Laszlo Boszormenyi (GCS)  Tue, 05 Nov 2019 16:26:48 +0000

tiff (4.0.10+git191003-1) unstable; urgency=high

  * Git snapshot, fixing the following security issue:
    - TIFFReadAndRealloc(): avoid too large memory allocation attempts.

 -- Laszlo Boszormenyi (GCS)  Thu, 03 Oct 2019 22:00:39 +0000

tiff (4.0.10+git190903-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - setByteArray(): avoid potential signed integer overflow,
    - EstimateStripByteCounts(): avoid several unsigned integer overflows,
    - tif_ojpeg: avoid two unsigned integer overflows,
    - OJPEGWriteHeaderInfo(): avoid unsigned integer overflow on strile
      dimensions close to UINT32_MAX,
    - _TIFFPartialReadStripArray(): avoid unsigned integer overflow,
    - JPEG: avoid use of uninitialized memory on corrupted files,
    - TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t,
    - allocChoppedUpStripArrays(): avoid unsigned integer overflow,
    - tif_ojpeg: avoid use of uninitialized memory on edge/broken file,
    - ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer
      overflows.

 -- Laszlo Boszormenyi (GCS)  Tue, 17 Sep 2019 22:07:35 +0000

tiff (4.0.10+git190818-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - RGBA interface: fix integer overflow potentially causing write heap
      buffer overflow,
    - setByteArray(): avoid potential signed integer overflow.

 -- Laszlo Boszormenyi (GCS)  Sun, 18 Aug 2019 11:25:27 +0000

tiff (4.0.10+git190814-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - TryChopUpUncompressedBigTiff(): avoid potential division by zero,
    - fix vulnerability introduced by defer strile loading,
    - fix vulnerability in 'D' (DeferStrileLoad) mode,
    - return infinite distance when denominator is zero,
    - OJPEG: avoid use of uninitialized memory on corrupted files,
    - OJPEG: fix integer division by zero on corrupted subsampling factors,
    - OJPEGReadBufferFill(): avoid very long processing time on corrupted
      files,
    - TIFFClientOpen(): fix memory leak if one of the required callbacks is
      not provided,
    - CVE-2019-14973, fix integer overflow in _TIFFCheckMalloc() and other
      implementation-defined behaviour (closes: #934780).
  * Update libtiff5 symbols.
  * Update Standards-Version to 4.4.0 .

 -- Laszlo Boszormenyi (GCS)  Wed, 14 Aug 2019 19:24:22 +0000

tiff (4.0.10-4) unstable; urgency=high

  * Backport security fixes:
    - CVE-2018-12900: heap-based buffer overflow in
      cpSeparateBufToContigBuf() cause remote DoS (closes: #902718),
    - CVE-2018-17000: NULL pointer dereference in _TIFFmemcmp() cause DoS
      (closes: #908778),
    - CVE-2018-19210: NULL pointer dereference in TIFFWriteDirectorySec()
      cause DoS (closes: #913675),
    - CVE-2019-6128: TIFFFdOpen() memory leak (closes: #921157).
  * Update watch file.
  * Update Standards-Version to 4.3.0 .

 -- Laszlo Boszormenyi (GCS)  Sat, 02 Feb 2019 18:34:29 +0000

tiff (4.0.10-3) unstable; urgency=medium

  * Backport fix for lossless WebP compression config.

 -- Laszlo Boszormenyi (GCS)  Thu, 22 Nov 2018 17:01:04 +0000

tiff (4.0.10-2) unstable; urgency=medium

  * Add libegl1-mesa-dev as build dependency until mesa-common-dev is fixed.

 -- Laszlo Boszormenyi (GCS)  Tue, 20 Nov 2018 00:24:26 +0000

tiff (4.0.10-1) unstable; urgency=high

  * New upstream release.
  * Fix CVE-2018-18661: NULL pointer dereference in LZWDecode()
    (closes: #912012).
  * Move libtiff5-dev contents to libtiff-dev .
  * Mark libtiff-dev as Multi-Arch same (closes: #884978).
  * Mark libtiff-{tools,opengl} as Multi-Arch foreign (closes: #904165).
  * Mark libtiff-doc as Multi-Arch foreign (closes: #907794).
  * Fix TIFFReadRawStrip man page typo (closes: #672858).
  * Update Standards-Version to 4.2.1 .

 -- Laszlo Boszormenyi (GCS)  Mon, 19 Nov 2018 17:16:05 +0000

tiff (4.0.9+git181026-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - CVE-2018-17100, int32 overflow in multiply_ms() which can cause a DoS
      or possibly have unspecified other impact via a crafted image file
      (closes: #909038),
    - CVE-2018-17101, two out-of-bounds writes in cpTags() which can cause a
      DoS or possibly have unspecified other impact via a crafted image file
      (closes: #909037),
    - CVE-2018-18557, out-of-bounds write in JBIGDecode() (closes: #911635).
  * Remove previously backported security patches.
  * Build with Zstandard, a fast lossless compression algorithm.
  * Build with WebP, the modern VP8 compression format.
  * Update libtiff5 symbols.

 -- Laszlo Boszormenyi (GCS)  Sun, 28 Oct 2018 11:04:14 +0000

tiff (4.0.9-6) unstable; urgency=high

  * Fix CVE-2018-8905: heap-based buffer overflow in LZWDecodeCompat()
    (closes: #893806).
  * Fix CVE-2018-10963: remote denial of service (closes: #898348).

 -- Laszlo Boszormenyi (GCS)  Sun, 01 Jul 2018 19:46:23 +0000

tiff (4.0.9-5) unstable; urgency=high

  * Fix CVE-2017-11613: avoid memory exhaustion in
    ChopUpSingleUncompressedStrip() (closes: #869823).
  * Fix CVE-2018-7456: NULL pointer dereference in TIFFPrintDirectory()
    (closes: #891288).
  * Fix CVE-2017-17095: heap-based buffer overflow in pal2rgb tool
    (closes: #883320).
  * Don't specify parallel to debhelper.
  * Update Standards-Version to 4.1.4 .

 -- Laszlo Boszormenyi (GCS)  Sun, 15 Apr 2018 18:13:42 +0000

tiff (4.0.9-4) unstable; urgency=high

  * Fix CVE-2018-5784: uncontrolled resource consumption in
    TIFFSetDirectory() (closes: #890441).

 -- Laszlo Boszormenyi (GCS)  Wed, 14 Feb 2018 20:07:21 +0000

tiff (4.0.9-3) unstable; urgency=high

  * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory()
    (closes: #885985).

 -- Laszlo Boszormenyi (GCS)  Mon, 01 Jan 2018 16:26:47 +0000

tiff (4.0.9-2) unstable; urgency=high

  * Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf()
    function (closes: #866109).
  * Update debhelper level to 11 .
  * Update Standards-Version to 4.1.2 .

 -- Laszlo Boszormenyi (GCS)  Fri, 15 Dec 2017 17:45:42 +0000

tiff (4.0.9-1) unstable; urgency=medium

  * New upstream release.
  * Remove previously backported security patches.
  * Update libtiff5 symbols.
  * Make -dev recommend pkg-config (closes: #814417).
  * Update debhelper level to 10:
    - don't need to specify 'with autotools-dev' anymore,
    - remove autotools-dev build dependency,
    - remove dh-autoreconf build dependency.

  [ Helmut Grohne ]
  * Turn libtiff-dev into a real package (closes: #780807).

 -- Laszlo Boszormenyi (GCS)  Sat, 02 Dec 2017 09:24:59 +0000

tiff (4.0.8-6) unstable; urgency=high

  * Backport security fixes:
    - prevent OOM in gtTileContig() ,
    - prevent OOM in TIFFFetchStripThing() ,
    - CVE-2017-12944, OOM prevention in TIFFReadDirEntryArray()
      (closes: #872607),
    - avoid floating point division by zero in initCIELabConversion() .

 -- Laszlo Boszormenyi (GCS)  Sun, 29 Oct 2017 13:29:44 +0000

tiff (4.0.8-5) unstable; urgency=high

  * Backport security fixes:
    - CVE-2017-13726, reachable assertion abort in TIFFWriteDirectorySec()
      (closes: #873880),
    - CVE-2017-13727, reachable assertion abort in
      TIFFWriteDirectoryTagSubifd() (closes: #873879).

 -- Laszlo Boszormenyi (GCS)  Thu, 31 Aug 2017 21:09:59 +0000

tiff (4.0.8-4) unstable; urgency=high

  * Fix regression in the decoding of old-style LZW compressed files.
  * Fix CVE-2017-11335: heap based buffer write overflow in tiff2pdf
    (closes: #868513).

 -- Laszlo Boszormenyi (GCS)  Sun, 16 Jul 2017 11:07:56 +0000

tiff (4.0.8-3) unstable; urgency=high

  * Backport security fixes:
    - CVE-2017-9936, memory leak in error code path of JBIGDecode()
      (closes: #866113),
    - prevent out of memory in gtTileContig() on corrupted files,
    - CVE-2017-10688, assertion failure in
      TIFFWriteDirectoryTagCheckedXXXX() (closes: #866611).
  * Add required _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbol to
    the libtiff5 package.
  * Update Standards-Version to 4.0.0 .

 -- Laszlo Boszormenyi (GCS)  Sat, 01 Jul 2017 18:13:15 +0000

tiff (4.0.8-2) unstable; urgency=high

  * Backport security fixes:
    - TIFFYCbCrToRGBInit(): stricter clamping to avoid int32 overflow in
      TIFFYCbCrtoRGB(),
    - initYCbCrConversion(): stricter validation for refBlackWhite
      coefficients values - to avoid invalid float->int32 conversion,
    - CVE-2016-10095 and CVE-2017-9147: add _TIFFCheckFieldIsValidForCodec()
      and use it in TIFFReadDirectory() (closes: #850316, #863185).
  * Add required _TIFFCheckFieldIsValidForCodec@LIBTIFF_4.0 symbol to the
    libtiff5 package.

 -- Laszlo Boszormenyi (GCS)  Thu, 01 Jun 2017 17:56:08 +0000

tiff (4.0.8-1) unstable; urgency=high

  * New upstream release of merged security fixes.
  * Add required TIFFReadRGBAStripExt@LIBTIFF_4.0 and
    TIFFReadRGBATileExt@LIBTIFF_4.0 symbols to the libtiff5 package.

 -- Laszlo Boszormenyi (GCS)  Wed, 24 May 2017 19:49:04 +0000

tiff (4.0.7-7) unstable; urgency=high

  * Backport security fix for CVE-2016-10371 (closes: #862929).
  * Backport security fix for CVE-2015-7554 (closes: #809066, #842043).

 -- Laszlo Boszormenyi (GCS)  Sat, 20 May 2017 16:35:43 +0000

tiff (4.0.7-6) unstable; urgency=high

  * Backport security fixes:
    - CVE-2017-7595, divide-by-zero in JPEGSetupEncode (closes: #860003),
    - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599,
      CVE-2017-7600, CVE-2017-7601 and CVE-2017-7602, multiple UBSAN crashes,
    - CVE-2017-7592, left-shift undefined behavior issue in putagreytile
      (closes: #859998),
    - CVE-2017-7593, uninitialized-memory access from tif_rawdata
      (closes: #860000),
    - CVE-2017-7594, leak in OJPEGReadHeaderInfoSecTablesAcTable
      (closes: #860001).
  * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.

 -- Laszlo Boszormenyi (GCS)  Fri, 14 Apr 2017 07:21:47 +0000

tiff (4.0.7-5) unstable; urgency=high

  * Fix CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value
    (closes: #851297).

 -- Laszlo Boszormenyi (GCS)  Sun, 15 Jan 2017 16:49:05 +0000

tiff (4.0.7-4) unstable; urgency=high

  * Fix CVE-2016-10094: heap-based overflow in
    t2p_readwrite_pdf_image_tile().

 -- Laszlo Boszormenyi (GCS)  Sun, 01 Jan 2017 19:03:49 +0000

tiff (4.0.7-3) unstable; urgency=medium

  * Backport upstream fix of TIFFFaxTabEnt structure.

 -- Laszlo Boszormenyi (GCS)  Tue, 13 Dec 2016 19:02:25 +0000

tiff (4.0.7-2) unstable; urgency=high

  * Backport security fixes:
    - fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer
      division by zero,
    - avoid uint32 underflow in cpDecodedStrips that can cause various
      issues, such as buffer overflows in the library,
    - fix heap-based buffer overflow on generation of PixarLog / LUV
      compressed files, with ColorMap, TransferFunction attached and nasty
      plays with bitspersample,
    - fix ChopUpSingleUncompressedStrip() in reading outside of the
      StripByCounts/StripOffsets arrays when using TIFFReadScanline()
      (closes: #846837),
    - make OJPEGDecode() early exit in case of failure in OJPEGPreDecode() to
      avoid a divide by zero, and potential other issues,
    - fix readContigStripsIntoBuffer() in -i (ignore) mode so that the output
      buffer is correctly incremented to avoid write outside bounds,
    - add 3 extra bytes at end of strip buffer in
      readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
      buffer,
    - fix integer division by zero when BitsPerSample is missing
      (closes: #846838),
    - fix null pointer dereference in -r mode when the image has no
      StripByteCount tag,
    - avoid potential division by zero if BitsPerSamples tag is missing,
    - limit the return number of inks to SamplesPerPixel in
      TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) , so that code that parses ink
      names doesn't go past the end of the buffer,
    - avoid another potential division by zero if BitsPerSamples tag is
      missing,
    - fix uint32 underflow/overflow that can cause heap-based buffer
      overflow,
    - replace assert( (bps % 8) == 0 ) by a non assert check.
  * Remove thumbnail and rgb2ycbcr documentations, these tools no longer
    present.

 -- Laszlo Boszormenyi (GCS)  Sun, 04 Dec 2016 12:24:44 +0000

tiff (4.0.7-1) unstable; urgency=high

  * New upstream release.
  * Fixes the following vulnerabilities:
    - CVE-2015-7313, OOM when parsing crafted tiff files (closes: #800124),
    - CVE-2016-3622, denial of service (divide-by-zero error) via the fpAcc
      function in tif_predict.c (closes: #820365),
    - CVE-2016-3945, multiple integer overflows in the tiff2rgba tool,
    - CVE-2016-3990, write buffer overflow in PixarLogEncode,
    - CVE-2016-3991 and CVE-2016-5322, heap-based buffer overflow in the
      loadImage function,
    - CVE-2016-9273, heap-buffer-overflow in cpStrips (closes: #844013),
    - CVE-2016-9297, segfault in _TIFFPrintField() (closes: #844226),
    - CVE-2016-9448, in TIFFFetchNormalTag(), do not dereference NULL pointer
      (regression of CVE-2016-9297),
    - heap buffer overflow via writeBufferToSeparateStrips() in tiffcrop.
  * Remove backported vulnerability fixes, this release contains those.
  * Update libtiff5 symbols.

 -- Laszlo Boszormenyi (GCS)  Sat, 19 Nov 2016 18:05:24 +0000

tiff (4.0.6-3) unstable; urgency=high

  * Fix architecture independent only build (closes: #806118).
  * Fix CVE-2015-8668 , CVE-2016-3619 , CVE-2016-3620 (closes: #820363),
    CVE-2016-3621 (closes: #820364) and CVE-2016-5319 with removing bmp2tiff
    (closes: #820364).
  * Fix CVE-2016-3186 and CVE-2016-5102 with removing gif2tiff.
  * Fix CVE-2016-3631 (closes: #820366), CVE-2016-3632 , CVE-2016-3633 ,
    CVE-2016-3634 and CVE-2016-8331 with removing thumbnail.
  * Backport upstream fix for CVE-2016-3623 and CVE-2016-3624 .
  * Backport upstream fix for CVE-2016-5652 (closes: #842361).
  * Backport upstream fix for CVE-2016-3658 .
  * Removed vulnerable, unsupported tools (closes: #827484, #842046).
  * Comment out Vcs fields for now.

 -- Laszlo Boszormenyi (GCS)  Mon, 31 Oct 2016 15:56:56 +0000

tiff (4.0.6-2) unstable; urgency=high

  * Backport fix for the following vulnerabilities:
    - CVE-2016-5314, PixarLogDecode() heap-based buffer overflow
      (closes: #830700),
    - CVE-2016-5316, PixarLogCleanup() Segmentation fault,
    - CVE-2016-5320, rgb2ycbcr: command execution,
    - CVE-2016-5875, heap-based buffer overflow when using the PixarLog
      compression format,
    - CVE-2016-6223, information leak in libtiff/tif_read.c ,
    - CVE-2016-5321, DumpModeDecode(): Ddos,
    - CVE-2016-5323, tiffcrop _TIFFFax3fillruns(): NULL pointer dereference.
  * Be primary maintainer and keep Ondřej as uploader.
  * Update Standards-Version to 3.9.8 .

 -- Laszlo Boszormenyi (GCS)  Sat, 16 Jul 2016 11:45:21 +0000

tiff (4.0.6-1) unstable; urgency=high

  * New upstream release.
  * Backport upstream fixes for:
    - CVE-2015-8665 an out-of-bound read in TIFFRGBAImage interface,
    - CVE-2015-8683 an out-of-bounds read in CIE Lab image format.
  * Backport fix for potential out-of-bound writes in decode.
  * Backport fix for potential out-of-bound write in NeXTDecode().

 -- Laszlo Boszormenyi (GCS)  Thu, 31 Dec 2015 16:22:24 +0100

tiff (4.0.5-1) unstable; urgency=medium

  * Update László Böszörményi to Laszlo Boszormenyi (GCS)
  * Add Vcs URLs to debian/control
  * Imported Upstream version 4.0.5
  * Remove all patches - they have been merged upstream
  * Convert the package to pure debhelper and remove some legacy stuff

 -- Ondřej Surý  Tue, 01 Sep 2015 13:10:55 +0200

tiff (4.0.3-13) unstable; urgency=medium

  * Thanks Jay for maintaining tiff for so long
  * Add me as a new maintainer, and add László Böszörményi to Uploaders
  * Cleanup debian a bit:
    - Run wrap-and-sortize -a)
    - Update d/copyright to Copyright Format 1.0
    - Remove files related to libtiff4->libtiff5 transition
  * Add C++ symbols file for libtiffxx5

 -- Ondřej Surý  Tue, 05 May 2015 08:37:59 +0200

tiff (4.0.3-12.3) unstable; urgency=medium

  * Add another (final) patch for CVE-2014-8128 (Bug #2499).
    Thanks to Petr Gajdos

 -- Moritz Muehlenhoff  Mon, 23 Mar 2015 18:26:40 +0100

tiff (4.0.3-12.2) unstable; urgency=medium

  * Add another patch for CVE-2014-8128 (Bug #2501)

 -- Moritz Muehlenhoff  Fri, 13 Mar 2015 23:54:02 +0100

tiff (4.0.3-12.1) unstable; urgency=medium

  * NMU as discussed with Ondrej, the future adopter of tiff
  * Fix multiple security issues, exact details will be recorded in the
    Debian security tracker

 -- Moritz Muehlenhoff  Sat, 21 Feb 2015 13:06:08 +0100

tiff (4.0.3-12) unstable; urgency=high

  * Fix integer overflow in bmp2tiff. CVE-2014-9330. (Closes: #773987)

 -- Jay Berkenbilt  Tue, 30 Dec 2014 11:32:04 -0500

tiff (4.0.3-11) unstable; urgency=medium

  * Don't crash on JPEG => non-JPEG conversion (Closes: #741451)
  * Thanks Tomasz Buchert for preparing the fix!

 -- Jay Berkenbilt  Tue, 23 Dec 2014 15:51:40 -0500

tiff (4.0.3-10) unstable; urgency=medium

  * Remove libtiff4-dev, completing the tiff transition. Packages that still
    declare build dependencies on libtiff4-dev must now build depend on
    libtiff-dev instead, or if a versioned dependency is required,
    libtiff5-dev with a specific version.

 -- Jay Berkenbilt  Sun, 29 Jun 2014 17:32:18 -0400

tiff (4.0.3-9) unstable; urgency=medium

  * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat.
    (Closes: #742917)

 -- Jay Berkenbilt  Sat, 21 Jun 2014 18:12:40 -0400

tiff (4.0.3-8) unstable; urgency=medium

  * Remove libtiff5-alt-dev transitional package now that no one is
    build-depending on it anymore.

 -- Jay Berkenbilt  Sat, 01 Mar 2014 09:36:51 -0500

tiff (4.0.3-7) unstable; urgency=medium

  * Use dh-autoreconf to support new architectures in Ubuntu.

 -- Jay Berkenbilt  Mon, 23 Dec 2013 09:58:47 -0500

tiff (4.0.3-6) unstable; urgency=low

  * Update standards to 3.9.5. No changes required.
  * libtiff4 -> libtiff5 transition. libtiff5-dev now provides libtiff-dev.
    libtiff5-alt-dev and libtiff4-dev are transitional packages that depend
    on libtiff5-dev. They will both be removed before jessie.

 -- Jay Berkenbilt  Wed, 04 Dec 2013 14:36:36 -0500

tiff (4.0.3-5) unstable; urgency=low

  * Replace shlibs file with symbols file
  * Update standards to 3.9.4

 -- Jay Berkenbilt  Sun, 15 Sep 2013 08:31:41 -0400

tiff (4.0.3-4) unstable; urgency=low

  * Complete Multi-Arch conversion for dev packages. (Closes: #689085)

 -- Jay Berkenbilt  Sat, 24 Aug 2013 11:50:20 -0400

tiff (4.0.3-3) unstable; urgency=high

  * Incorporated fixes to security issues CVE-2013-4244.

 -- Jay Berkenbilt  Sat, 24 Aug 2013 11:20:00 -0400

tiff (4.0.3-2) unstable; urgency=high

  * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
    (Closes: #719303)

 -- Jay Berkenbilt  Thu, 22 Aug 2013 11:52:58 -0400

tiff (4.0.3-1) unstable; urgency=low

  * Acknowledge/incorporate NMU. Thanks!
  * New upstream version. Patches incorporated: CVE-2012-3401.patch
    CVE-2012-4447.patch
  * Add build dependency on autotools-dev to help porters.

 -- Jay Berkenbilt  Sun, 23 Jun 2013 10:39:04 -0400

tiff (4.0.2-6+nmu1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cve-2013-1960: heap-based buffer overflow in tiff2pdf
    (closes: #706675).
  * Fix cve-2013-1961: stack-based buffer overflow in tiff2pdf
    (closes: #706674).

 -- Michael Gilbert  Mon, 17 Jun 2013 01:27:17 +0000

tiff (4.0.2-6) unstable; urgency=high

  * Fix /usr/share/doc symlink to directory transition. When upgrading from
    very old versions (pre 3.8.2-8), /usr/share/doc may contain symbolic
    links that should be removed. (Closes: #687645)

 -- Jay Berkenbilt  Sat, 26 Jan 2013 12:28:19 -0500

tiff (4.0.2-5) unstable; urgency=high

  * Add fix for CVE-2012-4564, a heap-buffer overflow. Thanks Adrian La Duca
    for doing all the work to prepare this upload. (Closes: #692345)

 -- Jay Berkenbilt  Sat, 17 Nov 2012 12:40:25 -0500

tiff (4.0.2-4) unstable; urgency=high

  * Previous change was uploaded with the wrong CVE number. I updated the
    last changelog entry. The correct CVE number is CVE-2012-4447.

 -- Jay Berkenbilt  Fri, 05 Oct 2012 17:33:44 -0400

tiff (4.0.2-3) unstable; urgency=high

  * Add fix for CVE-2012-4447, a buffer overrun. (Closes: #688944)

 -- Jay Berkenbilt  Fri, 05 Oct 2012 17:04:38 -0400

tiff (4.0.2-2) unstable; urgency=high

  * SECURITY UPDATE: possible arbitrary code execution via heap overflow in
    tiff2pdf. (Closes: #682115)
    - debian/patches/CVE-2012-3401.patch: properly set t2p->t2p_error in
      tools/tiff2pdf.c.
    - CVE-2012-3401
    Changes prepared by Marc Deslauriers for Ubuntu. Thanks!

 -- Jay Berkenbilt  Sat, 21 Jul 2012 21:27:34 -0400

tiff (4.0.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt  Sun, 24 Jun 2012 13:45:42 -0400

tiff (4.0.1-8) unstable; urgency=low

  * Call glFlush() in tiffgt to fix display problems. From
    https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/797166.

 -- Jay Berkenbilt  Sat, 16 Jun 2012 21:20:04 -0400

tiff (4.0.1-7) unstable; urgency=low

  * Add new temporary package libtiff5-alt-dev, which provides libtiff5
    development files in a location that doesn't conflict with libtiff4-dev.
    See README.Debian for details.

 -- Jay Berkenbilt  Thu, 24 May 2012 15:24:36 -0400

tiff (4.0.1-6) unstable; urgency=low

  * Include pkg-config files

 -- Jay Berkenbilt  Sun, 13 May 2012 12:53:38 -0400

tiff (4.0.1-5) unstable; urgency=low

  * Fix shlibs again.

 -- Jay Berkenbilt  Sun, 22 Apr 2012 11:41:44 -0400

tiff (4.0.1-4) unstable; urgency=low

  * Use >= instead of > in shlibs file.

 -- Jay Berkenbilt  Sun, 22 Apr 2012 10:57:02 -0400

tiff (4.0.1-3) unstable; urgency=low

  * Support JBIG now that patents have expired. (Closes: #667835)
  * Support LZMA.

 -- Jay Berkenbilt  Sat, 14 Apr 2012 19:03:04 -0400

tiff (4.0.1-2) unstable; urgency=high

  * Incorporated fix to CVE-2012-1173, a problem in the parsing of the
    TileSize entry, which could result in the execution of arbitrary code if
    a malformed image is opened.
  * Updated standards to 3.9.3

 -- Jay Berkenbilt  Fri, 06 Apr 2012 10:10:48 -0400

tiff (4.0.1-1) unstable; urgency=low

  * New upstream release
  * Point watch file to new download location

 -- Jay Berkenbilt  Mon, 20 Feb 2012 09:43:54 -0500

tiff (4.0.0-2) experimental; urgency=low

  * Rename libtiff-dev -> libtiff5-dev to avoid premature transition for
    packages that explicitly depend on libtiff-dev. At some future time,
    libtiff5-dev will provide or be renamed back to libtiff-dev.

 -- Jay Berkenbilt  Sat, 04 Feb 2012 09:41:19 -0500

tiff (4.0.0-1) experimental; urgency=low

  * New upstream release
  * Enable versioned symbols

 -- Jay Berkenbilt  Sat, 28 Jan 2012 10:56:23 -0500

tiff (4.0.0~beta7-2) experimental; urgency=low

  * Incorporated changes from 3.9.5-2: security hardening and multiarch

 -- Jay Berkenbilt  Sat, 17 Sep 2011 10:28:53 -0400

tiff (4.0.0~beta7-1) experimental; urgency=low

  * New upstream release including many security fixes and other improvements
  * Updated changelog with changes from 3.x series.
  * Updated standards version to 3.9.2. No changes required.

 -- Jay Berkenbilt  Sat, 16 Apr 2011 13:45:33 -0400

tiff (4.0.0~beta6-3) experimental; urgency=low

  * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
    putcontig8bitYCbCr11tile", from 3.9.4-4.

 -- Jay Berkenbilt  Sat, 02 Oct 2010 13:31:41 -0400

tiff (4.0.0~beta6-2) experimental; urgency=low

  * Incorporate changes from 3.9.4-{2,3} including updating standards version
    to 3.9.1 along with associated fixes. (CVE-2010-2233 was already fixed in
    this version.)

 -- Jay Berkenbilt  Sat, 14 Aug 2010 16:36:44 -0400

tiff (4.0.0~beta6-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt  Fri, 18 Jun 2010 21:42:57 -0400

tiff (4.0.0~beta5-2) experimental; urgency=low

  * Depend on libjpeg-dev instead of libjpeg62-dev.
  * Change source format to '3.0 (quilt)'
  * Update standards version to 3.8.4. No changes required.

 -- Jay Berkenbilt  Wed, 10 Feb 2010 19:36:43 -0500

tiff (4.0.0~beta5-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt  Fri, 06 Nov 2009 22:58:07 -0500

tiff (4.0.0~beta4-1) experimental; urgency=low

  * New upstream release. All debian patches incorporated among many other
    fixes and enhancements.

 -- Jay Berkenbilt  Fri, 28 Aug 2009 11:30:09 -0400

tiff (4.0.0~beta3-2) experimental; urgency=low

  * Fixed previously incorrect patch to lzw problem.

 -- Jay Berkenbilt  Mon, 24 Aug 2009 14:45:10 -0400

tiff (4.0.0~beta3-1) experimental; urgency=low

  * New upstream release. This version is not binary compatible with the 3.x
    series, nor is it entirely source compatible, but most applications
    should port easily.

 -- Jay Berkenbilt  Fri, 21 Aug 2009 13:39:37 -0400

tiff (3.9.5-2) unstable; urgency=low

  * Implemented multiarch and PIE build for security hardening by integrating
    the changes from the Ubuntu tiff packages. Thanks to Marc Deslauriers and
    anyone else who did the actual work.

 -- Jay Berkenbilt  Sat, 17 Sep 2011 10:15:39 -0400

tiff (3.9.5-1) unstable; urgency=low

  * New upstream release. All security patches are fully incorporated into
    this version, as are many other bug fixes.
  * Updated standards version to 3.9.2. No changes needed.

 -- Jay Berkenbilt  Sat, 16 Apr 2011 13:15:51 -0400

tiff (3.9.4-9) unstable; urgency=high

  * CVE-2011-1167: correct potential buffer overflow with thunder encoded
    files with wrong bitspersample set. (Closes: #619614)

 -- Jay Berkenbilt  Sat, 02 Apr 2011 10:59:38 -0400

tiff (3.9.4-8) unstable; urgency=low

  * Enable PIE (position independent executable) build for security
    hardening. Patch from Ubuntu. (Closes: #613759)

 -- Jay Berkenbilt  Sat, 19 Mar 2011 10:22:32 -0400

tiff (3.9.4-7) unstable; urgency=high

  * Incorporate revised fix to CVE-2011-0192.

 -- Jay Berkenbilt  Sun, 13 Mar 2011 14:33:38 -0400

tiff (3.9.4-6) unstable; urgency=high

  * Incorporated fix to CVE-2011-0192, "Buffer overflow in Fax4Decode".

 -- Jay Berkenbilt  Sat, 26 Feb 2011 18:44:23 -0500

tiff (3.9.4-5) unstable; urgency=high

  * Incorporated fix to CVE-2010-3087, a potential denial of service
    exploitable with a specially crafted TIFF file. (Closes: #600188)

 -- Jay Berkenbilt  Sun, 17 Oct 2010 16:44:08 -0400

tiff (3.9.4-4) unstable; urgency=high

  * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
    putcontig8bitYCbCr11tile". (Closes: #595064)

 -- Jay Berkenbilt  Sat, 02 Oct 2010 13:17:12 -0400

tiff (3.9.4-3) unstable; urgency=low

  * Updated control file to remove obsolete Conflicts/Replaces for ancient
    packages.
  * Empty dependency_libs in all .la files as part of the .la file. This also
    resolves the problem of having hard-coded paths in the .la file.
    (Closes: #509016)
  * Updated standards version to 3.9.1.

 -- Jay Berkenbilt  Sat, 14 Aug 2010 16:28:49 -0400

tiff (3.9.4-2) unstable; urgency=high

  * Incorporated patch to fix CVE-2010-2233, which fixes a specific failure
    of tif_getimage on 64-bit platforms.

 -- Jay Berkenbilt  Fri, 13 Aug 2010 20:16:29 -0400

tiff (3.9.4-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt  Fri, 18 Jun 2010 21:28:11 -0400

tiff (3.9.2-3) unstable; urgency=low

  * Depend on libjpeg-dev instead of libjpeg62-dev. (Closes: #569242)
  * Change source format to '3.0 (quilt)'
  * Update standards version to 3.8.4. No changes required.

 -- Jay Berkenbilt  Wed, 10 Feb 2010 19:20:20 -0500

tiff (3.9.2-2) unstable; urgency=low

  * Include patch from upstream to fix problems with TIFFReadScanline() and
    ycbcr-encoded JPEG images. (Closes: #510792)
  * Fix some manual page spelling errors found by lintian.

 -- Jay Berkenbilt  Sun, 10 Jan 2010 10:56:32 -0500

tiff (3.9.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt  Fri, 06 Nov 2009 22:52:06 -0500

tiff (3.9.1-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt  Fri, 28 Aug 2009 15:44:23 -0400

tiff (3.9.0-2) unstable; urgency=low

  * Fix critical bug that could cause corrupt files to be written in some
    cases.
    (Closes: #543079)

 -- Jay Berkenbilt Fri, 28 Aug 2009 13:38:03 -0400

tiff (3.9.0-1) unstable; urgency=low

  * New upstream release. All previous security patches have been integrated.

 -- Jay Berkenbilt Fri, 21 Aug 2009 11:40:49 -0400

tiff (3.9.0beta+deb1-1) experimental; urgency=low

  * New upstream release (binary compatible with 3.8.2) -- release based on 3.9 branch from upstream CVS; see README.Debian for details. (Closes: #537118)
  * Updated standards to 3.8.3; no changes required.
  * Stopped using tarball in tarball packaging. (Closes: #538565)

 -- Jay Berkenbilt Wed, 19 Aug 2009 20:33:10 -0400

tiff (3.8.2-13) unstable; urgency=high

  * Apply patches to fix CVE-2009-2347, which covers two integer overflow conditions.
  * LZW patch from last update addressed CVE-2009-2285. Renamed the patch to make this clearer.

 -- Jay Berkenbilt Sun, 12 Jul 2009 18:03:33 -0400

tiff (3.8.2-12) unstable; urgency=low

  * Apply patch to fix crash in lzw decoder that can be caused by certain invalid image files. (Closes: #534137)
  * No longer ignore errors in preinst
  * Fixed new lintian warnings; updated standards version to 3.8.2.

 -- Jay Berkenbilt Sun, 28 Jun 2009 13:17:44 -0400

tiff (3.8.2-11) unstable; urgency=high

  * Apply security patches (CVE-2008-2327)
  * Convert patch system to quilt
  * Create README.source
  * Set standards version to 3.8.0

 -- Jay Berkenbilt Sun, 17 Aug 2008 13:16:37 -0400

tiff (3.8.2-10+lenny1) testing-security; urgency=high

  * Apply patches from Drew Yao of Apple Product Security to fix CVE-2008-2327, a potential buffer underflow in the LZW decoder (tif_lzw.c).

 -- Jay Berkenbilt Sun, 17 Aug 2008 11:56:01 -0400

tiff (3.8.2-10) unstable; urgency=low

  * Fix segmentation fault on subsequent parts of a file with an invalid directory tag. (Closes: #475489)

 -- Jay Berkenbilt Mon, 09 Jun 2008 11:02:53 -0400

tiff (3.8.2-9) unstable; urgency=low

  * Backported tiff2pdf from 4.0.0 beta 2.
    This fixes many tiff2pdf bugs, though unfortunately none of the ones opened in the debian bug database!
  * Added upstream homepage to debian control file.

 -- Jay Berkenbilt Sat, 07 Jun 2008 22:52:27 -0400

tiff (3.8.2-8) unstable; urgency=low

  * Accepted tmpfile patch tiff2pdf to fix bug that has been fixed upstream since upstream release appears stalled. Thanks Jesse Long. (Closes: #419773)
  * Update standards version to 3.7.3; no changes required.
  * ${Source-Version} -> ${binary:Version} in control
  * Split documentation into separate libtiff-doc package. (Closes: #472189)

 -- Jay Berkenbilt Sat, 22 Mar 2008 12:30:38 -0400

tiff (3.8.2-7+etch1) stable-security; urgency=high

  * Apply patches from Drew Yao of Apple Product Security to fix CVE-2008-2327, a potential buffer underflow in the LZW decoder (tif_lzw.c).

 -- Jay Berkenbilt Sun, 17 Aug 2008 11:56:01 -0400

tiff (3.8.2-7) unstable; urgency=high

  * Replace empty directories in /usr/share/doc with links during package upgrade. (Closes: #404631)

 -- Jay Berkenbilt Tue, 2 Jan 2007 15:50:50 -0500

tiff (3.8.2-6) unstable; urgency=high

  * Add watch file
  * Tavis Ormandy of the Google Security Team discovered several problems in the TIFF library. The Common Vulnerabilities and Exposures project identifies the following issues:
    - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in tif_dirread.c
    - CVE-2006-3460: A heap overflow vulnerability was discovered in the jpeg decoder
    - CVE-2006-3461: A heap overflow exists in the PixarLog decoder
    - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap overflow
    - CVE-2006-3463: An infinite loop was discovered in EstimateStripByteCounts()
    - CVE-2006-3464: Multiple unchecked arithmetic operations were uncovered, including a number of the range checking operations designed to ensure the offsets specified in tiff directories are legitimate.
    - A number of codepaths were uncovered where assertions did not hold true, resulting in the client application calling abort()
    - CVE-2006-3465: A flaw was also uncovered in libtiff's custom tag support

 -- Jay Berkenbilt Mon, 31 Jul 2006 18:14:59 -0400

tiff (3.8.2-5) unstable; urgency=low

  * Fix logic error that caused -q flag to be ignored when doing jpeg compression with tiff2pdf. (Closes: #373102)

 -- Jay Berkenbilt Mon, 19 Jun 2006 18:55:38 -0400

tiff (3.8.2-4) unstable; urgency=high

  * SECURITY UPDATE: Arbitrary command execution with crafted TIF files. Thanks to Martin Pitt. (Closes: #371064)
  * Add debian/patches/tiff2pdf-octal-printf.patch:
    - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal signed char (it printed a signed integer, which overflowed the buffer and was wrong anyway).
    - CVE-2006-2193

 -- Jay Berkenbilt Wed, 7 Jun 2006 17:52:12 -0400

tiff (3.8.2-3) unstable; urgency=high

  * SECURITY UPDATE: Arbitrary command execution with crafted long file names. Thanks to Martin Pitt for forwarding this. Add debian/patches/tiffsplit-fname-overflow.patch:
    - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the user-specified file name into a statically sized buffer. CVE-2006-2656. (Closes: #369819)
  * Update standards version to 3.7.2. No changes required.
  * Moved doc-base information to libtiff4 instead of libtiff4-dev.

 -- Jay Berkenbilt Thu, 1 Jun 2006 21:24:21 -0400

tiff (3.8.2-2) unstable; urgency=low

  * Fix build dependencies to get OpenGL utility libraries after new Xorg packaging. (Closes: #365722)
  * Updated standards version to 3.7.0; no changes required to package.

 -- Jay Berkenbilt Tue, 2 May 2006 10:10:45 -0400

tiff (3.8.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Tue, 28 Mar 2006 21:42:33 -0500

tiff (3.8.0-3) unstable; urgency=low

  * Switched build dependency from xlibmesa-gl-dev to libgl1-mesa-dev (incorporating Ubuntu patch)
  * Incorporated patch from upstream to fix handling of RGBA tiffs in tiff2pdf.
    (Closes: #352849)

 -- Jay Berkenbilt Sun, 26 Feb 2006 13:21:17 -0500

tiff (3.8.0-2) unstable; urgency=low

  * Applied fixes from upstream to address a memory access violation [CVE-2006-0405]. (Closes: #350715, #351223)

 -- Jay Berkenbilt Fri, 3 Feb 2006 21:48:39 -0500

tiff (3.8.0-1) unstable; urgency=low

  * New upstream release. (Closes: #349921)
  * NOTE: The debian version of 3.8.0 includes a patch to correct a binary incompatibility in the original 3.8.0 release. This libtiff package is binary compatible with 3.7.4 and will be binary compatible with the upcoming 3.8.1 release.

 -- Jay Berkenbilt Fri, 27 Jan 2006 21:38:58 -0500

tiff (3.7.4-1) unstable; urgency=low

  * New upstream release
  * Fix typos in manual page (Closes: #327921, #327922, #327923, #327924)

 -- Jay Berkenbilt Fri, 7 Oct 2005 10:25:49 -0400

tiff (3.7.3-1) unstable; urgency=low

  * New upstream release
  * g++ 4.0 transition: libtiffxx0 is now libtiffxx0c2.

 -- Jay Berkenbilt Sat, 9 Jul 2005 12:00:44 -0400

tiff (3.7.2-3) unstable; urgency=high

  * Fix for exploitable segmentation fault on files with bad BitsPerSample values. (Closes: #309739) [libtiff/tif_dirread.c, CAN-2005-1544] Thanks to Martin Pitt for the report.

 -- Jay Berkenbilt Thu, 19 May 2005 05:41:28 -0400

tiff (3.7.2-2) unstable; urgency=high

  * Fix zero pagesize bug with tiff2ps -a2 and tiff2ps -a3. Thanks to Patrice Fournier for the patch. (Closes: #303583)
  * Note: uploading with urgency=high since this very small fix impacts tools only (not the library), and we don't want to block tiff's many reverse dependencies from transitioning to sarge.

 -- Jay Berkenbilt Sun, 10 Apr 2005 10:12:37 -0400

tiff (3.7.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt Sat, 19 Mar 2005 14:51:06 -0500

tiff (3.7.1-4) unstable; urgency=low

  * Fix from upstream: include a better workaround for tiff files with invalid strip byte counts.
    (Closes: #183268)

 -- Jay Berkenbilt Tue, 22 Feb 2005 19:20:14 -0500

tiff (3.7.1-3) unstable; urgency=low

  * Disable C++ new experimental interfaces for now; will reappear in a future version in the separate libtiffxx0 package.

 -- Jay Berkenbilt Sat, 29 Jan 2005 13:32:37 -0500

tiff (3.7.1+pre3.7.2-1) experimental; urgency=low

  * New upstream release
  * Separate experimental C++ interface into separate libtiffxx library.

 -- Jay Berkenbilt Sat, 29 Jan 2005 13:03:19 -0500

tiff (3.7.1-2) unstable; urgency=low

  * Make -dev package depend upon other -dev packages referenced in the .la file created by libtool. (Closes: #291136)
  * tiff2ps: Allow one of -w and -h without the other. (Closes: #244247)

 -- Jay Berkenbilt Wed, 19 Jan 2005 10:45:00 -0500

tiff (3.7.1-1) unstable; urgency=low

  * New upstream release
  * Correct error in doc-base file (Closes: #285652)

 -- Jay Berkenbilt Wed, 5 Jan 2005 16:54:12 -0500

tiff (3.7.0-2) experimental; urgency=low

  * Replace hard-coded libc6-dev dependency with something friendlier to porters (libc6-dev | libc-dev). (Closes: #179727)
  * Fixed upstream: proper netbsdelf*-gnu support in configure. Actually fixed in 3.7.0-1 but left out of changelog. (Closes: #179728)
  * Include opengl support; adds new libtiff-opengl package. (Closes: #219456)
  * Fixed upstream: fax2ps now allows access to first page. (Closes: #244251)

 -- Jay Berkenbilt Sat, 11 Dec 2004 09:51:52 -0500

tiff (3.7.0-1) experimental; urgency=low

  * New upstream release (Closes: #276996)
  * New maintainer (Thanks Joy!)
  * Repackage using cdbs and simple-patchsys to fix some errors and simplify patch management
  * Fixed upstream: tiff2pdf ignores -z and -j (Closes: #280682)
  * Fixed upstream: Memory leak in TIFFClientOpen (Closes: #256657)

 -- Jay Berkenbilt Fri, 26 Nov 2004 13:50:13 -0500

tiff (3.6.1-5) unstable; urgency=high

  * New maintainer (thanks Joy!)
  * Applied patch by Dmitry V.
    Levin to fix a segmentation fault [tools/tiffdump.c, CAN-2004-1183] Thanks to Martin Schulze for forwarding the patch.
  * Fixed section of -dev package (devel -> libdevel)

 -- Jay Berkenbilt Wed, 5 Jan 2005 16:27:26 -0500

tiff (3.6.1-4) unstable; urgency=high

  * Fix heap overflow security bug [CAN-2004-1308]. (Closes: #286815)

 -- Jay Berkenbilt Wed, 22 Dec 2004 10:20:52 -0500

tiff (3.6.1-3) unstable; urgency=medium

  * Patches from upstream to fix zero-size tile and integer overflow problems created by previous security patches, closes: #276783.
  * Added Jay Berkenbilt as co-maintainer. Jay thanks Joy for letting him help and eventually take over maintenance of these packages!

 -- Josip Rodin Mon, 01 Nov 2004 12:28:27 +0100

tiff (3.6.1-2) unstable; urgency=low

  * Included security fixes for:
    + CAN-2004-0803
      - libtiff/tif_luv.c
      - libtiff/tif_next.c
      - libtiff/tif_thunder.c
    + CAN-2004-0804 (but this one is already applied upstream, it seems)
      - libtiff/tif_dirread.c
    + CAN-2004-0886
      - libtiff/tif_aux.c
      - libtiff/tif_compress.c
      - libtiff/tif_dir.c
      - libtiff/tif_dirinfo.c
      - libtiff/tif_dirread.c
      - libtiff/tif_dirwrite.c
      - libtiff/tif_extension.c
      - libtiff/tif_fax3.c
      - libtiff/tiffiop.h
      - libtiff/tif_getimage.c
      - libtiff/tif_luv.c
      - libtiff/tif_pixarlog.c
      - libtiff/tif_strip.c
      - libtiff/tif_tile.c
      - libtiff/tif_write.c
    Thanks to Martin Schulze for forwarding the patches.

 -- Josip Rodin Thu, 14 Oct 2004 16:13:11 +0200

tiff (3.6.1-1.1) unstable; urgency=medium

  * Non-maintainer upload; thanks to Jay Berkenbilt for preparing the patches
  * Rename shared library and development packages to resolve accidental upstream ABI change. Closes: #236247
  * Include patch from upstream to fix multistrip g3 fax bug. Closes: #243405
  * Include LZW support. Closes: #260242, #248490
  * Fix URL in copyright file. Closes: #261357
  * Install missing documentation files.
    Closes: #261356

 -- Steve Langasek Sun, 25 Jul 2004 10:28:06 -0400

tiff (3.6.1-1) unstable; urgency=low

  * New upstream version, closes: #231977.
  * Slightly fixed up the static lib build rules so that the build process does the normal stuff for the dynamic lib and then does the static with the same tiffvers.h.

 -- Josip Rodin Mon, 23 Feb 2004 18:23:34 +0100

tiff (3.5.7-2) unstable; urgency=high

  * Added back the patch that used -src static/libtiff.a in the install rule. Wonder how that disappeared... closes: #170914.
  * Fake it's a GNU system in order for the configure script to use our toolchain stuff on the NetBSD port, thanks to Joel Baker, closes: #130636.

 -- Josip Rodin Tue, 10 Dec 2002 17:18:28 +0100

tiff (3.5.7-1) unstable; urgency=low

  * New upstream version, closes: #144940.
  * A whole new set of patches for the breakage in the build system :)

 -- Josip Rodin Sun, 6 Oct 2002 22:54:08 +0200

tiff (3.5.5-6) unstable; urgency=low

  * It appears that the general 64-bit detection code, isn't. We have to include all of those three conditions, feh. This really closes: #106706.

 -- Josip Rodin Wed, 8 Aug 2001 23:09:55 +0200

tiff (3.5.5-5) unstable; urgency=low

  * Changed two Alpha/Mips-isms into general 64-bit detection code, patch from John Daily, closes: #106706.
  * Patched man/Makefile.in to generate a manual page file for TIFFClientOpen(3t), as a .so link to TIFFOpen(3t), closes: #99577.
  * Used /usr/share/doc in the doc-base file, closes: #74122.
  * Changed libtiff3g-dev's section back to devel, since graphics was, according to elmo, "hysterical raisins". :))

 -- Josip Rodin Fri, 27 Jul 2001 01:43:04 +0200

tiff (3.5.5-4) unstable; urgency=low

  * Updated config.* files, closes: #94696.
  * Fixed libtiff3g-dev's section, closes: #85533.

 -- Josip Rodin Wed, 20 Jun 2001 18:29:24 +0200

tiff (3.5.5-3) unstable; urgency=low

  * Build shared library on Hurd, too, closes: #72482.
  * Upped Standards-Version to 3.5.0.

 -- Josip Rodin Sat, 30 Sep 2000 17:42:13 +0200

tiff (3.5.5-2) unstable; urgency=low

  * Make `dynamic shared object' on Linux unconditionally, fixes the problem with libc.so.6.1 on alpha, thanks Chris C. Chimelis.

 -- Josip Rodin Wed, 13 Sep 2000 21:44:00 +0200

tiff (3.5.5-1) unstable; urgency=low

  * New upstream version.
  * The upstream build system sucks. There, I said it. Back to work now. :)
  * Added build dependencies on make (>= 3.77) (closes: #67747) and debhelper.
  * Standards-Version: 3.2.1:
    + added DEB_BUILD_OPTIONS checks in debian/rules

 -- Josip Rodin Tue, 29 Aug 2000 14:06:02 +0200

tiff (3.5.4-5) frozen unstable; urgency=low

  * Fixed 16-bit/32-bit values bug in fax2ps from libtiff-tools, that also breaks printing from hylafax, using provided oneliner patch from Bernd Herd (accepted upstream), closes: #49232 and probably #62235.

 -- Josip Rodin Mon, 27 Mar 2000 17:12:10 +0200

tiff (3.5.4-4) frozen unstable; urgency=low

  * Weird dpkg-shlibdeps from dpkg 1.6.8-pre has done it again, this time with libz.so, making the packages depend on zlib1 (instead of zlib1g). Closes: #56134, #56137, #56140, #56155.

 -- Josip Rodin Tue, 25 Jan 2000 18:05:28 +0100

tiff (3.5.4-3) frozen unstable; urgency=low

  * Included libtiff.so file in libtiff3g-dev, dammit :( My eye hurts, a lot, but this was easy to fix, thank goodness :) (closes: #55814). This bugfix deserves to get into frozen because the bug cripples libtiff3g-dev, a lot.

 -- Josip Rodin Fri, 21 Jan 2000 19:02:22 +0100

tiff (3.5.4-2) unstable; urgency=low

  * Fixed upstream build system to use ${DESTDIR}, and with that working, created install: rule in debian/rules and used it.
  * Fixed the way rules file gets the version from upstream sources, and fixed dist/tiff.alpha, it didn't work.
  * Removed README file from libtiff3g binary package, useless.
  * Fixed configure script not to emit the wrong warning about zlib/jpeg dirs not specified (they're in /usr/include, stupid :).

 -- Josip Rodin Thu, 30 Dec 1999 01:17:32 +0100

tiff (3.5.4-1) unstable; urgency=low

  * New upstream version, closes: #50338.
  * Disabled libc5 build, it wouldn't compile. :(

 -- Josip Rodin Fri, 3 Dec 1999 20:49:25 +0100

tiff (3.5.2-4) unstable; urgency=low

  * Castrated the rules file, to make it actually work on !(i386 m68k). Closes: #49316.

 -- Josip Rodin Sat, 6 Nov 1999 13:22:54 +0100

tiff (3.5.2-3) unstable; urgency=low

  * Removed sparc from the libtiff3 arches list, as BenC advised.

 -- Josip Rodin Fri, 29 Oct 1999 23:29:23 +0200

tiff (3.5.2-2) unstable; urgency=low

  * Changed Architecture: line for libtiff3 from "any" to "i386 m68k sparc" as it is actually only built on those. Changed description a little bit.
  * Minor fixes to the rules file.

 -- Josip Rodin Thu, 28 Oct 1999 14:00:02 +0200

tiff (3.5.2-1) unstable; urgency=low

  * New upstream version.
  * Renamed source package to just "tiff", like upstream tarball name.
  * New maintainer (thanks Guy!). Renewed packaging, with debhelper, using Joey's nifty multi2 example, with several adjustments.
  * Ditched libtiff3-altdev, nobody's using that and nobody should be using that. Packaging for it still exists, it's just commented out.
  * Uses doc-base for -dev docs now. Uncompressed HTML docs, 100kb space saved is pointless when you can't use any links between documents.

 -- Josip Rodin Tue, 26 Oct 1999 16:20:46 +0200

libtiff3 (3.4beta037-8) unstable; urgency=low

  * Argh, same bug in the prerm, closes: #36990, #36850, #36855, #36866, #36988.

 -- Guy Maor Sat, 1 May 1999 10:12:23 -0700

libtiff3 (3.4beta037-7) unstable; urgency=low

  * Don't error when dhelp is not installed, closes: #36879, #36922.

 -- Guy Maor Thu, 29 Apr 1999 19:17:55 -0700

libtiff3 (3.4beta037-6) unstable; urgency=low

  * Only build libc5 packages on appropriate archs, closes: #27083, #32007.
  * Apply NMU patch, closes: #26413, #26887.
  * Add dhelp support, closes: #35154.
  * Recompile removes invalid dependency, closes: #30961.

 -- Guy Maor Sat, 24 Apr 1999 15:17:51 -0700

libtiff3 (3.4beta037-5.1) frozen unstable; urgency=low

  * NMU to not use install -s to strip static .a libraries. Fixes: #26413
  * Build with recent libjpeg. Fixes: #26887
  * Add Section: and Priority: headers to debian/control.

 -- Ben Gertzfield Mon, 26 Oct 1998 22:44:33 -0800

libtiff3 (3.4beta037-5) unstable; urgency=low

  * Explicit link with -lm (and don't need -lc now), fixes: #19167, #22180.

 -- Guy Maor Tue, 11 Aug 1998 22:27:56 -0700

libtiff3 (3.4beta037-4) unstable; urgency=low

  * libtiff3-tools conflicts & replaces with libtiff3-gif (13521,15107).

 -- Guy Maor Sun, 11 Jan 1998 13:09:28 -0800

libtiff3 (3.4beta037-3) unstable; urgency=low

  * New libjpegg contains shlibs file, so don't need shlibs.local.
  * Compile with -D_REENTRANT.
  * Add shlibs for libtiff3g (13423).

 -- Guy Maor Sat, 27 Sep 1997 13:17:45 -0500

libtiff3 (3.4beta037-2) unstable; urgency=low

  * Add libjpegg6a to shlibs.local to correct for broken dependency.

 -- Guy Maor Fri, 26 Sep 1997 11:23:55 -0500

libtiff3 (3.4beta037-1) unstable; urgency=low

  * New upstream version, libc6 compile, policy 2.3.0.0 (5136, 7470, 7627, 8166 8312, 9479, 9492, 9531, 11700, 11702).
  * Fix check for shared lib support (10805).

 -- Guy Maor Tue, 23 Sep 1997 16:55:56 -0500