--- tiff-3.7.4.orig/debian/libtiff4.install +++ tiff-3.7.4/debian/libtiff4.install @@ -0,0 +1,2 @@ +debian/tmp/usr/lib/libtiff.so.* +debian/tmp/usr/share/doc/libtiff4/html --- tiff-3.7.4.orig/debian/libtiffxx0c2.install +++ tiff-3.7.4/debian/libtiffxx0c2.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libtiffxx.so.* --- tiff-3.7.4.orig/debian/copyright +++ tiff-3.7.4/debian/copyright @@ -0,0 +1,37 @@ +libtiff was originally debianized by Guy Maor and +later maintained by Josip Rodin . Jay +Berkenbilt repackaged it in conjunction with the +3.7.0 release and is now the primary maintainer. + +Original source can be found at: http://www.remotesensing.org/libtiff/ + +Copyright (C) 1988-1997 Sam Leffler +Copyright (C) 1991-1997 Silicon Graphics, Inc. +Portions Copyright (C) 1985-1987, 1990 Regents of the University of California +Portions Copyright (C) 1990, 1991 Digital Equipment Corporation +Portions Copyright (C) 1990 Sun Microsystems, Inc. +Portions Copyright (C) 1990, 1995 Frank D. Cringle +Portions Copyright (C) 1996 BancTec AB +Portions Copyright (C) 1996 Mike Johnson +Portions Copyright (C) 1996 Pixar +Portions Copyright (C) 1997 Greg Ward Larson +Portions Copyright (C) 2000 Frank Warmerdam + +Permission to use, copy, modify, distribute, and sell this software and +its documentation for any purpose is hereby granted without fee, provided +that (i) the above copyright notices and this permission notice appear in +all copies of the software and related documentation, and (ii) the names of +Sam Leffler and Silicon Graphics may not be used in any advertising or +publicity relating to the software without the specific, prior written +permission of Sam Leffler and Silicon Graphics. + +THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, +EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY +WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR +ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, +OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, +WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF +LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE +OF THIS SOFTWARE. --- tiff-3.7.4.orig/debian/control +++ tiff-3.7.4/debian/control @@ -0,0 +1,62 @@ +Source: tiff +Section: libs +Priority: optional +Maintainer: Jay Berkenbilt +Uploaders: Josip Rodin +Build-Depends: cdbs, debhelper (>= 4.1.0), zlib1g-dev, libjpeg62-dev, libxmu-dev, libgl1-mesa-dev, freeglut3-dev +Standards-Version: 3.6.2 + +Package: libtiff4 +Architecture: any +Depends: ${shlibs:Depends} +Description: Tag Image File Format (TIFF) library + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes the shared library. + +Package: libtiffxx0c2 +Architecture: any +Depends: ${shlibs:Depends} +Conflicts: libtiffxx0 +Replaces: libtiffxx0 +Description: Tag Image File Format (TIFF) library -- C++ interface + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes the shared library for the experimental C++ interfaces. + +Package: libtiff4-dev +Section: libdevel +Architecture: any +Depends: libtiff4 (= ${Source-Version}), libtiffxx0c2 (= ${Source-Version}), libc6-dev | libc-dev, zlib1g-dev, libjpeg62-dev +Conflicts: libtiff3g-dev, libtiff3-dev, libtiff-dev +Provides: libtiff-dev +Description: Tag Image File Format library (TIFF), development files + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes the development files, static library, and header files. + +Package: libtiff-tools +Section: graphics +Architecture: any +Depends: ${shlibs:Depends} +Suggests: libtiff-opengl +Conflicts: libtiff3 (<< 3.4beta037-1), libtiff3-gif +Replaces: libtiff3-gif +Description: TIFF manipulation and conversion tools + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes tools for converting TIFF images to and from other formats + and tools for doing simple manipulations of TIFF images. See also + libtiff-opengl. + +Package: libtiff-opengl +Section: graphics +Architecture: any +Depends: ${shlibs:Depends} +Replaces: libtiff-tools (<< 3.7.0-2) +Description: TIFF manipulation and conversion tools + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + contains libtiff tools that depend upon opengl. It complements the + libtiff-tools package, which contains the libtiff tools that don't + depend upon opengl. --- tiff-3.7.4.orig/debian/rules +++ tiff-3.7.4/debian/rules @@ -0,0 +1,41 @@ +#!/usr/bin/make -f + +# Variables used by cdbs +VERSION := $(shell dpkg-parsechangelog | \ + awk '/Version:/ {print $$2}' | cut -d- -f 1) +DEB_TAR_SRCDIR = tiff-$(VERSION) +DEB_COMPRESS_EXCLUDE = html +export CPPFLAGS = -D_REENTRANT + +# Include cdbs rules files. +include /usr/share/cdbs/1/rules/tarball.mk +include /usr/share/cdbs/1/rules/simple-patchsys.mk +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/class/autotools.mk + +DEB_CONFIGURE_USER_FLAGS = --with-docdir="\$${prefix}/share/doc/libtiff4" + +# As 0.4.21, cdbs creates but doesn't remove debian/compat. It +# creates it conditionally, so this doesn't have a trivial fix. +clean:: + $(RM) debian/compat + +# tiffgt is in libtiff-opengl so libtiff-tools doesn't have to have +# all the X and opengl dependencies. +binary-post-install/libtiff-tools:: + $(RM) debian/libtiff-tools/usr/bin/tiffgt + $(RM) debian/libtiff-tools/usr/share/man/man1/tiffgt.1* + +# Install lintian override files +binary-post-install/%:: + if [ -f debian/$*.lintian ]; then \ + mkdir -p debian/$*/usr/share/lintian/overrides && \ + cp -p debian/$*.lintian debian/$*/usr/share/lintian/overrides/$*; \ + fi + +# Point everyone's /usr/share/doc entry to libtiff4's +binary-predeb/%:: + if [ "$*" != "libtiff4" ]; then \ + $(RM) -r debian/$*/usr/share/doc/$*; \ + ln -s libtiff4 debian/$*/usr/share/doc/$*; \ + fi --- tiff-3.7.4.orig/debian/libtiff-opengl.install +++ tiff-3.7.4/debian/libtiff-opengl.install @@ -0,0 +1,2 @@ +debian/tmp/usr/bin/tiffgt +debian/tmp/usr/share/man/man1/tiffgt.1 --- tiff-3.7.4.orig/debian/libtiff-tools.install +++ tiff-3.7.4/debian/libtiff-tools.install @@ -0,0 +1,2 @@ +debian/tmp/usr/bin +debian/tmp/usr/share/man/man1 --- tiff-3.7.4.orig/debian/libtiff4-dev.lintian +++ tiff-3.7.4/debian/libtiff4-dev.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff4-dev: description-synopsis-starts-with-a-capital-letter --- tiff-3.7.4.orig/debian/libtiffxx0c2.lintian +++ tiff-3.7.4/debian/libtiffxx0c2.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiffxx0c2: description-synopsis-starts-with-a-capital-letter --- tiff-3.7.4.orig/debian/changelog +++ tiff-3.7.4/debian/changelog @@ -0,0 +1,545 @@ +tiff (3.7.4-1ubuntu3.11) dapper-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via crafted + THUNDER_2BITDELTAS data + - debian/patches/z_CVE-2011-1167.patch: validate bitspersample and + make sure npixels is sane in libtiff/tif_thunder.c. + - CVE-2011-1167 + + -- Marc Deslauriers Wed, 30 Mar 2011 13:34:17 -0400 + +tiff (3.7.4-1ubuntu3.10) dapper-security; urgency=low + + * debian/patches/CVE-2011-0192.patch: update for regression in + processing of certain CCITTFAX4 files (LP: #731540). + - http://bugzilla.maptools.org/show_bug.cgi?id=2297 + + -- Kees Cook Mon, 14 Mar 2011 10:56:27 -0700 + +tiff (3.7.4-1ubuntu3.9) dapper-security; urgency=low + + * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite + values + - debian/patches/z_CVE-2010-2595.patch: validate values in + libtiff/tif_color.c. + - CVE-2010-2595 + * SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067) + - debian/patches/z_CVE-2010-2597.patch: properly initialize fields in + libtiff/tif_strip.c. + - CVE-2010-2597 + - CVE-2010-2598 + * SECURITY UPDATE: denial of service via out-of-order tags + - debian/patches/z_CVE-2010-2630.patch: correctly handle order in + libtiff/tif_dirread.c. + - CVE-2010-2630 + * SECURITY UPDATE: denial of service and possible code exection via + YCBCRSUBSAMPLING tag + - debian/patches/z_CVE-2011-0191.patch: validate td_ycbcrsubsampling in + libtiff/tif_dir.c. + - CVE-2011-0191 + * SECURITY UPDATE: denial of service and possible code execution via + buffer overflow in Fax4Decode + - debian/patches/z_CVE-2011-0192.patch: check length in + libtiff/tif_fax3.h. + - CVE-2011-0192 + + -- Marc Deslauriers Fri, 04 Mar 2011 10:09:48 -0500 + +tiff (3.7.4-1ubuntu3.8) dapper-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution and crashes via multiple + integer overflows. Backported upstream fixes: + - debian/patches/CVE-2010-1411.patch + - debian/patches/fix-unknown-tags.patch + + -- Kees Cook Thu, 17 Jun 2010 12:08:10 -0700 + +tiff (3.7.4-1ubuntu3.6) dapper-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via integer overflows in + tiff2rgba and rgb2ycbcr + - debian/patches/CVE-2009-2347.patch: check for integer overflows in + tools/rgb2ycbcr.c and tools/tiff2rgba.c. + - CVE-2009-2347 + + -- Marc Deslauriers Mon, 13 Jul 2009 09:31:11 -0400 + +tiff (3.7.4-1ubuntu3.4) dapper-security; urgency=low + + * SECURITY UPDATE: denial of service via buffer underflow in the + LZWDecodeCompat function (LP: #380149) + - debian/patches/CVE-2009-2285.patch: abort if code is bigger than + CODE_CLEAR in libtiff/tif_lzw.c. + - CVE-2009-2285 + + -- Marc Deslauriers Fri, 03 Jul 2009 15:19:54 -0400 + +tiff (3.7.4-1ubuntu3.3) dapper-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via LZW overflow. + * Add debian/patches/CVE-2008-2327.patch: thanks to Jay Berkenbilt. + + -- Kees Cook Fri, 29 Aug 2008 11:59:21 -0700 + +tiff (3.7.4-1ubuntu3.2) dapper-security; urgency=low + + * SECURITY UPDATE: Arbitrary code execution with crafted TIFF files, found + by Tavis Ormandy of the Google Security Team. + * Add debian/patches/CVE-2006-3459-3465.patch: + - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in + tif_dirread.c + - CVE-2006-3460: A heap overflow vulnerability was discovered in the + jpeg decoder + - CVE-2006-3461: A heap overflow exists in the PixarLog decoder + - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap + overflow + - CVE-2006-3463: An infinite loop was discovered in + EstimateStripByteCounts() + - CVE-2006-3464: Multiple unchecked arithmetic operations were + uncovered, including a number of the range checking operations + deisgned to ensure the offsets specified in tiff directories are + legitimate. + - A number of codepaths were uncovered where assertions did not hold + true, resulting in the client application calling abort() + - CVE-2006-3465: A flaw was also uncovered in libtiffs custom tag + support + + -- Martin Pitt Wed, 2 Aug 2006 13:27:14 +0200 + +tiff (3.7.4-1ubuntu3.1) dapper-security; urgency=low + + * SECURITY UPDATE: Arbitrary command execution with crafted long file names. + * Add debian/patches/tiffsplit-fname-overflow.patch: + - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the + user-specified file name into a statically sized buffer. + - CVE-2006-2656 + * Add debian/patches/tiff2pdf-octal-printf.patch: + - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal + signed char (it printed a signed integer, which overflew the buffer and + was wrong anyway). + + -- Martin Pitt Fri, 2 Jun 2006 18:15:30 +0200 + +tiff (3.7.4-1ubuntu3) dapper; urgency=low + + * debian/patches/fix_43286_crasher.patch: + - upstream change, fix a crasher (Ubuntu: #43286) + + -- Sebastien Bacher Sun, 7 May 2006 13:21:05 +0200 + +tiff (3.7.4-1ubuntu2) dapper; urgency=low + + * SECURITY UPDATE: DoS and arbitrary code execution with crafted TIFF files. + * Add debian/patches/3.8.1-security-fixes.patch: Backported security + relevant fixes from stable 3.8.1 release: + - libtiff/tif_dirread.c: Fix error reporting in TIFFFetchAnyArray() + (%d in format string without corresponding integer argument). + [CVE-2006-2024] + - libtiff/{tif_pixarlog.c, tif_fax3.c, tif_zip.c}: Properly + restore setfield/getfield methods in cleanup functions to avoid crash on + invalid files. [CVE-2006-2024] + - libtiff/{tif_predict.c, tif_predict.h}: Added new function + TIFFPredictorCleanup() to restore parent decode/encode/field methods. + [CVE-2006-2024] + - libtiff/tif_dirread.c: Check for integer overflow in TIFFFetchData(). + [CVE-2006-2025] + - libtiff/tif_jpeg.c: Properly restore setfield/getfield methods in + cleanup functions to avoid double free(). [CVE-2006-2026] + - libtiff/tif_color.c: Check for out-of-bounds values in TIFFXYZToRGB(). + [CVE-2006-2120] + * See http://bugzilla.remotesensing.org/show_bug.cgi?id=1102 for reproducer + images. + + -- Martin Pitt Wed, 3 May 2006 12:56:50 +0200 + +tiff (3.7.4-1ubuntu1) dapper; urgency=low + + * Synchronize to Debian. + * Only change left: xlibmesa-gl-dev -> libgl1-mesa-dev build dependency + change. + + -- Martin Pitt Wed, 9 Nov 2005 18:21:15 -0500 + +tiff (3.7.4-1) unstable; urgency=low + + * New upstream release + * Fix typos in manual page (Closes: #327921, #327922, #327923, #327924) + + -- Jay Berkenbilt Fri, 7 Oct 2005 10:25:49 -0400 + +tiff (3.7.3-1) unstable; urgency=low + + * New upstream release + * g++ 4.0 transition: libtiffxx0 is now libtiffxx0c2. + + -- Jay Berkenbilt Sat, 9 Jul 2005 12:00:44 -0400 + +tiff (3.7.2-3) unstable; urgency=high + + * Fix for exploitable segmentation fault on files with bad BitsPerSample + values. (Closes: #309739) + [libtiff/tif_dirread.c, CAN-2005-1544] + Thanks to Martin Pitt for the report. + + -- Jay Berkenbilt Thu, 19 May 2005 05:41:28 -0400 + +tiff (3.7.2-2) unstable; urgency=high + + * Fix zero pagesize bug with tiff2ps -a2 and tiff2ps -a3. Thanks to + Patrice Fournier for the patch. (Closes: #303583) + * Note: uploading with urgency=high since this very small fix impacts + tools only (not the library), and we don't want to block tiff's many + reverse dependencies from transitioning to sarge. + + -- Jay Berkenbilt Sun, 10 Apr 2005 10:12:37 -0400 + +tiff (3.7.2-1) unstable; urgency=low + + * New upstream release + + -- Jay Berkenbilt Sat, 19 Mar 2005 14:51:06 -0500 + +tiff (3.7.1-4) unstable; urgency=low + + * Fix from upstream: include a better workaround for tiff files with + invalid strip byte counts. (Closes: #183268) + + -- Jay Berkenbilt Tue, 22 Feb 2005 19:20:14 -0500 + +tiff (3.7.1-3) unstable; urgency=low + + * Disable C++ new experimental interfaces for now; will reappear in a + future version in the separate libtiffxx0 package. + + -- Jay Berkenbilt Sat, 29 Jan 2005 13:32:37 -0500 + +tiff (3.7.1+pre3.7.2-1) experimental; urgency=low + + * New upstream release + * Separate experimental C++ interface into separate libtiffxx library. + + -- Jay Berkenbilt Sat, 29 Jan 2005 13:03:19 -0500 + +tiff (3.7.1-2) unstable; urgency=low + + * Make -dev package depend upon other -dev packages referenced in the + .la file created by libtool. (Closes: #291136) + * tiff2ps: Allow one of -w and -h without the other. (Closes: #244247) + + -- Jay Berkenbilt Wed, 19 Jan 2005 10:45:00 -0500 + +tiff (3.7.1-1) unstable; urgency=low + + * New upstream release + * Correct error in doc-base file (Closes: #285652) + + -- Jay Berkenbilt Wed, 5 Jan 2005 16:54:12 -0500 + +tiff (3.7.0-2) experimental; urgency=low + + * Replace hard-coded libc6-dev dependency with something friendlier to + porters (libc6-dev | libc-dev). (Closes: #179727) + * Fixed upstream: proper netbsdelf*-gnu support in configure. Actually + fixed in 3.7.0-1 but left out of changelog. (Closes: #179728) + * Include opengl support; adds new libtiff-opengl package. (Closes: #219456) + * Fixed upstream: fax2ps now allows access to first page. (Closes: #244251) + + -- Jay Berkenbilt Sat, 11 Dec 2004 09:51:52 -0500 + +tiff (3.7.0-1) experimental; urgency=low + + * New upstream release (Closes: #276996) + * New maintainer (Thanks Joy!) + * Repackage using cdbs and simple-patchsys to fix some errors and + simplify patch management + * Fixed upstream: tiff2pdf ignores -z and -j (Closes: #280682) + * Fixed upstream: Memory leak in TIFFClientOpen (Closes: #256657) + + -- Jay Berkenbilt Fri, 26 Nov 2004 13:50:13 -0500 + +tiff (3.6.1-5) unstable; urgency=high + + * New maintainer (thanks Joy!) + * Applied patch by Dmitry V. Levin to fix a segmentation fault + [tools/tiffdump.c, CAN-2004-1183] + Thanks to Martin Schulze for forwarding the patch. + * Fixed section of -dev package (devel -> libdevel) + + -- Jay Berkenbilt Wed, 5 Jan 2005 16:27:26 -0500 + +tiff (3.6.1-4) unstable; urgency=high + + * Fix heap overflow security bug [CAN-2004-1308]. (Closes: #286815) + + -- Jay Berkenbilt Wed, 22 Dec 2004 10:20:52 -0500 + +tiff (3.6.1-3) unstable; urgency=medium + + * Patches from upstream to fix zero-size tile and integer overflow + problems created by previous security patches, closes: #276783. + * Added Jay Berkenbilt as co-maintainer. Jay thanks Joy for letting him + help and eventually take over maintenance of these packages! + + -- Josip Rodin Mon, 01 Nov 2004 12:28:27 +0100 + +tiff (3.6.1-2) unstable; urgency=low + + * Included security fixes for: + + CAN-2004-0803 + - libtiff/tif_luv.c + - libtiff/tif_next.c + - libtiff/tif_thunder.c + + CAN-2004-0804 (but this one is already applied upstream, it seems) + - libtiff/tif_dirread.c + + CAN-2004-0886 + - libtiff/tif_aux.c + - libtiff/tif_compress.c + - libtiff/tif_dir.c + - libtiff/tif_dirinfo.c + - libtiff/tif_dirread.c + - libtiff/tif_dirwrite.c + - libtiff/tif_extension.c + - libtiff/tif_fax3.c + - libtiff/tiffiop.h + - libtiff/tif_getimage.c + - libtiff/tif_luv.c + - libtiff/tif_pixarlog.c + - libtiff/tif_strip.c + - libtiff/tif_tile.c + - libtiff/tif_write.c + Thanks to Martin Schulze for forwarding the patches. + + -- Josip Rodin Thu, 14 Oct 2004 16:13:11 +0200 + +tiff (3.6.1-1.1) unstable; urgency=medium + + * Non-maintainer upload; thanks to Jay Berkenbilt for + preparing the patches + * Rename shared library and development packages to resolve accidental + upstream ABI change. Closes: #236247 + * Include patch from upstream to fix multistrip g3 fax bug. + Closes: #243405 + * Include LZW support. Closes: #260242, #248490 + * Fix URL in copyright file. Closes: #261357 + * Install missing documentation files. Closes: #261356 + + -- Steve Langasek Sun, 25 Jul 2004 10:28:06 -0400 + +tiff (3.6.1-1) unstable; urgency=low + + * New upstream version, closes: #231977. + * Slightly fixed up the static lib build rules so that the build process + does the normal stuff for the dynamic lib and then does the static with + the same tiffvers.h. + + -- Josip Rodin Mon, 23 Feb 2004 18:23:34 +0100 + +tiff (3.5.7-2) unstable; urgency=high + + * Added back the patch that used -src static/libtiff.a in the install + rule. Wonder how that disappeared... closes: #170914. + * Fake it's a GNU system in order for the configure script to use our + toolchain stuff on the NetBSD port, thanks to Joel Baker, closes: #130636. + + -- Josip Rodin Tue, 10 Dec 2002 17:18:28 +0100 + +tiff (3.5.7-1) unstable; urgency=low + + * New upstream version, closes: #144940. + * A whole new set of patches for the breakage in the build system :) + + -- Josip Rodin Sun, 6 Oct 2002 22:54:08 +0200 + +tiff (3.5.5-6) unstable; urgency=low + + * It appears that the general 64-bit detection code, isn't. + We have to include all of those three conditions, feh. + This really closes: #106706. + + -- Josip Rodin Wed, 8 Aug 2001 23:09:55 +0200 + +tiff (3.5.5-5) unstable; urgency=low + + * Changed two Alpha/Mips-isms into general 64-bit detection code, + patch from John Daily , closes: #106706. + * Patched man/Makefile.in to generate a manual page file for + TIFFClientOpen(3t), as a .so link to TIFFOpen(3t), closes: #99577. + * Used /usr/share/doc in the doc-base file, closes: #74122. + * Changed libtiff3g-dev's section back to devel, since graphics was, + according to elmo, "hysterical raisins". :)) + + -- Josip Rodin Fri, 27 Jul 2001 01:43:04 +0200 + +tiff (3.5.5-4) unstable; urgency=low + + * Updated config.* files, closes: #94696. + * Fixed libtiff3g-dev's section, closes: #85533. + + -- Josip Rodin Wed, 20 Jun 2001 18:29:24 +0200 + +tiff (3.5.5-3) unstable; urgency=low + + * Build shared library on Hurd, too, closes: #72482. + * Upped Standards-Version to 3.5.0. + + -- Josip Rodin Sat, 30 Sep 2000 17:42:13 +0200 + +tiff (3.5.5-2) unstable; urgency=low + + * Make `dynamic shared object' on Linux unconditionally, fixes the problem + with libc.so.6.1 on alpha, thanks Chris C. Chimelis. + + -- Josip Rodin Wed, 13 Sep 2000 21:44:00 +0200 + +tiff (3.5.5-1) unstable; urgency=low + + * New upstream version. + * The upstream build system sucks. There, I said it. Back to work now. :) + * Added a build dependencies on make (>= 3.77) (closes: #67747) and + debhelper. + * Standards-Version: 3.2.1: + + added DEB_BUILD_OPTIONS checks in debian/rules + + -- Josip Rodin Tue, 29 Aug 2000 14:06:02 +0200 + +tiff (3.5.4-5) frozen unstable; urgency=low + + * Fixed 16-bit/32-bit values bug in fax2ps from libtiff-tools, that + also breaks printing from hylafax, using provided oneliner patch + from Bernd Herd (accepted upstream), closes: #49232 and probably #62235. + + -- Josip Rodin Mon, 27 Mar 2000 17:12:10 +0200 + +tiff (3.5.4-4) frozen unstable; urgency=low + + * Weird dpkg-shlibdeps from dpkg 1.6.8-pre has done it again, this time + with libz.so, making the packages depend on zlib1 (instead of zlib1g). + Closes: #56134, #56137, #56140, #56155. + + -- Josip Rodin Tue, 25 Jan 2000 18:05:28 +0100 + +tiff (3.5.4-3) frozen unstable; urgency=low + + * Included libtiff.so file in libtiff3g-dev, dammit :( My eye hurts, + a lot, but this was easy to fix, thank goodness :) (closes: #55814). + This bugfix deserves to get into frozen because the bug cripples + libtiff3g-dev, a lot. + + -- Josip Rodin Fri, 21 Jan 2000 19:02:22 +0100 + +tiff (3.5.4-2) unstable; urgency=low + + * Fixed upstream build system to use ${DESTDIR}, and with that working, + created install: rule in debian/rules and used it. + * Fixed the way rules file gets the version from upstream sources, + and fixed dist/tiff.alpha, it didn't work. + * Removed README file from libtiff3g binary package, useless. + * Fixed configure script not to emit the wrong warning about + zlib/jpeg dirs not specified (they're in /usr/include, stupid :). + + -- Josip Rodin Thu, 30 Dec 1999 01:17:32 +0100 + +tiff (3.5.4-1) unstable; urgency=low + + * New upstream version, closes: #50338. + * Disabled libc5 build, it wouldn't compile. :( + + -- Josip Rodin Fri, 3 Dec 1999 20:49:25 +0100 + +tiff (3.5.2-4) unstable; urgency=low + + * Castrated the rules file, to make it actually work on !(i386 m68k). + Closes: #49316. + + -- Josip Rodin Sat, 6 Nov 1999 13:22:54 +0100 + +tiff (3.5.2-3) unstable; urgency=low + + * Removed sparc from the libtiff3 arches list, as BenC advised. + + -- Josip Rodin Fri, 29 Oct 1999 23:29:23 +0200 + +tiff (3.5.2-2) unstable; urgency=low + + * Changed Architecture: line for libtiff3 from "any" to "i386 m68k sparc" + as it is actually only built on those. Changed description a little bit. + * Minor fixes to the rules file. + + -- Josip Rodin Thu, 28 Oct 1999 14:00:02 +0200 + +tiff (3.5.2-1) unstable; urgency=low + + * New upstream version. + * Renamed source package to just "tiff", like upstream tarball name. + * New maintainer (thanks Guy!). Renewed packaging, with debhelper, + using Joey's nifty multi2 example, with several adjustments. + * Ditched libtiff3-altdev, nobody's using that and nobody should be + using that. Packaging for it still exists, it's just commented out. + * Uses doc-base for -dev docs now. Uncompressed HTML docs, 100kb space + saved is pointless when you can't use any links between documents. + + -- Josip Rodin Tue, 26 Oct 1999 16:20:46 +0200 + +libtiff3 (3.4beta037-8) unstable; urgency=low + + * Argh, same bug in the prerm, closes: #36990, #36850, #36855, + #36866, #36988. + + -- Guy Maor Sat, 1 May 1999 10:12:23 -0700 + +libtiff3 (3.4beta037-7) unstable; urgency=low + + * Don't error when dhelp is not installed, closes: #36879, #36922. + + -- Guy Maor Thu, 29 Apr 1999 19:17:55 -0700 + +libtiff3 (3.4beta037-6) unstable; urgency=low + + * Only build libc5 packages on appropriate archs, closes: #27083, #32007. + * Apply NMU patch, closes: #26413, #26887. + * Add dhelp support, closes: #35154. + * Recompile removes invalid dependency, closes: #30961. + + -- Guy Maor Sat, 24 Apr 1999 15:17:51 -0700 + +libtiff3 (3.4beta037-5.1) frozen unstable; urgency=low + + * NMU to not use install -s to strip static .a libraries. Fixes: #26413 + * Build with recent libjpeg. Fixes: #26887 + * Add Section: and Priority: headers to debian/control. + + -- Ben Gertzfield Mon, 26 Oct 1998 22:44:33 -0800 + +libtiff3 (3.4beta037-5) unstable; urgency=low + + * Explicit link with -lm (and don't need -lc now), fixes: #19167, #22180. + + -- Guy Maor Tue, 11 Aug 1998 22:27:56 -0700 + +libtiff3 (3.4beta037-4) unstable; urgency=low + + * libtiff3-tools conflicts & replaces with libtiff3-gif (13521,15107). + + -- Guy Maor Sun, 11 Jan 1998 13:09:28 -0800 + +libtiff3 (3.4beta037-3) unstable; urgency=low + + * New libjpegg contains shlibs file, so don't need shlibs.local. + * Compile with -D_REENTRANT. + * Add shlibs for libtiff3g (13423). + + -- Guy Maor Sat, 27 Sep 1997 13:17:45 -0500 + +libtiff3 (3.4beta037-2) unstable; urgency=low + + * Add libjpegg6a to shlibs.local to correct for broken dependency. + + -- Guy Maor Fri, 26 Sep 1997 11:23:55 -0500 + +libtiff3 (3.4beta037-1) unstable; urgency=low + + * New upstream version, libc6 compile, policy 2.3.0.0 (5136, 7470, 7627, 8166 + 8312, 9479, 9492, 9531, 11700, 11702). + * Fix check for shared lib support (10805). + + -- Guy Maor Tue, 23 Sep 1997 16:55:56 -0500 --- tiff-3.7.4.orig/debian/libtiff4.lintian +++ tiff-3.7.4/debian/libtiff4.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff4: description-synopsis-starts-with-a-capital-letter --- tiff-3.7.4.orig/debian/libtiff4-dev.install +++ tiff-3.7.4/debian/libtiff4-dev.install @@ -0,0 +1,5 @@ +debian/tmp/usr/lib/lib*.so +debian/tmp/usr/lib/lib*.a +debian/tmp/usr/lib/lib*.la +debian/tmp/usr/include +debian/tmp/usr/share/man/man3 --- tiff-3.7.4.orig/debian/patches/fix-unknown-tags.patch +++ tiff-3.7.4/debian/patches/fix-unknown-tags.patch @@ -0,0 +1,178 @@ +diff -Nur -x '*.orig' -x '*~' tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_dirinfo.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_dirinfo.c +--- tiff-3.7.4/libtiff/tif_dirinfo.c 2010-06-17 12:20:57.827649365 -0700 ++++ tiff-3.7.4/libtiff/tif_dirinfo.c 2010-06-17 12:23:56.173899467 -0700 +@@ -437,8 +437,8 @@ + return strcmp(ta->field_name, tb->field_name); + } + +-void +-_TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], int n) ++int ++_TIFFMergeFieldInfo_check(TIFF* tif, const TIFFFieldInfo info[], int n) + { + TIFFFieldInfo** tp; + int i; +@@ -453,7 +453,11 @@ + tif->tif_fieldinfo = (TIFFFieldInfo**) + _TIFFmalloc(n * sizeof (TIFFFieldInfo*)); + } +- assert(tif->tif_fieldinfo != NULL); ++ if (!tif->tif_fieldinfo) { ++ TIFFError("_TIFFMergeFieldInfo", ++ "Failed to allocate field info array"); ++ return 0; ++ } + tp = &tif->tif_fieldinfo[tif->tif_nfields]; + for (i = 0; i < n; i++) + tp[i] = (TIFFFieldInfo*) &info[i]; /* XXX */ +@@ -461,6 +465,15 @@ + /* Sort the field info by tag number */ + qsort(tif->tif_fieldinfo, tif->tif_nfields += n, + sizeof (TIFFFieldInfo*), tagCompare); ++ ++ return n; ++} ++ ++void ++_TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], int n) ++{ ++ if (!_TIFFMergeFieldInfo_check(tif, info, n)) ++ assert(tif->tif_fieldinfo != NULL); + } + + void +diff -Nur -x '*.orig' -x '*~' tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_dirread.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_dirread.c +--- tiff-3.7.4/libtiff/tif_dirread.c 2010-06-17 12:20:57.827649365 -0700 ++++ tiff-3.7.4/libtiff/tif_dirread.c 2010-06-17 12:23:30.894208474 -0700 +@@ -40,6 +40,7 @@ + extern void TIFFCvtIEEEFloatToNative(TIFF*, uint32, float*); + extern void TIFFCvtIEEEDoubleToNative(TIFF*, uint32, double*); + #endif ++extern int _TIFFMergeFieldInfo_check(TIFF* tif, const TIFFFieldInfo info[], int n); + + static int EstimateStripByteCounts(TIFF*, TIFFDirEntry*, uint16); + static void MissingRequired(TIFF*, const char*); +@@ -85,6 +86,7 @@ + char* cp; + int diroutoforderwarning = 0; + int compressionknown = 0; ++ int haveunknowntags = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -244,8 +246,10 @@ + fix = 0; + for (dp = dir, n = dircount; n > 0; n--, dp++) { + +- if (fix >= tif->tif_nfields || dp->tdir_tag == IGNORE) ++ if (dp->tdir_tag == IGNORE) + continue; ++ if (fix >= tif->tif_nfields) ++ fix = 0; + + /* + * Silicon Beach (at least) writes unordered +@@ -267,25 +271,9 @@ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +- TIFFWarning(module, +- "%s: unknown field with tag %d (0x%x) encountered", +- tif->tif_name, dp->tdir_tag, dp->tdir_tag, +- dp->tdir_type); +- /* +- * creating anonymous fields prior to knowing the compression +- * algorithm (ie, when the field info has been merged) could cause +- * crashes with pathological directories. +- * -- taviso@google.com 15 Jun 2006 +- */ +- if (compressionknown) +- TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), 1 ); +- else goto ignore; +- +- fix = 0; +- while (fix < tif->tif_nfields && +- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) +- fix++; ++ /* Unknown tag ... we'll deal with it below */ ++ haveunknowntags = 1; ++ continue; + } + /* + * Null out old tags that we ignore. +@@ -375,6 +363,74 @@ + } + + /* ++ * If we saw any unknown tags, make an extra pass over the directory ++ * to deal with them. This must be done separately because the tags ++ * could have become known when we registered a codec after finding ++ * the Compression tag. In a correctly-sorted directory there's ++ * no problem because Compression will come before any codec-private ++ * tags, but if the sorting is wrong that might not hold. ++ */ ++ if (haveunknowntags) { ++ fix = 0; ++ for (dp = dir, n = dircount; n > 0; n--, dp++) { ++ if (dp->tdir_tag == IGNORE) ++ continue; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ if (fix >= tif->tif_nfields || ++ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { ++ ++ TIFFWarning(module, ++ "%s: unknown field with tag %d (0x%x) encountered", ++ tif->tif_name, ++ dp->tdir_tag, ++ dp->tdir_tag); ++ ++ if (!_TIFFMergeFieldInfo_check(tif, ++ _TIFFCreateAnonFieldInfo(tif, ++ dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), ++ 1)) ++ { ++ TIFFWarning(module, ++ "Registering anonymous field with tag %d (0x%x) failed", ++ dp->tdir_tag, ++ dp->tdir_tag); ++ dp->tdir_tag = IGNORE; ++ continue; ++ } ++ fix = 0; ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ } ++ /* ++ * Check data type. ++ */ ++ fip = tif->tif_fieldinfo[fix]; ++ while (dp->tdir_type != (unsigned short) fip->field_type ++ && fix < tif->tif_nfields) { ++ if (fip->field_type == TIFF_ANY) /* wildcard */ ++ break; ++ fip = tif->tif_fieldinfo[++fix]; ++ if (fix >= tif->tif_nfields || ++ fip->field_tag != dp->tdir_tag) { ++ TIFFWarning(module, ++ "%s: wrong data type %d for \"%s\"; tag ignored", ++ tif->tif_name, dp->tdir_type, ++ tif->tif_fieldinfo[fix-1]->field_name); ++ dp->tdir_tag = IGNORE; ++ break; ++ } ++ } ++ } ++ } ++ ++ /* + * Allocate directory structure and setup defaults. + */ + if (!TIFFFieldSet(tif, FIELD_IMAGEDIMENSIONS)) { --- tiff-3.7.4.orig/debian/patches/z_CVE-2010-2595.patch +++ tiff-3.7.4/debian/patches/z_CVE-2010-2595.patch @@ -0,0 +1,30 @@ +Description: fix denial of service via invalid ReferenceBlackWhite values +Origin: upstream, libtiff/tif_color.c r1.12.2.2 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2208 + +diff -Naur tiff-3.7.4.orig//libtiff/tif_color.c tiff-3.7.4/libtiff/tif_color.c +--- tiff-3.7.4.orig//libtiff/tif_color.c 2011-03-03 16:19:03.000000000 -0500 ++++ tiff-3.7.4/libtiff/tif_color.c 2011-03-03 16:20:11.000000000 -0500 +@@ -182,13 +182,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = CLAMP(Y, 0, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* --- tiff-3.7.4.orig/debian/patches/3.8.1-security-fixes.patch +++ tiff-3.7.4/debian/patches/3.8.1-security-fixes.patch @@ -0,0 +1,292 @@ +diff -ruN tiff-3.7.4-old/libtiff/tif_color.c tiff-3.7.4/libtiff/tif_color.c +--- tiff-3.7.4-old/libtiff/tif_color.c 2005-07-04 13:20:07.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_color.c 2006-05-03 12:56:38.000000000 +0200 +@@ -92,6 +92,11 @@ + Yg = TIFFmax(Yg, cielab->display.d_Y0G); + Yb = TIFFmax(Yb, cielab->display.d_Y0B); + ++ /* Avoid overflow in case of wrong input values */ ++ Yr = TIFFmin(Yr, cielab->display.d_YCR); ++ Yg = TIFFmin(Yg, cielab->display.d_YCG); ++ Yb = TIFFmin(Yb, cielab->display.d_YCB); ++ + /* Turn luminosity to colour value. */ + i = (int)((Yr - cielab->display.d_Y0R) / cielab->rstep); + i = TIFFmin(cielab->range, i); +diff -ruN tiff-3.7.4-old/libtiff/tif_dirread.c tiff-3.7.4/libtiff/tif_dirread.c +--- tiff-3.7.4-old/libtiff/tif_dirread.c 2005-08-17 15:05:26.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_dirread.c 2006-05-03 12:55:40.000000000 +0200 +@@ -784,13 +784,20 @@ + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); + tsize_t cc = dir->tdir_count * w; + ++ /* Check for overflow. */ ++ if (!dir->tdir_count || !w || cc / w != (tsize_t)dir->tdir_count) ++ goto bad; ++ + if (!isMapped(tif)) { + if (!SeekOK(tif, dir->tdir_offset)) + goto bad; + if (!ReadOK(tif, cp, cc)) + goto bad; + } else { +- if (dir->tdir_offset + cc > tif->tif_size) ++ /* Check for overflow. */ ++ if ((tsize_t)dir->tdir_offset + cc < (tsize_t)dir->tdir_offset ++ || (tsize_t)dir->tdir_offset + cc < cc ++ || (tsize_t)dir->tdir_offset + cc > (tsize_t)tif->tif_size) + goto bad; + _TIFFmemcpy(cp, tif->tif_base + dir->tdir_offset, cc); + } +@@ -1138,6 +1145,7 @@ + /* TIFF_UNDEFINED */ + TIFFError(tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", ++ dir->tdir_type, + _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); + return (0); + } +diff -ruN tiff-3.7.4-old/libtiff/tif_fax3.c tiff-3.7.4/libtiff/tif_fax3.c +--- tiff-3.7.4-old/libtiff/tif_fax3.c 2005-07-29 15:21:10.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_fax3.c 2006-05-03 12:55:40.000000000 +0200 +@@ -1056,19 +1056,22 @@ + static void + Fax3Cleanup(TIFF* tif) + { +- if (tif->tif_data) { +- Fax3CodecState* sp = DecoderState(tif); +- +- if (sp->runs) +- _TIFFfree(sp->runs); +- if (sp->refline) +- _TIFFfree(sp->refline); +- +- if (Fax3State(tif)->subaddress) +- _TIFFfree(Fax3State(tif)->subaddress); +- _TIFFfree(tif->tif_data); +- tif->tif_data = NULL; +- } ++ Fax3CodecState* sp = DecoderState(tif); ++ ++ assert(sp != 0); ++ ++ tif->tif_tagmethods.vgetfield = sp->b.vgetparent; ++ tif->tif_tagmethods.vsetfield = sp->b.vsetparent; ++ ++ if (sp->runs) ++ _TIFFfree(sp->runs); ++ if (sp->refline) ++ _TIFFfree(sp->refline); ++ ++ if (Fax3State(tif)->subaddress) ++ _TIFFfree(Fax3State(tif)->subaddress); ++ _TIFFfree(tif->tif_data); ++ tif->tif_data = NULL; + } + + #define FIELD_BADFAXLINES (FIELD_CODEC+0) +@@ -1120,6 +1123,9 @@ + { + Fax3BaseState* sp = Fax3State(tif); + ++ assert(sp != 0); ++ assert(sp->vsetparent != 0); ++ + switch (tag) { + case TIFFTAG_FAXMODE: + sp->mode = va_arg(ap, int); +diff -ruN tiff-3.7.4-old/libtiff/tif_jpeg.c tiff-3.7.4/libtiff/tif_jpeg.c +--- tiff-3.7.4-old/libtiff/tif_jpeg.c 2005-06-06 11:36:57.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_jpeg.c 2006-05-03 12:55:40.000000000 +0200 +@@ -1500,15 +1500,19 @@ + static void + JPEGCleanup(TIFF* tif) + { +- if (tif->tif_data) { +- JPEGState *sp = JState(tif); +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); +- _TIFFfree(tif->tif_data); /* release local state */ +- tif->tif_data = NULL; +- } ++ JPEGState *sp = JState(tif); ++ ++ assert(sp != 0); ++ ++ tif->tif_tagmethods.vgetfield = sp->vgetparent; ++ tif->tif_tagmethods.vsetfield = sp->vsetparent; ++ ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ _TIFFfree(tif->tif_data); /* release local state */ ++ tif->tif_data = NULL; + } + + static int +diff -ruN tiff-3.7.4-old/libtiff/tif_lzw.c tiff-3.7.4/libtiff/tif_lzw.c +--- tiff-3.7.4-old/libtiff/tif_lzw.c 2004-10-02 15:52:29.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_lzw.c 2006-05-03 12:55:40.000000000 +0200 +@@ -1002,6 +1002,8 @@ + static void + LZWCleanup(TIFF* tif) + { ++ (void)TIFFPredictorCleanup(tif); ++ + if (tif->tif_data) { + if (DecoderState(tif)->dec_codetab) + _TIFFfree(DecoderState(tif)->dec_codetab); +diff -ruN tiff-3.7.4-old/libtiff/tif_pixarlog.c tiff-3.7.4/libtiff/tif_pixarlog.c +--- tiff-3.7.4-old/libtiff/tif_pixarlog.c 2005-01-15 18:20:58.000000000 +0100 ++++ tiff-3.7.4/libtiff/tif_pixarlog.c 2006-05-03 12:55:40.000000000 +0200 +@@ -1163,24 +1163,29 @@ + { + PixarLogState* sp = (PixarLogState*) tif->tif_data; + +- if (sp) { +- if (sp->FromLT2) _TIFFfree(sp->FromLT2); +- if (sp->From14) _TIFFfree(sp->From14); +- if (sp->From8) _TIFFfree(sp->From8); +- if (sp->ToLinearF) _TIFFfree(sp->ToLinearF); +- if (sp->ToLinear16) _TIFFfree(sp->ToLinear16); +- if (sp->ToLinear8) _TIFFfree(sp->ToLinear8); +- if (sp->state&PLSTATE_INIT) { +- if (tif->tif_mode == O_RDONLY) +- inflateEnd(&sp->stream); +- else +- deflateEnd(&sp->stream); +- } +- if (sp->tbuf) +- _TIFFfree(sp->tbuf); +- _TIFFfree(sp); +- tif->tif_data = NULL; ++ assert(sp != 0); ++ ++ (void)TIFFPredictorCleanup(tif); ++ ++ tif->tif_tagmethods.vgetfield = sp->vgetparent; ++ tif->tif_tagmethods.vsetfield = sp->vsetparent; ++ ++ if (sp->FromLT2) _TIFFfree(sp->FromLT2); ++ if (sp->From14) _TIFFfree(sp->From14); ++ if (sp->From8) _TIFFfree(sp->From8); ++ if (sp->ToLinearF) _TIFFfree(sp->ToLinearF); ++ if (sp->ToLinear16) _TIFFfree(sp->ToLinear16); ++ if (sp->ToLinear8) _TIFFfree(sp->ToLinear8); ++ if (sp->state&PLSTATE_INIT) { ++ if (tif->tif_mode == O_RDONLY) ++ inflateEnd(&sp->stream); ++ else ++ deflateEnd(&sp->stream); + } ++ if (sp->tbuf) ++ _TIFFfree(sp->tbuf); ++ _TIFFfree(sp); ++ tif->tif_data = NULL; + } + + static int +diff -ruN tiff-3.7.4-old/libtiff/tif_predict.c tiff-3.7.4/libtiff/tif_predict.c +--- tiff-3.7.4-old/libtiff/tif_predict.c 2005-06-06 11:36:59.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_predict.c 2006-05-03 12:55:40.000000000 +0200 +@@ -519,6 +519,9 @@ + { + TIFFPredictorState *sp = PredictorState(tif); + ++ assert(sp != NULL); ++ assert(sp->vsetparent != NULL); ++ + switch (tag) { + case TIFFTAG_PREDICTOR: + sp->predictor = (uint16) va_arg(ap, int); +@@ -536,6 +539,9 @@ + { + TIFFPredictorState *sp = PredictorState(tif); + ++ assert(sp != NULL); ++ assert(sp->vgetparent != NULL); ++ + switch (tag) { + case TIFFTAG_PREDICTOR: + *va_arg(ap, uint16*) = sp->predictor; +@@ -570,6 +576,8 @@ + { + TIFFPredictorState* sp = PredictorState(tif); + ++ assert(sp != 0); ++ + /* + * Merge codec-specific tag information and + * override parent get/set field methods. +@@ -595,4 +603,20 @@ + return 1; + } + ++int ++TIFFPredictorCleanup(TIFF* tif) ++{ ++ TIFFPredictorState* sp = PredictorState(tif); ++ ++ assert(sp != 0); ++ ++ tif->tif_tagmethods.vgetfield = sp->vgetparent; ++ tif->tif_tagmethods.vsetfield = sp->vsetparent; ++ tif->tif_tagmethods.printdir = sp->printdir; ++ tif->tif_setupdecode = sp->setupdecode; ++ tif->tif_setupencode = sp->setupencode; ++ ++ return 1; ++} ++ + /* vim: set ts=8 sts=8 sw=8 noet: */ +diff -ruN tiff-3.7.4-old/libtiff/tif_predict.h tiff-3.7.4/libtiff/tif_predict.h +--- tiff-3.7.4-old/libtiff/tif_predict.h 2005-04-15 19:13:34.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_predict.h 2006-05-03 12:55:40.000000000 +0200 +@@ -55,6 +55,7 @@ + extern "C" { + #endif + extern int TIFFPredictorInit(TIFF*); ++extern int TIFFPredictorCleanup(TIFF*); + #if defined(__cplusplus) + } + #endif +diff -ruN tiff-3.7.4-old/libtiff/tif_zip.c tiff-3.7.4/libtiff/tif_zip.c +--- tiff-3.7.4-old/libtiff/tif_zip.c 2004-10-02 15:52:29.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_zip.c 2006-05-03 12:55:40.000000000 +0200 +@@ -249,17 +249,23 @@ + ZIPCleanup(TIFF* tif) + { + ZIPState* sp = ZState(tif); +- if (sp) { +- if (sp->state&ZSTATE_INIT) { +- /* NB: avoid problems in the library */ +- if (tif->tif_mode == O_RDONLY) +- inflateEnd(&sp->stream); +- else +- deflateEnd(&sp->stream); +- } +- _TIFFfree(sp); +- tif->tif_data = NULL; ++ ++ assert(sp != 0); ++ ++ (void)TIFFPredictorCleanup(tif); ++ ++ tif->tif_tagmethods.vgetfield = sp->vgetparent; ++ tif->tif_tagmethods.vsetfield = sp->vsetparent; ++ ++ if (sp->state&ZSTATE_INIT) { ++ /* NB: avoid problems in the library */ ++ if (tif->tif_mode == O_RDONLY) ++ inflateEnd(&sp->stream); ++ else ++ deflateEnd(&sp->stream); + } ++ _TIFFfree(sp); ++ tif->tif_data = NULL; + } + + static int --- tiff-3.7.4.orig/debian/patches/z_CVE-2011-0192.patch +++ tiff-3.7.4/debian/patches/z_CVE-2011-0192.patch @@ -0,0 +1,21 @@ +Description: fix denial of service and possible code execution via + buffer overflow in Fax4Decode +Origin: Thanks to Apple and Huzaifa Sidhpurwala + +Index: tiff-3.9.2/libtiff/tif_fax3.h +=================================================================== +--- tiff-3.9.2.orig/libtiff/tif_fax3.h 2005-12-12 01:23:11.000000000 -0800 ++++ tiff-3.9.2/libtiff/tif_fax3.h 2011-03-14 10:46:49.748757261 -0700 +@@ -478,6 +478,12 @@ + break; \ + case S_VL: \ + CHECK_b1; \ ++ if (b1 <= (int) (a0 + TabEnt->Param)) { \ ++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \ ++ unexpected("VL", a0); \ ++ goto eol2d; \ ++ } \ ++ } \ + SETVAL(b1 - a0 - TabEnt->Param); \ + b1 -= *--pb; \ + break; \ --- tiff-3.7.4.orig/debian/patches/z_CVE-2011-0191.patch +++ tiff-3.7.4/debian/patches/z_CVE-2011-0191.patch @@ -0,0 +1,18 @@ +Description: denial of service and possible code exection via + YCBCRSUBSAMPLING tag +Origin: Thanks to Apple + +diff -Naur tiff-3.7.4.orig//libtiff/tif_dir.c tiff-3.7.4/libtiff/tif_dir.c +--- tiff-3.7.4.orig//libtiff/tif_dir.c 2011-03-03 15:43:02.000000000 -0500 ++++ tiff-3.7.4/libtiff/tif_dir.c 2011-03-03 16:11:21.000000000 -0500 +@@ -385,6 +385,10 @@ + case TIFFTAG_YCBCRSUBSAMPLING: + td->td_ycbcrsubsampling[0] = (uint16) va_arg(ap, int); + td->td_ycbcrsubsampling[1] = (uint16) va_arg(ap, int); ++ if (td->td_ycbcrsubsampling[0] > 4) ++ td->td_ycbcrsubsampling[0] = (td->td_compression == 7) ? 1 : 2; ++ if (td->td_ycbcrsubsampling[1] > 4) ++ td->td_ycbcrsubsampling[1] = (td->td_compression == 7) ? 1 : 2; + break; + case TIFFTAG_WHITEPOINT: + _TIFFsetFloatArray(&td->td_whitepoint, va_arg(ap, float*), 2); --- tiff-3.7.4.orig/debian/patches/doc-typos.patch +++ tiff-3.7.4/debian/patches/doc-typos.patch @@ -0,0 +1,144 @@ +diff -ruN tiff-3.7.4-old/html/man/gif2tiff.1.html tiff-3.7.4/html/man/gif2tiff.1.html +--- tiff-3.7.4-old/html/man/gif2tiff.1.html 2005-03-06 12:03:07.000000000 +0100 ++++ tiff-3.7.4/html/man/gif2tiff.1.html 2006-06-01 15:51:03.000000000 +0200 +@@ -54,7 +54,7 @@ + TIFF. The TIFF image is + created as a palette image, with samples compressed with the + Lempel-Ziv & Welch algorithm (Compression=5). +-These characteristics can overriden, or explicitly specified ++These characteristics can overridden, or explicitly specified + with the options described below.

+ + +diff -ruN tiff-3.7.4-old/html/man/ppm2tiff.1.html tiff-3.7.4/html/man/ppm2tiff.1.html +--- tiff-3.7.4-old/html/man/ppm2tiff.1.html 2005-03-06 12:03:12.000000000 +0100 ++++ tiff-3.7.4/html/man/ppm2tiff.1.html 2006-06-01 15:51:03.000000000 +0200 +@@ -54,7 +54,7 @@ + packed (PlanarConfiguration=1), compressed with the + Lempel-Ziv & Welch algorithm (Compression=5), and + with each strip no more than 8 kilobytes. These +-characteristics can be overriden, or explicitly specified ++characteristics can be overridden, or explicitly specified + with the options described below

+ +

If the PPM file contains greyscale data, +diff -ruN tiff-3.7.4-old/html/man/ras2tiff.1.html tiff-3.7.4/html/man/ras2tiff.1.html +--- tiff-3.7.4-old/html/man/ras2tiff.1.html 2005-03-06 12:03:12.000000000 +0100 ++++ tiff-3.7.4/html/man/ras2tiff.1.html 2006-06-01 15:51:03.000000000 +0200 +@@ -55,7 +55,7 @@ + packed (PlanarConfiguration=1), compressed with the + Lempel-Ziv & Welch algorithm (Compression=5), and + with each strip no more than 8 kilobytes. These +-characteristics can overriden, or explicitly specified with ++characteristics can overridden, or explicitly specified with + the options described below.

+ +

Any colormap information in the rasterfile is carried +diff -ruN tiff-3.7.4-old/html/man/raw2tiff.1.html tiff-3.7.4/html/man/raw2tiff.1.html +--- tiff-3.7.4-old/html/man/raw2tiff.1.html 2005-03-06 12:03:12.000000000 +0100 ++++ tiff-3.7.4/html/man/raw2tiff.1.html 2006-06-01 15:51:03.000000000 +0200 +@@ -522,7 +522,7 @@ + indicate the right line size. That is why you should be + cautious with the very large images, because guessing + process may take a while (depending on your system +-perfomance). Of course, the utility can’t guess the ++performance). Of course, the utility can’t guess the + header size, number of bands and data type, so it should be + specified manually. If you don’t know anything about + your image, just try with the several combinations of those +diff -ruN tiff-3.7.4-old/html/man/sgi2tiff.1.html tiff-3.7.4/html/man/sgi2tiff.1.html +--- tiff-3.7.4-old/html/man/sgi2tiff.1.html 2005-03-06 12:03:13.000000000 +0100 ++++ tiff-3.7.4/html/man/sgi2tiff.1.html 2006-06-01 15:51:03.000000000 +0200 +@@ -55,7 +55,7 @@ + packed (PlanarConfiguration=1), compressed with the + Lempel-Ziv & Welch algorithm (Compression=5), and + with each strip no more than 8 kilobytes. These +-characteristics can overriden, or explicitly specified with ++characteristics can overridden, or explicitly specified with + the options described below.

+ + +diff -ruN tiff-3.7.4-old/html/man/tiffsv.1.html tiff-3.7.4/html/man/tiffsv.1.html +--- tiff-3.7.4-old/html/man/tiffsv.1.html 2005-03-06 12:03:19.000000000 +0100 ++++ tiff-3.7.4/html/man/tiffsv.1.html 2006-06-01 15:51:03.000000000 +0200 +@@ -56,7 +56,7 @@ + (PlanarConfiguration=1), compressed with the + Lempel-Ziv & Welch algorithm (Compression=5), and + with each strip no more than 8 kilobytes. These +-characteristics can be overriden, or explicitly specified ++characteristics can be overridden, or explicitly specified + with the options described below.

+ + +diff -ruN tiff-3.7.4-old/man/gif2tiff.1 tiff-3.7.4/man/gif2tiff.1 +--- tiff-3.7.4-old/man/gif2tiff.1 1999-07-27 23:50:27.000000000 +0200 ++++ tiff-3.7.4/man/gif2tiff.1 2006-06-01 15:51:03.000000000 +0200 +@@ -44,7 +44,7 @@ + image is created as a palette image, with samples + compressed with the Lempel-Ziv & Welch algorithm (\c + .IR Compression =5). +-These characteristics can overriden, or explicitly specified ++These characteristics can overridden, or explicitly specified + with the options described below. + .SH OPTIONS + .TP +diff -ruN tiff-3.7.4-old/man/ppm2tiff.1 tiff-3.7.4/man/ppm2tiff.1 +--- tiff-3.7.4-old/man/ppm2tiff.1 2003-05-05 12:41:17.000000000 +0200 ++++ tiff-3.7.4/man/ppm2tiff.1 2006-06-01 15:51:03.000000000 +0200 +@@ -51,7 +51,7 @@ + compressed with the Lempel-Ziv & Welch algorithm (\c + .IR Compression =5), + and with each strip no more than 8 kilobytes. +-These characteristics can be overriden, or explicitly specified ++These characteristics can be overridden, or explicitly specified + with the options described below + .PP + If the +diff -ruN tiff-3.7.4-old/man/ras2tiff.1 tiff-3.7.4/man/ras2tiff.1 +--- tiff-3.7.4-old/man/ras2tiff.1 1999-07-27 23:50:28.000000000 +0200 ++++ tiff-3.7.4/man/ras2tiff.1 2006-06-01 15:51:03.000000000 +0200 +@@ -46,7 +46,7 @@ + compressed with the Lempel-Ziv & Welch algorithm (\c + .IR Compression =5), + and with each strip no more than 8 kilobytes. +-These characteristics can overriden, or explicitly specified ++These characteristics can overridden, or explicitly specified + with the options described below. + .PP + Any colormap information in the rasterfile is carried over to the +diff -ruN tiff-3.7.4-old/man/raw2tiff.1 tiff-3.7.4/man/raw2tiff.1 +--- tiff-3.7.4-old/man/raw2tiff.1 2003-11-12 10:20:10.000000000 +0100 ++++ tiff-3.7.4/man/raw2tiff.1 2006-06-01 15:51:03.000000000 +0200 +@@ -175,7 +175,7 @@ + at the image center using several appropriate line sizes and the highest + absolute value of the coefficient will indicate the right line size. That is + why you should be cautious with the very large images, because guessing +-process may take a while (depending on your system perfomance). Of course, the ++process may take a while (depending on your system performance). Of course, the + utility can't guess the header size, number of bands and data type, so it + should be specified manually. If you don't know anything about your image, + just try with the several combinations of those options. +diff -ruN tiff-3.7.4-old/man/sgi2tiff.1 tiff-3.7.4/man/sgi2tiff.1 +--- tiff-3.7.4-old/man/sgi2tiff.1 1999-07-27 23:50:28.000000000 +0200 ++++ tiff-3.7.4/man/sgi2tiff.1 2006-06-01 15:51:03.000000000 +0200 +@@ -50,7 +50,7 @@ + compressed with the Lempel-Ziv & Welch algorithm (\c + .IR Compression =5), + and with each strip no more than 8 kilobytes. +-These characteristics can overriden, or explicitly specified ++These characteristics can overridden, or explicitly specified + with the options described below. + .SH OPTIONS + .TP +diff -ruN tiff-3.7.4-old/man/tiffsv.1 tiff-3.7.4/man/tiffsv.1 +--- tiff-3.7.4-old/man/tiffsv.1 1999-07-27 23:50:28.000000000 +0200 ++++ tiff-3.7.4/man/tiffsv.1 2006-06-01 15:51:03.000000000 +0200 +@@ -46,7 +46,7 @@ + compressed with the Lempel-Ziv & Welch algorithm (\c + .IR Compression =5), + and with each strip no more than 8 kilobytes. +-These characteristics can be overriden, or explicitly specified ++These characteristics can be overridden, or explicitly specified + with the options described below. + .SH OPTIONS + .TP --- tiff-3.7.4.orig/debian/patches/z_CVE-2011-1167.patch +++ tiff-3.7.4/debian/patches/z_CVE-2011-1167.patch @@ -0,0 +1,72 @@ +Description: fix arbitrary code execution via crafted + THUNDER_2BITDELTAS data +Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2300 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2300 + +diff -Naur tiff-3.8.2.ori//libtiff/tif_thunder.c tiff-3.8.2/libtiff/tif_thunder.c +--- tiff-3.8.2.ori//libtiff/tif_thunder.c 2005-12-21 07:33:56.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_thunder.c 2011-03-30 13:26:06.522487732 -0400 +@@ -25,6 +25,7 @@ + */ + + #include "tiffiop.h" ++#include + #ifdef THUNDER_SUPPORT + /* + * TIFF Library. +@@ -55,12 +56,32 @@ + static const int twobitdeltas[4] = { 0, 1, 0, -1 }; + static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; + +-#define SETPIXEL(op, v) { \ +- lastpixel = (v) & 0xf; \ +- if (npixels++ & 1) \ +- *op++ |= lastpixel; \ +- else \ ++#define SETPIXEL(op, v) { \ ++ lastpixel = (v) & 0xf; \ ++ if ( npixels < maxpixels ) \ ++ { \ ++ if (npixels++ & 1) \ ++ *op++ |= lastpixel; \ ++ else \ + op[0] = (tidataval_t) (lastpixel << 4); \ ++ } \ ++} ++ ++static int ++ThunderSetupDecode(TIFF* tif) ++{ ++ static const char module[] = "ThunderSetupDecode"; ++ ++ if( tif->tif_dir.td_bitspersample != 4 ) ++ { ++ TIFFError(module, ++ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", ++ (int) tif->tif_dir.td_bitspersample ); ++ return 0; ++ } ++ ++ ++ return (1); + } + + static int +@@ -142,7 +163,8 @@ + occ -= tif->tif_scanlinesize; + row += tif->tif_scanlinesize; + } +- return (1); ++ ++ return (1); + } + + int +@@ -151,6 +173,7 @@ + (void) scheme; + tif->tif_decoderow = ThunderDecodeRow; + tif->tif_decodestrip = ThunderDecodeRow; ++ tif->tif_setupdecode = ThunderSetupDecode; + return (1); + } + #endif /* THUNDER_SUPPORT */ --- tiff-3.7.4.orig/debian/patches/fix_43286_crasher.patch +++ tiff-3.7.4/debian/patches/fix_43286_crasher.patch @@ -0,0 +1,18 @@ +Index: libtiff/tif_jpeg.c +=================================================================== +RCS file: /cvs/maptools/cvsroot/libtiff/libtiff/tif_jpeg.c,v +retrieving revision 1.43 +retrieving revision 1.44 +diff -u -r1.43 -r1.44 +--- a/libtiff/tif_jpeg.c 7 Mar 2006 11:59:12 -0000 1.43 ++++ b/libtiff/tif_jpeg.c 15 Mar 2006 20:56:40 -0000 1.44 +@@ -1850,9 +1850,6 @@ + + assert(scheme == COMPRESSION_JPEG); + +- if ((tif->tif_flags & TIFF_CODERSETUP) == 0) +- JPEGCleanup(tif); +- + /* + * Allocate state block so tag methods have storage to record values. + */ --- tiff-3.7.4.orig/debian/patches/tiff2pdf-octal-printf.patch +++ tiff-3.7.4/debian/patches/tiff2pdf-octal-printf.patch @@ -0,0 +1,12 @@ +diff -ruN tiff-3.7.4-old/tools/tiff2pdf.c tiff-3.7.4/tools/tiff2pdf.c +--- tiff-3.7.4-old/tools/tiff2pdf.c 2005-06-23 15:30:28.000000000 +0200 ++++ tiff-3.7.4/tools/tiff2pdf.c 2006-06-02 18:15:11.000000000 +0200 +@@ -3758,7 +3758,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;i + +Index: tiff-3.8.2/libtiff/tif_fax3.c +=================================================================== +--- tiff-3.8.2.orig/libtiff/tif_fax3.c 2010-06-10 18:09:58.779641597 -0700 ++++ tiff-3.8.2/libtiff/tif_fax3.c 2010-06-10 18:11:50.949640612 -0700 +@@ -491,7 +491,16 @@ + td->td_compression == COMPRESSION_CCITTFAX4 + ); + +- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels; ++ if (needsRefLine) { ++ /* integer overflow check */ ++ if ((uint32)rowpixels > 0xffffffff - 32 || TIFFroundup(rowpixels,32) > 0xffffffff / 2) ++ return (0); ++ nruns = 2*TIFFroundup(rowpixels,32); ++ } else ++ nruns = rowpixels; ++ /* integer overflow check */ ++ if (nruns > (0xffffffff - 3) / 2) ++ return (0); + + dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32), + "for Group 3/4 run arrays"); --- tiff-3.7.4.orig/debian/patches/z_CVE-2010-2630.patch +++ tiff-3.7.4/debian/patches/z_CVE-2010-2630.patch @@ -0,0 +1,44 @@ +Description: fix denial of service via out-of-order tags +Origin: upstream, r1.92.2.13 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2210 + +diff -Naur tiff-3.7.4.orig//libtiff/tif_dirread.c tiff-3.7.4/libtiff/tif_dirread.c +--- tiff-3.7.4.orig//libtiff/tif_dirread.c 2011-03-03 15:43:32.000000000 -0500 ++++ tiff-3.7.4/libtiff/tif_dirread.c 2011-03-03 15:50:07.000000000 -0500 +@@ -82,6 +82,7 @@ + const TIFFFieldInfo* fip; + int fix; + uint16 dircount; ++ uint16 previous_tag = 0; + toff_t nextdiroff; + char* cp; + int diroutoforderwarning = 0; +@@ -248,23 +249,24 @@ + + if (dp->tdir_tag == IGNORE) + continue; +- if (fix >= tif->tif_nfields) +- fix = 0; + + /* + * Silicon Beach (at least) writes unordered + * directory tags (violating the spec). Handle + * it here, but be obnoxious (maybe they'll fix it?). + */ +- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { ++ if (dp->tdir_tag < previous_tag) { + if (!diroutoforderwarning) { + TIFFWarning(module, + "%s: invalid TIFF directory; tags are not sorted in ascending order", + tif->tif_name); + diroutoforderwarning = 1; + } +- fix = 0; /* O(n^2) */ + } ++ previous_tag = dp->tdir_tag; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; --- tiff-3.7.4.orig/debian/patches/CVE-2008-2327.patch +++ tiff-3.7.4/debian/patches/CVE-2008-2327.patch @@ -0,0 +1,58 @@ +--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_lzw.c 2008-08-17 11:31:32.994004551 -0400 +@@ -237,6 +237,13 @@ + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); ++ ++ + } + return (1); + } +@@ -408,12 +415,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFError(tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +619,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFError(tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; --- tiff-3.7.4.orig/debian/patches/CVE-2009-2347.patch +++ tiff-3.7.4/debian/patches/CVE-2009-2347.patch @@ -0,0 +1,166 @@ +# +# Description: fix arbitrary code execution via integer overflows in tiff2rgba and rgb2ycbcr +# +diff -Naur tiff-3.7.4.orig/tools/rgb2ycbcr.c tiff-3.7.4/tools/rgb2ycbcr.c +--- tiff-3.7.4.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400 ++++ tiff-3.7.4/tools/rgb2ycbcr.c 2009-07-13 09:30:34.000000000 -0400 +@@ -202,6 +202,17 @@ + #undef LumaBlue + #undef V2Code + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + /* + * Convert a strip of RGB data to YCbCr and + * sample to generate the output data. +@@ -278,10 +289,19 @@ + float floatv; + char *stringv; + uint32 longv; ++ tsize_t raster_size; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +diff -Naur tiff-3.7.4.orig/tools/tiff2rgba.c tiff-3.7.4/tools/tiff2rgba.c +--- tiff-3.7.4.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500 ++++ tiff-3.7.4/tools/tiff2rgba.c 2009-07-13 09:30:34.000000000 -0400 +@@ -124,6 +124,17 @@ + return (0); + } + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + static int + cvt_by_tile( TIFF *in, TIFF *out ) + +@@ -133,6 +144,7 @@ + uint32 tile_width, tile_height; + uint32 row, col; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -150,7 +162,14 @@ + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) tile_width, (unsigned long) tile_height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -158,7 +177,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + if (!wrk_line) { +@@ -226,6 +245,7 @@ + uint32 width, height; /* image width & height */ + uint32 row; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -241,7 +261,14 @@ + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) rowsperstrip); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -249,7 +276,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + if (!wrk_line) { +@@ -328,14 +355,22 @@ + uint32* raster; /* retrieve RGBA image */ + uint32 width, height; /* image width & height */ + uint32 row; +- ++ tsize_t raster_size; ++ + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); + + rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -353,7 +388,7 @@ + */ + if( no_alpha ) + { +- int pixel_count = width * height; ++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; + unsigned char *src, *dst; + + src = (unsigned char *) raster; --- tiff-3.7.4.orig/debian/patches/soname.patch +++ tiff-3.7.4/debian/patches/soname.patch @@ -0,0 +1,36 @@ +--- a/libtiff/Makefile.am.qdist 2005-07-12 12:02:04.000000000 -0400 ++++ b/libtiff/Makefile.am 2005-10-07 10:32:23.073588096 -0400 +@@ -108,7 +108,7 @@ + libtiff_la_SOURCES = $(SRCS) + libtiff_la_LDFLAGS = \ + -no-undefined \ +- -version-number $(LIBTIFF_VERSION_INFO) ++ -version-number 4:1:4 + if HAVE_RPATH + libtiff_la_LDFLAGS += $(LIBDIR) + endif +@@ -117,7 +117,7 @@ + libtiffxx_la_SOURCES = $(SRCSXX) + libtiffxx_la_LDFLAGS = \ + -no-undefined \ +- -version-number $(LIBTIFF_VERSION_INFO) ++ -version-number 0:0:4 + if HAVE_RPATH + libtiffxx_la_LDFLAGS += $(LIBDIR) + endif +--- a/libtiff/Makefile.in.qdist 2005-09-12 12:33:05.000000000 -0400 ++++ b/libtiff/Makefile.in 2005-10-07 10:32:44.971259144 -0400 +@@ -344,11 +344,11 @@ + lib_LTLIBRARIES = libtiff.la $(am__append_2) + libtiff_la_SOURCES = $(SRCS) + libtiff_la_LDFLAGS = -no-undefined -version-number \ +- $(LIBTIFF_VERSION_INFO) $(am__append_3) ++ 4:1:4 $(am__append_3) + libtiff_la_LIBADD = $(LIBPORT) + libtiffxx_la_SOURCES = $(SRCSXX) + libtiffxx_la_LDFLAGS = -no-undefined -version-number \ +- $(LIBTIFF_VERSION_INFO) $(am__append_4) ++ 0:0:4 $(am__append_4) + libtiffxx_la_LIBADD = $(LIBTIFF) $(LIBPORT) + libtiffxx_la_DEPENDENCIES = libtiff.la + mkg3states_SOURCES = mkg3states.c tif_fax3.h --- tiff-3.7.4.orig/debian/patches/tiffsplit-fname-overflow.patch +++ tiff-3.7.4/debian/patches/tiffsplit-fname-overflow.patch @@ -0,0 +1,20 @@ +diff -ruN tiff-3.7.4-old/tools/tiffsplit.c tiff-3.7.4/tools/tiffsplit.c +--- tiff-3.7.4-old/tools/tiffsplit.c 2005-05-26 20:38:48.000000000 +0200 ++++ tiff-3.7.4/tools/tiffsplit.c 2006-06-01 16:00:11.000000000 +0200 +@@ -60,14 +60,13 @@ + return (-3); + } + if (argc > 2) +- strcpy(fname, argv[2]); ++ snprintf(fname, sizeof(fname), "%s", argv[2]); + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); +- strcat(path, ".tif"); ++ snprintf(path, sizeof(path), "%s.tif", fname); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) + return (-2); --- tiff-3.7.4.orig/debian/patches/z_CVE-2010-2597.patch +++ tiff-3.7.4/debian/patches/z_CVE-2010-2597.patch @@ -0,0 +1,21 @@ +Description: fix denial of service via devide-by-zero +Origin: backport, r1.19.2.3 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2215 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/593067 + +diff -Naur tiff-3.7.4.orig//libtiff/tif_strip.c tiff-3.7.4/libtiff/tif_strip.c +--- tiff-3.7.4.orig//libtiff/tif_strip.c 2004-10-26 14:18:01.000000000 -0400 ++++ tiff-3.7.4/libtiff/tif_strip.c 2011-03-03 15:47:50.000000000 -0500 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { --- tiff-3.7.4.orig/debian/patches/CVE-2006-3459-3465.patch +++ tiff-3.7.4/debian/patches/CVE-2006-3459-3465.patch @@ -0,0 +1,635 @@ +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_dir.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_dir.c +--- tiff-3.7.4/libtiff/tif_dir.c 2005-09-08 10:18:41.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_dir.c 2006-08-02 13:21:13.000000000 +0200 +@@ -40,6 +40,22 @@ + #define DATATYPE_UINT 2 /* !unsigned integer data */ + #define DATATYPE_IEEEFP 3 /* !IEEE floating point data */ + ++static char * ++CheckMalloc(TIFF* tif, size_t nmemb, size_t elem_size, const char* what) ++{ ++ char *cp = NULL; ++ tsize_t bytes = nmemb * elem_size; ++ ++ if (nmemb && elem_size && bytes / elem_size == nmemb) ++ cp = (char*) _TIFFmalloc(bytes); ++ ++ if (cp == NULL) ++ TIFFError(tif->tif_name, "No space %s", what); ++ ++ return (cp); ++} ++ ++ + static void + setByteArray(void** vpp, void* vp, size_t nmemb, size_t elem_size) + { +@@ -122,6 +138,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -196,10 +213,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarning(tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -436,11 +455,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFError(module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -515,7 +538,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = CheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -592,7 +615,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -601,12 +624,12 @@ + return (status); + badvalue: + TIFFError(module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFError(module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvaluedbl: +@@ -886,12 +909,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFError("_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_dirinfo.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_dirinfo.c +--- tiff-3.7.4/libtiff/tif_dirinfo.c 2005-07-28 10:49:23.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_dirinfo.c 2006-08-02 13:21:13.000000000 +0200 +@@ -636,7 +636,8 @@ + TIFFError("TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -650,7 +651,8 @@ + if (!fip) { + TIFFError("TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_dirread.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_dirread.c +--- tiff-3.7.4/libtiff/tif_dirread.c 2006-08-02 13:21:12.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_dirread.c 2006-08-02 13:24:02.000000000 +0200 +@@ -84,6 +84,7 @@ + toff_t nextdiroff; + char* cp; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -151,11 +152,17 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFError(module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- taviso@google.com, 14 Jun 2006. ++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off + sizeof (uint16) < off) { ++ TIFFError(module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else + _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); + off += sizeof (uint16); +@@ -264,12 +271,17 @@ + "%s: unknown field with tag %d (0x%x) encountered", + tif->tif_name, dp->tdir_tag, dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo( tif, +- _TIFFCreateAnonFieldInfo( tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type ), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) +@@ -326,6 +338,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -533,6 +546,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -549,7 +563,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -573,6 +587,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Plexus (and others) sometimes give a value + * of zero for a tag when they don't know what +@@ -583,7 +598,7 @@ + TIFFWarning(module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -682,7 +697,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -759,16 +780,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarning(tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarning(tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -782,6 +805,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -824,7 +848,7 @@ + return (cc); + bad: + TIFFError(tif->tif_name, "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return ((tsize_t) 0); + } + +@@ -850,10 +874,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFError(tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1077,6 +1103,20 @@ + { + int i; + ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- taviso@google.com 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarning(tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1140,14 +1180,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFError(tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1162,6 +1203,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1303,6 +1347,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1320,9 +1365,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFError(tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1344,6 +1390,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1361,9 +1408,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFError(tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1385,6 +1433,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1402,9 +1451,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFError(tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_fax3.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_fax3.c +--- tiff-3.7.4/libtiff/tif_fax3.c 2006-08-02 13:21:12.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_fax3.c 2006-08-02 13:21:13.000000000 +0200 +@@ -1122,6 +1122,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1167,7 +1168,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_jpeg.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_jpeg.c +--- tiff-3.7.4/libtiff/tif_jpeg.c 2006-08-02 13:21:12.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_jpeg.c 2006-08-02 13:26:09.000000000 +0200 +@@ -710,15 +710,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarning(module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ TIFFError(module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -749,6 +765,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. ++ * -- taviso@google.com 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFError(module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1502,15 +1534,17 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + ++ if (sp != NULL) { + if( sp->cinfo_initialized ) + TIFFjpeg_destroy(sp); /* release libjpeg resources */ + if (sp->jpegtables) /* tag value */ + _TIFFfree(sp->jpegtables); ++ } + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + } +@@ -1520,6 +1554,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1585,7 +1620,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1705,7 +1746,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarning("JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_next.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_next.c +--- tiff-3.7.4/libtiff/tif_next.c 2004-11-07 12:08:36.000000000 +0100 ++++ tiff-3.7.4/libtiff/tif_next.c 2006-08-02 13:21:13.000000000 +0200 +@@ -105,11 +105,16 @@ + * as codes of the form + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- taviso@google.com 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < scanline) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_pixarlog.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_pixarlog.c +--- tiff-3.7.4/libtiff/tif_pixarlog.c 2006-08-02 13:21:12.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_pixarlog.c 2006-08-02 13:21:13.000000000 +0200 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- taviso@google.com 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarning(module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, +diff -Nur tiff-3.7.4/build-tree/tiff-3.7.4/libtiff/tif_read.c tiff-3.7.4.new/build-tree/tiff-3.7.4/libtiff/tif_read.c +--- tiff-3.7.4/libtiff/tif_read.c 2005-04-15 19:13:34.000000000 +0200 ++++ tiff-3.7.4/libtiff/tif_read.c 2006-08-02 13:21:13.000000000 +0200 +@@ -272,7 +272,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ (td->td_stripoffset[strip] + bytecount) < td->td_stripoffset[strip]) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +476,14 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if ( td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ (td->td_stripoffset[tile] + bytecount) < ++ td->td_stripoffset[tile]) { + tif->tif_curtile = NOTILE; + return (0); + } --- tiff-3.7.4.orig/debian/patches/CVE-2009-2285.patch +++ tiff-3.7.4/debian/patches/CVE-2009-2285.patch @@ -0,0 +1,29 @@ +# +# Description: fix denial of service via buffer underflow in the LZWDecodeCompat function +# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/380149 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534137 +# Upstream: http://bugzilla.maptools.org/show_bug.cgi?id=2065 +# Upstream: http://bugzilla.maptools.org/show_bug.cgi?id=1985 +# Patch: http://bugzilla.maptools.org/attachment.cgi?id=279 +# +diff -Naur tiff-3.7.4.orig/libtiff/tif_lzw.c tiff-3.7.4/libtiff/tif_lzw.c +--- tiff-3.7.4.orig/libtiff/tif_lzw.c 2009-07-03 15:16:44.000000000 -0400 ++++ tiff-3.7.4/libtiff/tif_lzw.c 2009-07-03 15:19:14.000000000 -0400 +@@ -422,7 +422,7 @@ + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFError(tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); +@@ -626,7 +626,7 @@ + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFError(tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); --- tiff-3.7.4.orig/debian/libtiff-tools.lintian +++ tiff-3.7.4/debian/libtiff-tools.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff-tools: description-synopsis-starts-with-a-capital-letter --- tiff-3.7.4.orig/debian/libtiffxx0c2.shlibs +++ tiff-3.7.4/debian/libtiffxx0c2.shlibs @@ -0,0 +1 @@ +libtiffxx 0 libtiffxx0c2 --- tiff-3.7.4.orig/debian/libtiff4-dev.doc-base +++ tiff-3.7.4/debian/libtiff4-dev.doc-base @@ -0,0 +1,9 @@ +Document: libtiff4-dev +Title: TIFF Software +Author: Sam Leffler +Abstract: Support for the Tag Image File Format (TIFF) for storing image data. +Section: Apps/Graphics + +Format: HTML +Index: /usr/share/doc/libtiff4/html/index.html +Files: /usr/share/doc/libtiff4/html/*.html --- tiff-3.7.4.orig/debian/README.Debian +++ tiff-3.7.4/debian/README.Debian @@ -0,0 +1,23 @@ +libtiff for Debian ++----------------+ + +This version of libtiff is installed with a different shared library +soname from the upstream version. This is because an accidental +change to the library's ABI was introduced somewhere between 3.5.7 and +3.6.1. There are no source-level incompatibilities between 3.5.7 and +the current version, so any application that worked with 3.5.7 should +work fine when recompiled with the libtiff4 packages. + +libtiff version 3.7.1 introduced an experimental and somewhat volatile +C++ interface. To use it, you must link against -ltiffxx. Please +note that the API and ABI of the C++ library may be unstable for a +while. + +Example tiff files are available: + + ftp://ftp.remotesensing.org/pub/libtiff/pics-.tar.gz + +These files may be useful for people testing software to make sure it +can work with a wide variety of tiff files. + + -- Jay Berkenbilt , Sat Jul 9 12:23:38 2005 --- tiff-3.7.4.orig/debian/libtiff4.shlibs +++ tiff-3.7.4/debian/libtiff4.shlibs @@ -0,0 +1 @@ +libtiff 4 libtiff4 --- tiff-3.7.4.orig/debian/libtiff-opengl.lintian +++ tiff-3.7.4/debian/libtiff-opengl.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff-opengl: description-synopsis-starts-with-a-capital-letter --- tiff-3.7.4.orig/tiff-3.7.4.tar.gz.cdbs-config_list +++ tiff-3.7.4/tiff-3.7.4.tar.gz.cdbs-config_list @@ -0,0 +1,2 @@ +tiff-3.7.4/config/config.guess +tiff-3.7.4/config/config.sub