diff -Nru tiff-4.0.6/debian/changelog tiff-4.0.6/debian/changelog
--- tiff-4.0.6/debian/changelog 2016-01-01 10:53:14.000000000 +0000
+++ tiff-4.0.6/debian/changelog 2016-07-16 12:48:25.000000000 +0000
@@ -1,3 +1,20 @@
+tiff (4.0.6-2) unstable; urgency=high
+
+ * Backport fix for the following vulnerabilities:
+ - CVE-2016-5314, PixarLogDecode() heap-based buffer overflow
+ (closes: #830700),
+ - CVE-2016-5316, PixarLogCleanup() Segmentation fault,
+ - CVE-2016-5320, rgb2ycbcr: command excution,
+ - CVE-2016-5875, heap-based buffer overflow when using the PixarLog
+ compression format,
+ - CVE-2016-6223, information leak in libtiff/tif_read.c ,
+ - CVE-2016-5321, DumpModeDecode(): Ddos,
+ - CVE-2016-5323, tiffcrop _TIFFFax3fillruns(): NULL pointer dereference.
+ * Be primary maintainer and keep Ondřej as uploader.
+ * Update Standards-Version to 3.9.8 .
+
+ -- Laszlo Boszormenyi (GCS) Sat, 16 Jul 2016 11:45:21 +0000
+
 tiff (4.0.6-1) unstable; urgency=high
+ * New upstream release.
diff -Nru tiff-4.0.6/debian/control tiff-4.0.6/debian/control
--- tiff-4.0.6/debian/control 2015-09-01 11:12:11.000000000 +0000
+++ tiff-4.0.6/debian/control 2016-07-16 12:29:54.000000000 +0000
@@ -1,8 +1,8 @@
 Source: tiff
 Section: libs
 Priority: optional
-Maintainer: Ondřej Surý
-Uploaders: Laszlo Boszormenyi (GCS)
+Maintainer: Laszlo Boszormenyi (GCS)
+Uploaders: Ondřej Surý
 Build-Depends: autotools-dev,
 debhelper (>> 9),
 dh-autoreconf,
@@ -14,7 +14,7 @@
 libxi-dev,
 libxmu-dev,
 zlib1g-dev
-Standards-Version: 3.9.6
+Standards-Version: 3.9.8
 Homepage: http://libtiff.maptools.org
 Vcs-Git: git://anonscm.debian.org/collab-maint/tiff.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/tiff.git
diff -Nru tiff-4.0.6/debian/patches/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch tiff-4.0.6/debian/patches/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch
--- tiff-4.0.6/debian/patches/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.0.6/debian/patches/04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch 2016-07-16 12:37:33.000000000 +0000
@@ -0,0 +1,58 @@
+From 391e77fcd217e78b2c51342ac3ddb7100ecacdd2 Mon Sep 17 00:00:00 2001
+From: erouault
+Date: Tue, 28 Jun 2016 15:12:19 +0000
+Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun
+ in PixarLogDecode() on corrupted/unexpected images (reported by Mathias
+ Svensson)
+
+---
+ ChangeLog | 5 +++++
+ libtiff/tif_pixarlog.c | 8 ++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index 1b0e599..dee1881 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,8 @@
++2016-06-28 Even Rouault
++
++ * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
++ PixarLogDecode() on corrupted/unexpected images (reported by Mathias Svensson)
++
+ 2015-12-27 Even Rouault
+
+ * libtiff/tif_next.c: fix potential out-of-bound write in NeXTDecode()
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 06e8af3..cc486c5 100644
+--- a/libtiff/tif_pixarlog.c
++++ b/libtiff/tif_pixarlog.c
+@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
+ typedef struct {
+ TIFFPredictorState predict;
+ z_stream stream;
++ tmsize_t tbuf_size; /* only set/used on reading for now */
+ uint16 *tbuf;
+ uint16 stride;
+ int state;
+@@ -692,6 +693,7 @@ PixarLogSetupDecode(TIFF* tif)
+ sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
+ if (sp->tbuf == NULL)
+ return (0);
++ sp->tbuf_size = tbuf_size;
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+@@ -781,6 +783,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
+ TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
+ return (0);
+ }
++ /* Check that we will not fill more than what was allocated */
++ if (sp->stream.avail_out > sp->tbuf_size)
++ {
++ TIFFErrorExt(tif->tif_clientdata, module, "sp->stream.avail_out > sp->tbuf_size");
++ return (0);
++ }
+ do {
+ int state =
inflate(&sp->stream, Z_PARTIAL_FLUSH);
+ if (state == Z_STREAM_END) {
diff -Nru tiff-4.0.6/debian/patches/05-CVE-2016-6223.patch tiff-4.0.6/debian/patches/05-CVE-2016-6223.patch
--- tiff-4.0.6/debian/patches/05-CVE-2016-6223.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.0.6/debian/patches/05-CVE-2016-6223.patch 2016-07-16 12:46:41.000000000 +0000
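Review bot: The patch file name and debian/changelog credit this single upstream commit (391e77fc) with four CVEs, yet its subject and ChangeLog entry describe only the PixarLogDecode() write overrun, and the changelog attributes different symptoms to the other three (PixarLogCleanup() segfault, rgb2ycbcr, a PixarLog heap overflow); a header line in the patch such as `# CVE-2016-5316/5320/5875: covered by the same PixarLogDecode() bound check as CVE-2016-5314 (see tracker entry: <reference placeholder>)` would let the next reader verify that without a lookup, assuming that is indeed the reasoning. On the code, `tbuf_size` is assigned only in PixarLogSetupDecode() while the new guard in PixarLogDecode() reads it; whether the state struct is zeroed at allocation is not visible here, so an explicit `sp->tbuf_size = 0;` where the state is created would make the guard fail closed rather than compare against an indeterminate value. The diagnostic `"sp->stream.avail_out > sp->tbuf_size"` names internal fields; a user-facing wording like `"PixarLog strip data larger than decode buffer"` would read better, though deviating from upstream text in a backport is a judgement call. PixarLogDecode() continues beyond the hunk.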
@@ -0,0 +1,59 @@
+From 0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496 Mon Sep 17 00:00:00 2001
+From: erouault
+Date: Sun, 10 Jul 2016 18:00:20 +0000
+Subject: [PATCH] * libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped
+ files in TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is
+ beyond tmsize_t max value (reported by Mathias Svensson)
+
+---
+ ChangeLog | 7 +++++++
+ libtiff/tif_read.c | 7 +++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 6f6e7c6..e98d54d 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2016-07-10 Even Rouault
++
++ * libtiff/tif_read.c: Fix out-of-bounds read on
++ memory-mapped files in TIFFReadRawStrip1() and TIFFReadRawTile1()
++ when stripoffset is beyond tmsize_t max value (reported by
++ Mathias Svensson)
++
+ 2016-06-28 Even Rouault
+
+ * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 5e39b9f..c26c55f 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -31,6 +31,9 @@
+ #include "tiffiop.h"
+ #include
+
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ int TIFFFillStrip(TIFF* tif, uint32 strip);
+ int TIFFFillTile(TIFF* tif, uint32 tile);
+ static int TIFFStartStrip(TIFF* tif, uint32 strip);
+@@ -401,7 +404,7 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
+ tmsize_t n;
+ ma=(tmsize_t)td->td_stripoffset[strip];
+ mb=ma+size;
+- if (((uint64)ma!=td->td_stripoffset[strip])||(ma>tif->tif_size))
++ if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+ n=0;
+ else if ((mbtif->tif_size))
+ n=tif->tif_size-ma;
+@@ -717,7 +720,7 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
+ tmsize_t n;
+ ma=(tmsize_t)td->td_stripoffset[tile];
+ mb=ma+size;
+- if (((uint64)ma!=td->td_stripoffset[tile])||(ma>tif->tif_size))
++ if
((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+ n=0;
+ else if ((mbtif->tif_size))
+ n=tif->tif_size-ma;
diff -Nru tiff-4.0.6/debian/patches/06-CVE-2016-5321.patch tiff-4.0.6/debian/patches/06-CVE-2016-5321.patch
--- tiff-4.0.6/debian/patches/06-CVE-2016-5321.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.0.6/debian/patches/06-CVE-2016-5321.patch 2016-07-16 12:16:16.000000000 +0000
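Review bot: `mb=ma+size;` is still evaluated before the new offset check in both TIFFReadRawStrip1() and TIFFReadRawTile1(), so an offset that passes the `TIFF_TMSIZE_T_MAX` test but sits close to it makes the signed addition overflow — undefined behaviour in C — before the wraparound test on the following `else if` line (which appears to have lost its angle-bracket comparisons in extraction) gets a chance to see it. Because the `else` branch already knows `ma <= tif->tif_size`, the sum can be guarded without ever being formed on overflow, e.g. `else if ((size > TIFF_TMSIZE_T_MAX - ma)||(ma+size > tif->tif_size))` in place of the `mb` comparisons, or by doing the arithmetic in uint64 straight from `td_stripoffset[]`. `TIFF_TMSIZE_T_MAX` also expands to `(tmsize_t)(...)` without outer parentheses; `#define TIFF_TMSIZE_T_MAX ((tmsize_t)(TIFF_SIZE_T_MAX >> 1))` avoids surprises if it is ever used with a postfix operator. Both functions begin and end outside the hunks.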
@@ -0,0 +1,41 @@
+From d9783e4a1476b6787a51c5ae9e9b3156527589f0 Mon Sep 17 00:00:00 2001
+From: erouault
+Date: Mon, 11 Jul 2016 21:26:03 +0000
+Subject: [PATCH] * tools/tiffcrop.c: Avoid access outside of stack allocated
+ array on a tiled separate TIFF with more than 8 samples per pixel. Reported
+ by Kaixiang Zhang of the Cloud Security Team, Qihoo 360 (CVE-2016-5321,
+ bugzilla #2558)
+
+---
+ ChangeLog | 7 +++++++
+ tools/tiffcrop.c | 2 +-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index e98d54d..4e0302f 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,10 @@
++2016-07-11 Even Rouault
++
++ * tools/tiffcrop.c: Avoid access outside of stack allocated array
++ on a tiled separate TIFF with more than 8 samples per pixel.
++ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
++ (CVE-2016-5321, bugzilla #2558)
++
+ 2016-07-10 Even Rouault
+
+ * libtiff/tif_read.c: Fix out-of-bounds read on
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index d959ae3..6fc8fc1 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -989,7 +989,7 @@ static int readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
+ nrow = (row + tl > imagelength) ? imagelength - row : tl;
+ for (col = 0; col < imagewidth; col += tw)
+ {
+- for (s = 0; s < spp; s++)
++ for (s = 0; s < spp && s < MAX_SAMPLES; s++)
+ { /* Read each plane of a tile set into srcbuffs[s] */
+ tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
+ if (tbytes < 0 && !ignore)
diff -Nru tiff-4.0.6/debian/patches/07-CVE-2016-5323.patch tiff-4.0.6/debian/patches/07-CVE-2016-5323.patch
--- tiff-4.0.6/debian/patches/07-CVE-2016-5323.patch 1970-01-01 00:00:00.000000000 +0000
+++ tiff-4.0.6/debian/patches/07-CVE-2016-5323.patch 2016-07-16 12:08:09.000000000 +0000
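Review bot: Bounding the loop with `s < spp && s < MAX_SAMPLES` stops the overrun of `srcbuffs[]` but silently skips every plane past MAX_SAMPLES, so a tiled separate image with more samples is processed with incomplete data and no diagnostic; the eight combineSeparate*Samples loops in 07-CVE-2016-5323.patch apply the same silent truncation. Rejecting the image once, before the loops, makes the limit explicit: `if (spp > MAX_SAMPLES) { TIFFError("readSeparateTilesIntoBuffer", "Samples per pixel %u exceeds MAX_SAMPLES", (unsigned)spp); return (0); }`, using whichever failure return the function's `tbytes < 0 && !ignore` path uses, which lies outside the hunk. The debian/changelog entry describes CVE-2016-5321 as `DumpModeDecode(): Ddos`, which does not match this patch's subject (tiffcrop stack array access); aligning the two helps anyone tracing the fix later. readSeparateTilesIntoBuffer() starts and ends outside the hunk.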
@@ -0,0 +1,99 @@
+From 2f79856097f423eb33796a15fcf700d2ea41bf31 Mon Sep 17 00:00:00 2001
+From: erouault
+Date: Mon, 11 Jul 2016 21:38:31 +0000
+Subject: [PATCH] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
+
+---
+ ChangeLog | 2 +-
+ tools/tiffcrop.c | 16 ++++++++--------
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 4e0302f..62dc1b5 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -3,7 +3,7 @@
+ * tools/tiffcrop.c: Avoid access outside of stack allocated array
+ on a tiled separate TIFF with more than 8 samples per pixel.
+ Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
+- (CVE-2016-5321, bugzilla #2558)
++ (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
+
+ 2016-07-10 Even Rouault
+
+diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
+index 6fc8fc1..27abc0b 100644
+--- a/tools/tiffcrop.c
++++ b/tools/tiffcrop.c
+@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
+
+ matchbits = maskbits << (8 - src_bit - bps);
+ /* load up next sample from each plane */
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ buff1 = ((*src) & matchbits) << (src_bit);
+@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
+ src_bit = bit_offset % 8;
+
+ matchbits = maskbits << (16 - src_bit - bps);
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ if (little_endian)
+@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
+ src_bit = bit_offset % 8;
+
+ matchbits = maskbits << (32 - src_bit - bps);
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ if (little_endian)
+@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+ src_bit =
bit_offset % 8;
+
+ matchbits = maskbits << (64 - src_bit - bps);
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ if (little_endian)
+@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
+
+ matchbits = maskbits << (8 - src_bit - bps);
+ /* load up next sample from each plane */
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ buff1 = ((*src) & matchbits) << (src_bit);
+@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
+ src_bit = bit_offset % 8;
+
+ matchbits = maskbits << (16 - src_bit - bps);
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ if (little_endian)
+@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
+ src_bit = bit_offset % 8;
+
+ matchbits = maskbits << (32 - src_bit - bps);
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ if (little_endian)
+@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+ src_bit = bit_offset % 8;
+
+ matchbits = maskbits << (64 - src_bit - bps);
+- for (s = 0; s < spp; s++)
++ for (s = 0; (s < spp) && (s < MAX_SAMPLES); s++)
+ {
+ src = in[s] + src_offset + src_byte;
+ if (little_endian)
diff -Nru tiff-4.0.6/debian/patches/series tiff-4.0.6/debian/patches/series
--- tiff-4.0.6/debian/patches/series 2016-01-01 10:47:04.000000000 +0000
+++ tiff-4.0.6/debian/patches/series 2016-07-16 15:26:17.000000000 +0000
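Review bot: The embedded upstream commit 2f798560 has the subject `(CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)` and nothing else, so the patch header never says what it changes; a DEP-3 `Description:` line such as `Description: bound the per-plane loops in combineSeparate{,Tile}Samples{8,16,24,32}bits to MAX_SAMPLES so in[] is not indexed past its size` would document it and would also reconcile the debian/changelog text that files CVE-2016-5323 under `_TIFFFax3fillruns(): NULL pointer dereference`. On the code, `(s < spp) && (s < MAX_SAMPLES)` is re-evaluated for every sample inside what look like per-pixel loops in eight functions; computing `nplanes = (spp < MAX_SAMPLES) ? spp : MAX_SAMPLES;` once per function and looping to it keeps a single place to adjust if the limit changes, though each function's entry lies outside its hunk. Whether silently dropping planes beyond MAX_SAMPLES, rather than rejecting the image, yields a usable result is worth stating in that description as well.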
@@ -1,3 +1,7 @@
 01-CVE-2015-8665_and_CVE-2015-8683.patch
 02-fix_potential_out-of-bound_writes_in_decode_functions.patch
 03-fix_potential_out-of-bound_write_in_NeXTDecode.patch
+04-CVE-2016-5314_CVE-2016-5316_CVE-2016-5320_CVE-2016-5875.patch
+05-CVE-2016-6223.patch
+06-CVE-2016-5321.patch
+07-CVE-2016-5323.patch