Format: 1.8
Date: Sun, 12 Jan 2020 17:28:54 +0000
Source: tiff
Architecture: source
Version: 4.1.0+git191117-2~deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 934780 945402
Changes:
 tiff (4.1.0+git191117-2~deb10u1) buster-security; urgency=high
 .
   * Security backport for Buster.
   * Relax Standards-Version to 4.3.0 .
 .
 tiff (4.1.0+git191117-2) unstable; urgency=medium
 .
   * Backport upstream fix for rowsperstrip parse regression in
     OJPEGReadHeaderInfo() (closes: #945402).
 .
 tiff (4.1.0+git191117-1) unstable; urgency=medium
 .
   * Git snapshot, fixing the following issues:
     - missing TIFFClose in rgb2ycbcr tool,
     - missing checks on TIFFGetField in tiffcrop tool,
     - broken sanity check in OJPEG,
     - missing generated .sh files for tests.
 .
 tiff (4.1.0-1) unstable; urgency=medium
 .
   * New upstream release.
   * Update Standards-Version to 4.4.1 .
 .
 tiff (4.0.10+git191003-1) unstable; urgency=high
 .
   * Git snapshot, fixing the following security issue:
     - TIFFReadAndRealloc(): avoid too large memory allocation attempts.
 .
 tiff (4.0.10+git190903-1) unstable; urgency=high
 .
   * Git snapshot, fixing the following security issues:
     - setByteArray(): avoid potential signed integer overflow,
     - EstimateStripByteCounts(): avoid several unsigned integer overflows,
     - tif_ojpeg: avoid two unsigned integer overflows,
     - OJPEGWriteHeaderInfo(): avoid unsigned integer overflow on strile
       dimensions close to UINT32_MAX,
     - _TIFFPartialReadStripArray(): avoid unsigned integer overflow,
     - JPEG: avoid use of uninitialized memory on corrupted files,
     - TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t,
     - allocChoppedUpStripArrays(): avoid unsigned integer overflow,
     - tif_ojpeg: avoid use of uninitialized memory on edge/broken file,
     - ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer
       overflows.
 .
 tiff (4.0.10+git190818-1) unstable; urgency=high
 .
   * Git snapshot, fixing the following security issues:
     - RGBA interface: fix integer overflow potentially causing write heap
       buffer overflow,
     - setByteArray(): avoid potential signed integer overflow.
 .
 tiff (4.0.10+git190814-1) unstable; urgency=high
 .
   * Git snapshot, fixing the following security issues:
     - TryChopUpUncompressedBigTiff(): avoid potential division by zero,
     - fix vulnerability introduced by defer strile loading,
     - fix vulnerability in 'D' (DeferStrileLoad) mode,
     - return infinite distance when denominator is zero,
     - OJPEG: avoid use of uninitialized memory on corrupted files,
     - OJPEG: fix integer division by zero on corrupted subsampling factors,
     - OJPEGReadBufferFill(): avoid very long processing time on corrupted
       files,
     - TIFFClientOpen(): fix memory leak if one of the required callbacks is
       not provided,
     - CVE-2019-14973, fix integer overflow in _TIFFCheckMalloc() and other
       implementation-defined behaviour (closes: #934780).
   * Update libtiff5 symbols.
   * Update Standards-Version to 4.4.0 .