--- tiff-3.8.2.orig/debian/libtiff4.install +++ tiff-3.8.2/debian/libtiff4.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libtiff.so.* --- tiff-3.8.2.orig/debian/libtiffxx0c2.install +++ tiff-3.8.2/debian/libtiffxx0c2.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libtiffxx.so.* --- tiff-3.8.2.orig/debian/copyright +++ tiff-3.8.2/debian/copyright @@ -0,0 +1,37 @@ +libtiff was originally debianized by Guy Maor and +later maintained by Josip Rodin . Jay +Berkenbilt repackaged it in conjunction with the +3.7.0 release and is now the primary maintainer. + +Original source can be found at: http://www.remotesensing.org/libtiff/ + +Copyright (C) 1988-1997 Sam Leffler +Copyright (C) 1991-1997 Silicon Graphics, Inc. +Portions Copyright (C) 1985-1987, 1990 Regents of the University of California +Portions Copyright (C) 1990, 1991 Digital Equipment Corporation +Portions Copyright (C) 1990 Sun Microsystems, Inc. +Portions Copyright (C) 1990, 1995 Frank D. Cringle +Portions Copyright (C) 1996 BancTec AB +Portions Copyright (C) 1996 Mike Johnson +Portions Copyright (C) 1996 Pixar +Portions Copyright (C) 1997 Greg Ward Larson +Portions Copyright (C) 2000 Frank Warmerdam + +Permission to use, copy, modify, distribute, and sell this software and +its documentation for any purpose is hereby granted without fee, provided +that (i) the above copyright notices and this permission notice appear in +all copies of the software and related documentation, and (ii) the names of +Sam Leffler and Silicon Graphics may not be used in any advertising or +publicity relating to the software without the specific, prior written +permission of Sam Leffler and Silicon Graphics. + +THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, +EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY +WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +IN NO EVENT SHALL SAM LEFFLER OR SILICON GRAPHICS BE LIABLE FOR +ANY SPECIAL, INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, +OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, +WHETHER OR NOT ADVISED OF THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF +LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE +OF THIS SOFTWARE. --- tiff-3.8.2.orig/debian/control +++ tiff-3.8.2/debian/control @@ -0,0 +1,64 @@ +Source: tiff +Section: libs +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Jay Berkenbilt +Uploaders: Josip Rodin +Build-Depends: cdbs, debhelper (>= 4.1.0), zlib1g-dev, libjpeg62-dev, libxmu-dev, libglu1-mesa-dev, freeglut3-dev, libxi-dev +Standards-Version: 3.7.2 + +Package: libtiff4 +Architecture: any +Depends: ${shlibs:Depends} +Description: Tag Image File Format (TIFF) library + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes the shared library. + +Package: libtiffxx0c2 +Architecture: any +Depends: ${shlibs:Depends} +Conflicts: libtiffxx0 +Replaces: libtiffxx0 +Description: Tag Image File Format (TIFF) library -- C++ interface + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes the shared library for the experimental C++ interfaces. + +Package: libtiff4-dev +Section: libdevel +Architecture: any +Depends: libtiff4 (= ${Source-Version}), libtiffxx0c2 (= ${Source-Version}), libc6-dev | libc-dev, zlib1g-dev, libjpeg62-dev +Conflicts: libtiff3g-dev, libtiff3-dev, libtiff-dev +Provides: libtiff-dev +Replaces: libtiff4 (<< 3.8.2-7ubuntu1) +Description: Tag Image File Format library (TIFF), development files + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes the development files, static library, and header files. + +Package: libtiff-tools +Section: graphics +Architecture: any +Depends: ${shlibs:Depends} +Suggests: libtiff-opengl +Conflicts: libtiff3 (<< 3.4beta037-1), libtiff3-gif +Replaces: libtiff3-gif +Description: TIFF manipulation and conversion tools + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + includes tools for converting TIFF images to and from other formats + and tools for doing simple manipulations of TIFF images. See also + libtiff-opengl. + +Package: libtiff-opengl +Section: graphics +Architecture: any +Depends: ${shlibs:Depends} +Replaces: libtiff-tools (<< 3.7.0-2) +Description: TIFF manipulation and conversion tools + libtiff is a library providing support for the Tag Image File Format + (TIFF), a widely used format for storing image data. This package + contains libtiff tools that depend upon opengl. It complements the + libtiff-tools package, which contains the libtiff tools that don't + depend upon opengl. --- tiff-3.8.2.orig/debian/rules +++ tiff-3.8.2/debian/rules @@ -0,0 +1,45 @@ +#!/usr/bin/make -f + +# Variables used by cdbs +VERSION := $(shell dpkg-parsechangelog | \ + awk '/Version:/ {print $$2}' | cut -d- -f 1) +DEB_TAR_SRCDIR = tiff-$(VERSION) +DEB_COMPRESS_EXCLUDE = html +export CPPFLAGS = -D_REENTRANT + +# Include cdbs rules files. +include /usr/share/cdbs/1/rules/tarball.mk +include /usr/share/cdbs/1/rules/simple-patchsys.mk +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/class/autotools.mk + +DEB_CONFIGURE_USER_FLAGS = --with-docdir="\$${prefix}/share/doc/libtiff4" + +# As 0.4.21, cdbs creates but doesn't remove debian/compat. It +# creates it conditionally, so this doesn't have a trivial fix. +clean:: + $(RM) debian/compat *.cdbs-config_list + $(RM) debian/*.preinst + +# tiffgt is in libtiff-opengl so libtiff-tools doesn't have to have +# all the X and opengl dependencies. +binary-post-install/libtiff-tools:: + $(RM) debian/libtiff-tools/usr/bin/tiffgt + $(RM) debian/libtiff-tools/usr/share/man/man1/tiffgt.1* + +# Install lintian override files and create preinst +binary-post-install/%:: + if [ -f debian/$*.lintian ]; then \ + mkdir -p debian/$*/usr/share/lintian/overrides && \ + cp -p debian/$*.lintian debian/$*/usr/share/lintian/overrides/$*; \ + fi + if [ "$*" != "libtiff4" ]; then \ + sed -e s/PKG/$*/g < debian/all-preinst > debian/$*.preinst; \ + fi + +# Point everyone's /usr/share/doc entry to libtiff4's +binary-predeb/%:: + if [ "$*" != "libtiff4" ]; then \ + $(RM) -r debian/$*/usr/share/doc/$*; \ + ln -s libtiff4 debian/$*/usr/share/doc/$*; \ + fi --- tiff-3.8.2.orig/debian/libtiff-opengl.install +++ tiff-3.8.2/debian/libtiff-opengl.install @@ -0,0 +1,2 @@ +debian/tmp/usr/bin/tiffgt +debian/tmp/usr/share/man/man1/tiffgt.1 --- tiff-3.8.2.orig/debian/libtiff-tools.install +++ tiff-3.8.2/debian/libtiff-tools.install @@ -0,0 +1,2 @@ +debian/tmp/usr/bin +debian/tmp/usr/share/man/man1 --- tiff-3.8.2.orig/debian/watch +++ tiff-3.8.2/debian/watch @@ -0,0 +1,2 @@ +version=3 +ftp://ftp.remotesensing.org/pub/libtiff/tiff-([\d\.]+).tar.gz --- tiff-3.8.2.orig/debian/libtiff4-dev.lintian +++ tiff-3.8.2/debian/libtiff4-dev.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff4-dev: description-synopsis-starts-with-a-capital-letter --- tiff-3.8.2.orig/debian/libtiffxx0c2.lintian +++ tiff-3.8.2/debian/libtiffxx0c2.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiffxx0c2: description-synopsis-starts-with-a-capital-letter --- tiff-3.8.2.orig/debian/changelog +++ tiff-3.8.2/debian/changelog @@ -0,0 +1,637 @@ +tiff (3.8.2-7ubuntu3.13) hardy-security; urgency=low + + * SECURITY UPDATE: possible arbitrary code execution via heap overflow + in tiff2pdf. + - debian/patches/z_CVE-2012-3401.patch: properly set t2p->t2p_error in + tools/tiff2pdf.c. + - CVE-2012-3401 + + -- Marc Deslauriers Mon, 16 Jul 2012 10:06:03 -0400 + +tiff (3.8.2-7ubuntu3.12) hardy-security; urgency=low + + * SECURITY UPDATE: possible arbitrary code execution via buffer overflow + due to type-conversion flaw (LP: #1016324) + - debian/patches/z_CVE-2012-2088.patch: check for overflows in + libtiff/tif_strip.c and libtiff/tif_tile.c. + - CVE-2012-2088 + * SECURITY UPDATE: possible arbitrary code execution via integer + overflows in tiff2pdf (LP: #1016324) + - debian/patches/z_CVE-2012-2113.patch: check for overflows in + tools/tiff2pdf.c. + - CVE-2012-2113 + + -- Marc Deslauriers Wed, 04 Jul 2012 11:15:53 -0400 + +tiff (3.8.2-7ubuntu3.11) hardy-security; urgency=low + + * No-change rebuild to get lpia package. + + -- Marc Deslauriers Thu, 05 Apr 2012 09:09:36 -0400 + +tiff (3.8.2-7ubuntu3.10) hardy-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution via + tiffdump + - debian/patches/z_CVE-2010-4665.patch: prevent integer overflow in + tools/tiffdump.c. + - CVE-2010-4665 + * SECURITY UPDATE: arbitrary code execution via size overflow + - debian/patches/z_CVE-2012-1173.patch: use TIFFSafeMultiply in + libtiff/tif_getimage.c, fix TIFFSafeMultiply in libtiff/tiffiop.h. + - CVE-2012-1173 + * debian/patches/CVE-2010-1411.patch: updated to use actual upstream fix + and to get TIFFSafeMultiply macro. + + -- Marc Deslauriers Mon, 02 Apr 2012 12:15:45 -0400 + +tiff (3.8.2-7ubuntu3.9) hardy-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via crafted + THUNDER_2BITDELTAS data + - debian/patches/z_CVE-2011-1167.patch: validate bitspersample and + make sure npixels is sane in libtiff/tif_thunder.c. + - CVE-2011-1167 + + -- Marc Deslauriers Wed, 30 Mar 2011 13:27:02 -0400 + +tiff (3.8.2-7ubuntu3.8) hardy-security; urgency=low + + * debian/patches/CVE-2011-0192.patch: update for regression in + processing of certain CCITTFAX4 files (LP: #731540). + - http://bugzilla.maptools.org/show_bug.cgi?id=2297 + + -- Kees Cook Mon, 14 Mar 2011 11:16:23 -0700 + +tiff (3.8.2-7ubuntu3.7) hardy-security; urgency=low + + * SECURITY UPDATE: denial of service via invalid ReferenceBlackWhite + values + - debian/patches/z_CVE-2010-2595.patch: validate values in + libtiff/tif_color.c. + - CVE-2010-2595 + * SECURITY UPDATE: denial of service via devide-by-zero (LP: #593067) + - debian/patches/z_CVE-2010-2597.patch: properly initialize fields in + libtiff/tif_strip.c. + - CVE-2010-2597 + - CVE-2010-2598 + * SECURITY UPDATE: denial of service via out-of-order tags + - debian/patches/z_CVE-2010-2630.patch: correctly handle order in + libtiff/tif_dirread.c. + - CVE-2010-2630 + * SECURITY UPDATE: denial of service and possible code exection via + YCBCRSUBSAMPLING tag + - debian/patches/z_CVE-2011-0191.patch: validate td_ycbcrsubsampling in + libtiff/tif_dir.c. + - CVE-2011-0191 + * SECURITY UPDATE: denial of service and possible code execution via + buffer overflow in Fax4Decode + - debian/patches/z_CVE-2011-0192.patch: check length in + libtiff/tif_fax3.h. + - CVE-2011-0192 + + -- Marc Deslauriers Fri, 04 Mar 2011 10:08:57 -0500 + +tiff (3.8.2-7ubuntu3.6) hardy-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution and crashes via multiple + integer overflows. Backported upstream fixes: + - debian/patches/CVE-2010-1411.patch + - debian/patches/fix-unknown-tags.patch + + -- Kees Cook Thu, 17 Jun 2010 12:00:56 -0700 + +tiff (3.8.2-7ubuntu3.4) hardy-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via integer overflows in + tiff2rgba and rgb2ycbcr + - debian/patches/CVE-2009-2347.patch: check for integer overflows in + tools/rgb2ycbcr.c and tools/tiff2rgba.c. + - CVE-2009-2347 + + -- Marc Deslauriers Mon, 13 Jul 2009 09:25:56 -0400 + +tiff (3.8.2-7ubuntu3.2) hardy-security; urgency=low + + * SECURITY UPDATE: denial of service via buffer underflow in the + LZWDecodeCompat function (LP: #380149) + - debian/patches/CVE-2009-2285.patch: abort if code is bigger than + CODE_CLEAR in libtiff/tif_lzw.c. + - CVE-2009-2285 + + -- Marc Deslauriers Fri, 03 Jul 2009 14:54:05 -0400 + +tiff (3.8.2-7ubuntu3.1) hardy-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via LZW overflow. + * Add debian/patches/CVE-2008-2327.patch: thanks to Jay Berkenbilt. + + -- Kees Cook Fri, 29 Aug 2008 11:59:21 -0700 + +tiff (3.8.2-7ubuntu3) hardy; urgency=low + + * Rebuild with recent g++ compiler version. + + -- Matthias Klose Thu, 03 Apr 2008 11:25:07 +0000 + +tiff (3.8.2-7ubuntu2) gutsy; urgency=low + + * Fix package conflict. + + -- Matthias Klose Fri, 05 Oct 2007 13:16:34 +0200 + +tiff (3.8.2-7ubuntu1) gutsy; urgency=low + + * Move the html docs from libtiff4 into libtiff4-dev. + * Set Ubuntu maintainer address. + + -- Matthias Klose Fri, 05 Oct 2007 08:49:20 +0000 + +tiff (3.8.2-7) unstable; urgency=high + + * Replace empty directories in /usr/share/doc with links during package + upgrade. (Closes: #404631) + + -- Jay Berkenbilt Tue, 2 Jan 2007 15:50:50 -0500 + +tiff (3.8.2-6) unstable; urgency=high + + * Add watch file + * Tavis Ormandy of the Google Security Team discovered several problems + in the TIFF library. The Common Vulnerabilities and Exposures project + identifies the following issues: + - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in + tif_dirread.c + - CVE-2006-3460: A heap overflow vulnerability was discovered in the + jpeg decoder + - CVE-2006-3461: A heap overflow exists in the PixarLog decoder + - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap + overflow + - CVE-2006-3463: An infinite loop was discovered in + EstimateStripByteCounts() + - CVE-2006-3464: Multiple unchecked arithmetic operations were + uncovered, including a number of the range checking operations + deisgned to ensure the offsets specified in tiff directories are + legitimate. + - A number of codepaths were uncovered where assertions did not hold + true, resulting in the client application calling abort() + - CVE-2006-3465: A flaw was also uncovered in libtiffs custom tag + support + + -- Jay Berkenbilt Mon, 31 Jul 2006 18:14:59 -0400 + +tiff (3.8.2-5) unstable; urgency=low + + * Fix logic error that caused -q flag to be ignored when doing jpeg + compression with tiff2pdf. (Closes: #373102) + + -- Jay Berkenbilt Mon, 19 Jun 2006 18:55:38 -0400 + +tiff (3.8.2-4) unstable; urgency=high + + * SECURITY UPDATE: Arbitrary command execution with crafted TIF files. + Thanks to Martin Pitt. (Closes: #371064) + * Add debian/patches/tiff2pdf-octal-printf.patch: + - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal + signed char (it printed a signed integer, which overflew the buffer and + was wrong anyway). + - CVE-2006-2193 + + -- Jay Berkenbilt Wed, 7 Jun 2006 17:52:12 -0400 + +tiff (3.8.2-3) unstable; urgency=high + + * SECURITY UPDATE: Arbitrary command execution with crafted long file + names. Thanks to Martin Pitt for forwarding this. + Add debian/patches/tiffsplit-fname-overflow.patch: + - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the + user-specified file name into a statically sized buffer. + CVE-2006-2656. (Closes: #369819) + * Update standards version to 3.7.2. No changes required. + * Moved doc-base information to libtiff4 instead of libtiff4-dev. + + -- Jay Berkenbilt Thu, 1 Jun 2006 21:24:21 -0400 + +tiff (3.8.2-2) unstable; urgency=low + + * Fix build dependencies to get OpenGL utility libraries after new Xorg + packaging. (Closes: #365722) + * Updated standards version to 3.7.0; no changes required to package. + + -- Jay Berkenbilt Tue, 2 May 2006 10:10:45 -0400 + +tiff (3.8.2-1) unstable; urgency=low + + * New upstream release + + -- Jay Berkenbilt Tue, 28 Mar 2006 21:42:33 -0500 + +tiff (3.8.0-3) unstable; urgency=low + + * Switched build dependency from xlibmesa-gl-dev to libgl1-mesa-dev + (incorporating Ubunutu patch) + * Incorporated patch from upstream to fix handling of RGBA tiffs in + tiff2pdf. (Closes: #352849) + + -- Jay Berkenbilt Sun, 26 Feb 2006 13:21:17 -0500 + +tiff (3.8.0-2) unstable; urgency=low + + * Applied fixes from upstream to address a memory access violation + [CVE-2006-0405]. (Closes: #350715, #351223) + + -- Jay Berkenbilt Fri, 3 Feb 2006 21:48:39 -0500 + +tiff (3.8.0-1) unstable; urgency=low + + * New upstream release. (Closes: #349921) + * NOTE: The debian version of 3.8.0 includes a patch to correct a binary + incompatibility in the original 3.8.0 release. This libtiff package + is binary compatible with 3.7.4 and will be binary compatible with the + upcoming 3.8.1 release. + + -- Jay Berkenbilt Fri, 27 Jan 2006 21:38:58 -0500 + +tiff (3.7.4-1) unstable; urgency=low + + * New upstream release + * Fix typos in manual page (Closes: #327921, #327922, #327923, #327924) + + -- Jay Berkenbilt Fri, 7 Oct 2005 10:25:49 -0400 + +tiff (3.7.3-1) unstable; urgency=low + + * New upstream release + * g++ 4.0 transition: libtiffxx0 is now libtiffxx0c2. + + -- Jay Berkenbilt Sat, 9 Jul 2005 12:00:44 -0400 + +tiff (3.7.2-3) unstable; urgency=high + + * Fix for exploitable segmentation fault on files with bad BitsPerSample + values. (Closes: #309739) + [libtiff/tif_dirread.c, CAN-2005-1544] + Thanks to Martin Pitt for the report. + + -- Jay Berkenbilt Thu, 19 May 2005 05:41:28 -0400 + +tiff (3.7.2-2) unstable; urgency=high + + * Fix zero pagesize bug with tiff2ps -a2 and tiff2ps -a3. Thanks to + Patrice Fournier for the patch. (Closes: #303583) + * Note: uploading with urgency=high since this very small fix impacts + tools only (not the library), and we don't want to block tiff's many + reverse dependencies from transitioning to sarge. + + -- Jay Berkenbilt Sun, 10 Apr 2005 10:12:37 -0400 + +tiff (3.7.2-1) unstable; urgency=low + + * New upstream release + + -- Jay Berkenbilt Sat, 19 Mar 2005 14:51:06 -0500 + +tiff (3.7.1-4) unstable; urgency=low + + * Fix from upstream: include a better workaround for tiff files with + invalid strip byte counts. (Closes: #183268) + + -- Jay Berkenbilt Tue, 22 Feb 2005 19:20:14 -0500 + +tiff (3.7.1-3) unstable; urgency=low + + * Disable C++ new experimental interfaces for now; will reappear in a + future version in the separate libtiffxx0 package. + + -- Jay Berkenbilt Sat, 29 Jan 2005 13:32:37 -0500 + +tiff (3.7.1+pre3.7.2-1) experimental; urgency=low + + * New upstream release + * Separate experimental C++ interface into separate libtiffxx library. + + -- Jay Berkenbilt Sat, 29 Jan 2005 13:03:19 -0500 + +tiff (3.7.1-2) unstable; urgency=low + + * Make -dev package depend upon other -dev packages referenced in the + .la file created by libtool. (Closes: #291136) + * tiff2ps: Allow one of -w and -h without the other. (Closes: #244247) + + -- Jay Berkenbilt Wed, 19 Jan 2005 10:45:00 -0500 + +tiff (3.7.1-1) unstable; urgency=low + + * New upstream release + * Correct error in doc-base file (Closes: #285652) + + -- Jay Berkenbilt Wed, 5 Jan 2005 16:54:12 -0500 + +tiff (3.7.0-2) experimental; urgency=low + + * Replace hard-coded libc6-dev dependency with something friendlier to + porters (libc6-dev | libc-dev). (Closes: #179727) + * Fixed upstream: proper netbsdelf*-gnu support in configure. Actually + fixed in 3.7.0-1 but left out of changelog. (Closes: #179728) + * Include opengl support; adds new libtiff-opengl package. (Closes: #219456) + * Fixed upstream: fax2ps now allows access to first page. (Closes: #244251) + + -- Jay Berkenbilt Sat, 11 Dec 2004 09:51:52 -0500 + +tiff (3.7.0-1) experimental; urgency=low + + * New upstream release (Closes: #276996) + * New maintainer (Thanks Joy!) + * Repackage using cdbs and simple-patchsys to fix some errors and + simplify patch management + * Fixed upstream: tiff2pdf ignores -z and -j (Closes: #280682) + * Fixed upstream: Memory leak in TIFFClientOpen (Closes: #256657) + + -- Jay Berkenbilt Fri, 26 Nov 2004 13:50:13 -0500 + +tiff (3.6.1-5) unstable; urgency=high + + * New maintainer (thanks Joy!) + * Applied patch by Dmitry V. Levin to fix a segmentation fault + [tools/tiffdump.c, CAN-2004-1183] + Thanks to Martin Schulze for forwarding the patch. + * Fixed section of -dev package (devel -> libdevel) + + -- Jay Berkenbilt Wed, 5 Jan 2005 16:27:26 -0500 + +tiff (3.6.1-4) unstable; urgency=high + + * Fix heap overflow security bug [CAN-2004-1308]. (Closes: #286815) + + -- Jay Berkenbilt Wed, 22 Dec 2004 10:20:52 -0500 + +tiff (3.6.1-3) unstable; urgency=medium + + * Patches from upstream to fix zero-size tile and integer overflow + problems created by previous security patches, closes: #276783. + * Added Jay Berkenbilt as co-maintainer. Jay thanks Joy for letting him + help and eventually take over maintenance of these packages! + + -- Josip Rodin Mon, 01 Nov 2004 12:28:27 +0100 + +tiff (3.6.1-2) unstable; urgency=low + + * Included security fixes for: + + CAN-2004-0803 + - libtiff/tif_luv.c + - libtiff/tif_next.c + - libtiff/tif_thunder.c + + CAN-2004-0804 (but this one is already applied upstream, it seems) + - libtiff/tif_dirread.c + + CAN-2004-0886 + - libtiff/tif_aux.c + - libtiff/tif_compress.c + - libtiff/tif_dir.c + - libtiff/tif_dirinfo.c + - libtiff/tif_dirread.c + - libtiff/tif_dirwrite.c + - libtiff/tif_extension.c + - libtiff/tif_fax3.c + - libtiff/tiffiop.h + - libtiff/tif_getimage.c + - libtiff/tif_luv.c + - libtiff/tif_pixarlog.c + - libtiff/tif_strip.c + - libtiff/tif_tile.c + - libtiff/tif_write.c + Thanks to Martin Schulze for forwarding the patches. + + -- Josip Rodin Thu, 14 Oct 2004 16:13:11 +0200 + +tiff (3.6.1-1.1) unstable; urgency=medium + + * Non-maintainer upload; thanks to Jay Berkenbilt for + preparing the patches + * Rename shared library and development packages to resolve accidental + upstream ABI change. Closes: #236247 + * Include patch from upstream to fix multistrip g3 fax bug. + Closes: #243405 + * Include LZW support. Closes: #260242, #248490 + * Fix URL in copyright file. Closes: #261357 + * Install missing documentation files. Closes: #261356 + + -- Steve Langasek Sun, 25 Jul 2004 10:28:06 -0400 + +tiff (3.6.1-1) unstable; urgency=low + + * New upstream version, closes: #231977. + * Slightly fixed up the static lib build rules so that the build process + does the normal stuff for the dynamic lib and then does the static with + the same tiffvers.h. + + -- Josip Rodin Mon, 23 Feb 2004 18:23:34 +0100 + +tiff (3.5.7-2) unstable; urgency=high + + * Added back the patch that used -src static/libtiff.a in the install + rule. Wonder how that disappeared... closes: #170914. + * Fake it's a GNU system in order for the configure script to use our + toolchain stuff on the NetBSD port, thanks to Joel Baker, closes: #130636. + + -- Josip Rodin Tue, 10 Dec 2002 17:18:28 +0100 + +tiff (3.5.7-1) unstable; urgency=low + + * New upstream version, closes: #144940. + * A whole new set of patches for the breakage in the build system :) + + -- Josip Rodin Sun, 6 Oct 2002 22:54:08 +0200 + +tiff (3.5.5-6) unstable; urgency=low + + * It appears that the general 64-bit detection code, isn't. + We have to include all of those three conditions, feh. + This really closes: #106706. + + -- Josip Rodin Wed, 8 Aug 2001 23:09:55 +0200 + +tiff (3.5.5-5) unstable; urgency=low + + * Changed two Alpha/Mips-isms into general 64-bit detection code, + patch from John Daily , closes: #106706. + * Patched man/Makefile.in to generate a manual page file for + TIFFClientOpen(3t), as a .so link to TIFFOpen(3t), closes: #99577. + * Used /usr/share/doc in the doc-base file, closes: #74122. + * Changed libtiff3g-dev's section back to devel, since graphics was, + according to elmo, "hysterical raisins". :)) + + -- Josip Rodin Fri, 27 Jul 2001 01:43:04 +0200 + +tiff (3.5.5-4) unstable; urgency=low + + * Updated config.* files, closes: #94696. + * Fixed libtiff3g-dev's section, closes: #85533. + + -- Josip Rodin Wed, 20 Jun 2001 18:29:24 +0200 + +tiff (3.5.5-3) unstable; urgency=low + + * Build shared library on Hurd, too, closes: #72482. + * Upped Standards-Version to 3.5.0. + + -- Josip Rodin Sat, 30 Sep 2000 17:42:13 +0200 + +tiff (3.5.5-2) unstable; urgency=low + + * Make `dynamic shared object' on Linux unconditionally, fixes the problem + with libc.so.6.1 on alpha, thanks Chris C. Chimelis. + + -- Josip Rodin Wed, 13 Sep 2000 21:44:00 +0200 + +tiff (3.5.5-1) unstable; urgency=low + + * New upstream version. + * The upstream build system sucks. There, I said it. Back to work now. :) + * Added a build dependencies on make (>= 3.77) (closes: #67747) and + debhelper. + * Standards-Version: 3.2.1: + + added DEB_BUILD_OPTIONS checks in debian/rules + + -- Josip Rodin Tue, 29 Aug 2000 14:06:02 +0200 + +tiff (3.5.4-5) frozen unstable; urgency=low + + * Fixed 16-bit/32-bit values bug in fax2ps from libtiff-tools, that + also breaks printing from hylafax, using provided oneliner patch + from Bernd Herd (accepted upstream), closes: #49232 and probably #62235. + + -- Josip Rodin Mon, 27 Mar 2000 17:12:10 +0200 + +tiff (3.5.4-4) frozen unstable; urgency=low + + * Weird dpkg-shlibdeps from dpkg 1.6.8-pre has done it again, this time + with libz.so, making the packages depend on zlib1 (instead of zlib1g). + Closes: #56134, #56137, #56140, #56155. + + -- Josip Rodin Tue, 25 Jan 2000 18:05:28 +0100 + +tiff (3.5.4-3) frozen unstable; urgency=low + + * Included libtiff.so file in libtiff3g-dev, dammit :( My eye hurts, + a lot, but this was easy to fix, thank goodness :) (closes: #55814). + This bugfix deserves to get into frozen because the bug cripples + libtiff3g-dev, a lot. + + -- Josip Rodin Fri, 21 Jan 2000 19:02:22 +0100 + +tiff (3.5.4-2) unstable; urgency=low + + * Fixed upstream build system to use ${DESTDIR}, and with that working, + created install: rule in debian/rules and used it. + * Fixed the way rules file gets the version from upstream sources, + and fixed dist/tiff.alpha, it didn't work. + * Removed README file from libtiff3g binary package, useless. + * Fixed configure script not to emit the wrong warning about + zlib/jpeg dirs not specified (they're in /usr/include, stupid :). + + -- Josip Rodin Thu, 30 Dec 1999 01:17:32 +0100 + +tiff (3.5.4-1) unstable; urgency=low + + * New upstream version, closes: #50338. + * Disabled libc5 build, it wouldn't compile. :( + + -- Josip Rodin Fri, 3 Dec 1999 20:49:25 +0100 + +tiff (3.5.2-4) unstable; urgency=low + + * Castrated the rules file, to make it actually work on !(i386 m68k). + Closes: #49316. + + -- Josip Rodin Sat, 6 Nov 1999 13:22:54 +0100 + +tiff (3.5.2-3) unstable; urgency=low + + * Removed sparc from the libtiff3 arches list, as BenC advised. + + -- Josip Rodin Fri, 29 Oct 1999 23:29:23 +0200 + +tiff (3.5.2-2) unstable; urgency=low + + * Changed Architecture: line for libtiff3 from "any" to "i386 m68k sparc" + as it is actually only built on those. Changed description a little bit. + * Minor fixes to the rules file. + + -- Josip Rodin Thu, 28 Oct 1999 14:00:02 +0200 + +tiff (3.5.2-1) unstable; urgency=low + + * New upstream version. + * Renamed source package to just "tiff", like upstream tarball name. + * New maintainer (thanks Guy!). Renewed packaging, with debhelper, + using Joey's nifty multi2 example, with several adjustments. + * Ditched libtiff3-altdev, nobody's using that and nobody should be + using that. Packaging for it still exists, it's just commented out. + * Uses doc-base for -dev docs now. Uncompressed HTML docs, 100kb space + saved is pointless when you can't use any links between documents. + + -- Josip Rodin Tue, 26 Oct 1999 16:20:46 +0200 + +libtiff3 (3.4beta037-8) unstable; urgency=low + + * Argh, same bug in the prerm, closes: #36990, #36850, #36855, + #36866, #36988. + + -- Guy Maor Sat, 1 May 1999 10:12:23 -0700 + +libtiff3 (3.4beta037-7) unstable; urgency=low + + * Don't error when dhelp is not installed, closes: #36879, #36922. + + -- Guy Maor Thu, 29 Apr 1999 19:17:55 -0700 + +libtiff3 (3.4beta037-6) unstable; urgency=low + + * Only build libc5 packages on appropriate archs, closes: #27083, #32007. + * Apply NMU patch, closes: #26413, #26887. + * Add dhelp support, closes: #35154. + * Recompile removes invalid dependency, closes: #30961. + + -- Guy Maor Sat, 24 Apr 1999 15:17:51 -0700 + +libtiff3 (3.4beta037-5.1) frozen unstable; urgency=low + + * NMU to not use install -s to strip static .a libraries. Fixes: #26413 + * Build with recent libjpeg. Fixes: #26887 + * Add Section: and Priority: headers to debian/control. + + -- Ben Gertzfield Mon, 26 Oct 1998 22:44:33 -0800 + +libtiff3 (3.4beta037-5) unstable; urgency=low + + * Explicit link with -lm (and don't need -lc now), fixes: #19167, #22180. + + -- Guy Maor Tue, 11 Aug 1998 22:27:56 -0700 + +libtiff3 (3.4beta037-4) unstable; urgency=low + + * libtiff3-tools conflicts & replaces with libtiff3-gif (13521,15107). + + -- Guy Maor Sun, 11 Jan 1998 13:09:28 -0800 + +libtiff3 (3.4beta037-3) unstable; urgency=low + + * New libjpegg contains shlibs file, so don't need shlibs.local. + * Compile with -D_REENTRANT. + * Add shlibs for libtiff3g (13423). + + -- Guy Maor Sat, 27 Sep 1997 13:17:45 -0500 + +libtiff3 (3.4beta037-2) unstable; urgency=low + + * Add libjpegg6a to shlibs.local to correct for broken dependency. + + -- Guy Maor Fri, 26 Sep 1997 11:23:55 -0500 + +libtiff3 (3.4beta037-1) unstable; urgency=low + + * New upstream version, libc6 compile, policy 2.3.0.0 (5136, 7470, 7627, 8166 + 8312, 9479, 9492, 9531, 11700, 11702). + * Fix check for shared lib support (10805). + + -- Guy Maor Tue, 23 Sep 1997 16:55:56 -0500 --- tiff-3.8.2.orig/debian/libtiff4.lintian +++ tiff-3.8.2/debian/libtiff4.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff4: description-synopsis-starts-with-a-capital-letter --- tiff-3.8.2.orig/debian/libtiff4-dev.install +++ tiff-3.8.2/debian/libtiff4-dev.install @@ -0,0 +1,6 @@ +debian/tmp/usr/lib/lib*.so +debian/tmp/usr/lib/lib*.a +debian/tmp/usr/lib/lib*.la +debian/tmp/usr/include +debian/tmp/usr/share/man/man3 +debian/tmp/usr/share/doc/libtiff4/html --- tiff-3.8.2.orig/debian/patches/z_CVE-2012-2088.patch +++ tiff-3.8.2/debian/patches/z_CVE-2012-2088.patch @@ -0,0 +1,131 @@ +Description: fix possible arbitrary code execution via buffer overflow + due to type-conversion flaw +Origin: thanks to Red Hat +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=832864 + +diff -Naurp tiff-3.8.2.ori/libtiff/tif_strip.c tiff-3.8.2/libtiff/tif_strip.c +--- tiff-3.8.2.ori/libtiff/tif_strip.c 2012-07-04 11:08:40.123666424 -0400 ++++ tiff-3.8.2/libtiff/tif_strip.c 2012-07-04 11:10:01.975668521 -0400 +@@ -107,6 +107,7 @@ tsize_t + TIFFVStripSize(TIFF* tif, uint32 nrows) + { + TIFFDirectory *td = &tif->tif_dir; ++ uint32 stripsize; + + if (nrows == (uint32) -1) + nrows = td->td_imagelength; +@@ -122,7 +123,7 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) + * YCbCr data for the extended image. + */ + uint16 ycbcrsubsampling[2]; +- tsize_t w, scanline, samplingarea; ++ uint32 w, scanline, samplingarea; + + TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, + ycbcrsubsampling + 0, +@@ -141,13 +142,27 @@ TIFFVStripSize(TIFF* tif, uint32 nrows) + nrows = TIFFroundup(nrows, ycbcrsubsampling[1]); + /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ + scanline = multiply(tif, nrows, scanline, "TIFFVStripSize"); +- return ((tsize_t) +- summarize(tif, scanline, +- multiply(tif, 2, scanline / samplingarea, +- "TIFFVStripSize"), "TIFFVStripSize")); ++ /* a zero anywhere in here means overflow, must return zero */ ++ if (scanline > 0) { ++ uint32 extra = ++ multiply(tif, 2, scanline / samplingarea, ++ "TIFFVStripSize"); ++ if (extra > 0) ++ stripsize = summarize(tif, scanline, extra, ++ "TIFFVStripSize"); ++ else ++ stripsize = 0; ++ } else ++ stripsize = 0; + } else +- return ((tsize_t) multiply(tif, nrows, TIFFScanlineSize(tif), +- "TIFFVStripSize")); ++ stripsize = multiply(tif, nrows, TIFFScanlineSize(tif), ++ "TIFFVStripSize"); ++ /* Because tsize_t is signed, we might have conversion overflow */ ++ if (((tsize_t) stripsize) < 0) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVStripSize"); ++ stripsize = 0; ++ } ++ return (tsize_t) stripsize; + } + + +diff -Naurp tiff-3.8.2.ori/libtiff/tif_tile.c tiff-3.8.2/libtiff/tif_tile.c +--- tiff-3.8.2.ori/libtiff/tif_tile.c 2006-03-03 07:09:43.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_tile.c 2012-07-04 11:10:01.975668521 -0400 +@@ -174,7 +174,7 @@ tsize_t + TIFFTileRowSize(TIFF* tif) + { + TIFFDirectory *td = &tif->tif_dir; +- tsize_t rowsize; ++ uint32 rowsize; + + if (td->td_tilelength == 0 || td->td_tilewidth == 0) + return ((tsize_t) 0); +@@ -193,7 +193,7 @@ tsize_t + TIFFVTileSize(TIFF* tif, uint32 nrows) + { + TIFFDirectory *td = &tif->tif_dir; +- tsize_t tilesize; ++ uint32 tilesize; + + if (td->td_tilelength == 0 || td->td_tilewidth == 0 || + td->td_tiledepth == 0) +@@ -209,12 +209,12 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) + * horizontal/vertical subsampling area include + * YCbCr data for the extended image. + */ +- tsize_t w = ++ uint32 w = + TIFFroundup(td->td_tilewidth, td->td_ycbcrsubsampling[0]); +- tsize_t rowsize = ++ uint32 rowsize = + TIFFhowmany8(multiply(tif, w, td->td_bitspersample, + "TIFFVTileSize")); +- tsize_t samplingarea = ++ uint32 samplingarea = + td->td_ycbcrsubsampling[0]*td->td_ycbcrsubsampling[1]; + if (samplingarea == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Invalid YCbCr subsampling"); +@@ -223,15 +223,27 @@ TIFFVTileSize(TIFF* tif, uint32 nrows) + nrows = TIFFroundup(nrows, td->td_ycbcrsubsampling[1]); + /* NB: don't need TIFFhowmany here 'cuz everything is rounded */ + tilesize = multiply(tif, nrows, rowsize, "TIFFVTileSize"); +- tilesize = summarize(tif, tilesize, +- multiply(tif, 2, tilesize / samplingarea, +- "TIFFVTileSize"), ++ /* a zero anywhere in here means overflow, must return zero */ ++ if (tilesize > 0) { ++ uint32 extra = ++ multiply(tif, 2, tilesize / samplingarea, + "TIFFVTileSize"); ++ if (extra > 0) ++ tilesize = summarize(tif, tilesize, extra, ++ "TIFFVTileSize"); ++ else ++ tilesize = 0; ++ } + } else + tilesize = multiply(tif, nrows, TIFFTileRowSize(tif), + "TIFFVTileSize"); +- return ((tsize_t) +- multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize")); ++ tilesize = multiply(tif, tilesize, td->td_tiledepth, "TIFFVTileSize"); ++ /* Because tsize_t is signed, we might have conversion overflow */ ++ if (((tsize_t) tilesize) < 0) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, "Integer overflow in %s", "TIFFVTileSize"); ++ tilesize = 0; ++ } ++ return (tsize_t) tilesize; + } + + /* --- tiff-3.8.2.orig/debian/patches/fix-unknown-tags.patch +++ tiff-3.8.2/debian/patches/fix-unknown-tags.patch @@ -0,0 +1,189 @@ +Description: fix crashes from unknown tag handling. +Origin: backported from upstream 3.9.4 + +Index: tiff-3.8.2/libtiff/tif_dirread.c +=================================================================== +--- tiff-3.8.2.orig/libtiff/tif_dirread.c 2010-06-17 11:40:48.836399406 -0700 ++++ tiff-3.8.2/libtiff/tif_dirread.c 2010-06-17 11:41:58.434710862 -0700 +@@ -43,6 +43,7 @@ + extern void TIFFCvtIEEEFloatToNative(TIFF*, uint32, float*); + extern void TIFFCvtIEEEDoubleToNative(TIFF*, uint32, double*); + #endif ++extern int _TIFFMergeFieldInfo_check(TIFF* tif, const TIFFFieldInfo info[], int n); + + static int EstimateStripByteCounts(TIFF*, TIFFDirEntry*, uint16); + static void MissingRequired(TIFF*, const char*); +@@ -85,6 +86,7 @@ + toff_t nextdiroff; + int diroutoforderwarning = 0; + int compressionknown = 0; ++ int haveunknowntags = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -245,8 +247,10 @@ + fix = 0; + for (dp = dir, n = dircount; n > 0; n--, dp++) { + +- if (fix >= tif->tif_nfields || dp->tdir_tag == IGNORE) ++ if (dp->tdir_tag == IGNORE) + continue; ++ if (fix >= tif->tif_nfields) ++ fix = 0; + + /* + * Silicon Beach (at least) writes unordered +@@ -268,29 +272,9 @@ + + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { +- +- TIFFWarningExt(tif->tif_clientdata, +- module, +- "%s: unknown field with tag %d (0x%x) encountered", +- tif->tif_name, +- dp->tdir_tag, +- dp->tdir_tag, +- dp->tdir_type); +- /* +- * creating anonymous fields prior to knowing the compression +- * algorithm (ie, when the field info has been merged) could cause +- * crashes with pathological directories. +- * -- taviso@google.com 15 Jun 2006 +- */ +- if (compressionknown) +- TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), 1 ); +- else goto ignore; +- +- fix = 0; +- while (fix < tif->tif_nfields && +- tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) +- fix++; ++ /* Unknown tag ... we'll deal with it below */ ++ haveunknowntags = 1; ++ continue; + } + + /* +@@ -381,6 +365,76 @@ + } + + /* ++ * If we saw any unknown tags, make an extra pass over the directory ++ * to deal with them. This must be done separately because the tags ++ * could have become known when we registered a codec after finding ++ * the Compression tag. In a correctly-sorted directory there's ++ * no problem because Compression will come before any codec-private ++ * tags, but if the sorting is wrong that might not hold. ++ */ ++ if (haveunknowntags) { ++ fix = 0; ++ for (dp = dir, n = dircount; n > 0; n--, dp++) { ++ if (dp->tdir_tag == IGNORE) ++ continue; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ if (fix >= tif->tif_nfields || ++ tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { ++ ++ TIFFWarningExt(tif->tif_clientdata, ++ module, ++ "%s: unknown field with tag %d (0x%x) encountered", ++ tif->tif_name, ++ dp->tdir_tag, ++ dp->tdir_tag); ++ ++ if (!_TIFFMergeFieldInfo_check(tif, ++ _TIFFCreateAnonFieldInfo(tif, ++ dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), ++ 1)) ++ { ++ TIFFWarningExt(tif->tif_clientdata, ++ module, ++ "Registering anonymous field with tag %d (0x%x) failed", ++ dp->tdir_tag, ++ dp->tdir_tag); ++ dp->tdir_tag = IGNORE; ++ continue; ++ } ++ fix = 0; ++ while (fix < tif->tif_nfields && ++ tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) ++ fix++; ++ } ++ /* ++ * Check data type. ++ */ ++ fip = tif->tif_fieldinfo[fix]; ++ while (dp->tdir_type != (unsigned short) fip->field_type ++ && fix < tif->tif_nfields) { ++ if (fip->field_type == TIFF_ANY) /* wildcard */ ++ break; ++ fip = tif->tif_fieldinfo[++fix]; ++ if (fix >= tif->tif_nfields || ++ fip->field_tag != dp->tdir_tag) { ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: wrong data type %d for \"%s\"; tag ignored", ++ tif->tif_name, dp->tdir_type, ++ tif->tif_fieldinfo[fix-1]->field_name); ++ dp->tdir_tag = IGNORE; ++ break; ++ } ++ } ++ } ++ } ++ ++ /* + * Allocate directory structure and setup defaults. + */ + if (!TIFFFieldSet(tif, FIELD_IMAGEDIMENSIONS)) { +Index: tiff-3.8.2/libtiff/tif_dirinfo.c +=================================================================== +--- tiff-3.8.2.orig/libtiff/tif_dirinfo.c 2010-06-17 11:40:48.836399406 -0700 ++++ tiff-3.8.2/libtiff/tif_dirinfo.c 2010-06-17 11:41:33.193899323 -0700 +@@ -566,8 +566,8 @@ + return strcmp(ta->field_name, tb->field_name); + } + +-void +-_TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], int n) ++int ++_TIFFMergeFieldInfo_check(TIFF* tif, const TIFFFieldInfo info[], int n) + { + TIFFFieldInfo** tp; + int i; +@@ -582,7 +582,11 @@ + tif->tif_fieldinfo = (TIFFFieldInfo**) + _TIFFmalloc(n * sizeof (TIFFFieldInfo*)); + } +- assert(tif->tif_fieldinfo != NULL); ++ if (!tif->tif_fieldinfo) { ++ TIFFErrorExt(tif->tif_clientdata, "_TIFFMergeFieldInfo", ++ "Failed to allocate field info array"); ++ return 0; ++ } + tp = tif->tif_fieldinfo + tif->tif_nfields; + for (i = 0; i < n; i++) + *tp++ = (TIFFFieldInfo*) (info + i); /* XXX */ +@@ -590,6 +594,15 @@ + /* Sort the field info by tag number */ + qsort(tif->tif_fieldinfo, tif->tif_nfields += n, + sizeof (TIFFFieldInfo*), tagCompare); ++ ++ return n; ++} ++ ++void ++_TIFFMergeFieldInfo(TIFF* tif, const TIFFFieldInfo info[], int n) ++{ ++ if (!_TIFFMergeFieldInfo_check(tif, info, n)) ++ assert(tif->tif_fieldinfo != NULL); + } + + void --- tiff-3.8.2.orig/debian/patches/z_CVE-2010-2595.patch +++ tiff-3.8.2/debian/patches/z_CVE-2010-2595.patch @@ -0,0 +1,30 @@ +Description: fix denial of service via invalid ReferenceBlackWhite values +Origin: upstream, libtiff/tif_color.c r1.12.2.2 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2208 + +diff -Naur tiff-3.8.2.orig//libtiff/tif_color.c tiff-3.8.2/libtiff/tif_color.c +--- tiff-3.8.2.orig//libtiff/tif_color.c 2006-03-03 07:09:42.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_color.c 2011-03-03 15:30:48.000000000 -0500 +@@ -183,13 +183,18 @@ + TIFFYCbCrtoRGB(TIFFYCbCrToRGB *ycbcr, uint32 Y, int32 Cb, int32 Cr, + uint32 *r, uint32 *g, uint32 *b) + { ++ int32 i; ++ + /* XXX: Only 8-bit YCbCr input supported for now */ + Y = HICLAMP(Y, 255), Cb = CLAMP(Cb, 0, 255), Cr = CLAMP(Cr, 0, 255); + +- *r = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]]; +- *g = ycbcr->clamptab[ycbcr->Y_tab[Y] +- + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT)]; +- *b = ycbcr->clamptab[ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]]; ++ i = ycbcr->Y_tab[Y] + ycbcr->Cr_r_tab[Cr]; ++ *r = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] ++ + (int)((ycbcr->Cb_g_tab[Cb] + ycbcr->Cr_g_tab[Cr]) >> SHIFT); ++ *g = CLAMP(i, 0, 255); ++ i = ycbcr->Y_tab[Y] + ycbcr->Cb_b_tab[Cb]; ++ *b = CLAMP(i, 0, 255); + } + + /* --- tiff-3.8.2.orig/debian/patches/z_CVE-2011-0192.patch +++ tiff-3.8.2/debian/patches/z_CVE-2011-0192.patch @@ -0,0 +1,20 @@ +Description: fix denial of service and possible code execution via + buffer overflow in Fax4Decode +Origin: Thanks to Apple and Huzaifa Sidhpurwala + +diff -Naur tiff-3.8.2.orig//libtiff/tif_fax3.h tiff-3.8.2/libtiff/tif_fax3.h +--- tiff-3.8.2.orig//libtiff/tif_fax3.h 2005-12-12 09:58:22.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_fax3.h 2011-03-03 15:34:17.000000000 -0500 +@@ -478,6 +478,12 @@ + break; \ + case S_VL: \ + CHECK_b1; \ ++ if (b1 <= (int) (a0 + TabEnt->Param)) { \ ++ if (b1 < (int) (a0 + TabEnt->Param) || pa != thisrun) { \ ++ unexpected("VL", a0); \ ++ goto eol2d; \ ++ } \ ++ } \ + SETVALUE(b1 - a0 - TabEnt->Param); \ + b1 -= *--pb; \ + break; \ --- tiff-3.8.2.orig/debian/patches/z_CVE-2011-0191.patch +++ tiff-3.8.2/debian/patches/z_CVE-2011-0191.patch @@ -0,0 +1,18 @@ +Description: denial of service and possible code exection via + YCBCRSUBSAMPLING tag +Origin: Thanks to Apple + +diff -Naur tiff-3.8.2.orig//libtiff/tif_dir.c tiff-3.8.2/libtiff/tif_dir.c +--- tiff-3.8.2.orig//libtiff/tif_dir.c 2011-03-03 15:28:04.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_dir.c 2011-03-03 15:33:55.000000000 -0500 +@@ -359,6 +359,10 @@ + case TIFFTAG_YCBCRSUBSAMPLING: + td->td_ycbcrsubsampling[0] = (uint16) va_arg(ap, int); + td->td_ycbcrsubsampling[1] = (uint16) va_arg(ap, int); ++ if (td->td_ycbcrsubsampling[0] > 4) ++ td->td_ycbcrsubsampling[0] = (td->td_compression == 7) ? 1 : 2; ++ if (td->td_ycbcrsubsampling[1] > 4) ++ td->td_ycbcrsubsampling[1] = (td->td_compression == 7) ? 1 : 2; + break; + case TIFFTAG_TRANSFERFUNCTION: + v = (td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1; --- tiff-3.8.2.orig/debian/patches/z_CVE-2011-1167.patch +++ tiff-3.8.2/debian/patches/z_CVE-2011-1167.patch @@ -0,0 +1,72 @@ +Description: fix arbitrary code execution via crafted + THUNDER_2BITDELTAS data +Origin: upstream, http://bugzilla.maptools.org/show_bug.cgi?id=2300 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2300 + +diff -Naur tiff-3.8.2.ori//libtiff/tif_thunder.c tiff-3.8.2/libtiff/tif_thunder.c +--- tiff-3.8.2.ori//libtiff/tif_thunder.c 2005-12-21 07:33:56.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_thunder.c 2011-03-30 13:26:06.522487732 -0400 +@@ -25,6 +25,7 @@ + */ + + #include "tiffiop.h" ++#include + #ifdef THUNDER_SUPPORT + /* + * TIFF Library. +@@ -55,12 +56,32 @@ + static const int twobitdeltas[4] = { 0, 1, 0, -1 }; + static const int threebitdeltas[8] = { 0, 1, 2, 3, 0, -3, -2, -1 }; + +-#define SETPIXEL(op, v) { \ +- lastpixel = (v) & 0xf; \ +- if (npixels++ & 1) \ +- *op++ |= lastpixel; \ +- else \ ++#define SETPIXEL(op, v) { \ ++ lastpixel = (v) & 0xf; \ ++ if ( npixels < maxpixels ) \ ++ { \ ++ if (npixels++ & 1) \ ++ *op++ |= lastpixel; \ ++ else \ + op[0] = (tidataval_t) (lastpixel << 4); \ ++ } \ ++} ++ ++static int ++ThunderSetupDecode(TIFF* tif) ++{ ++ static const char module[] = "ThunderSetupDecode"; ++ ++ if( tif->tif_dir.td_bitspersample != 4 ) ++ { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Wrong bitspersample value (%d), Thunder decoder only supports 4bits per sample.", ++ (int) tif->tif_dir.td_bitspersample ); ++ return 0; ++ } ++ ++ ++ return (1); + } + + static int +@@ -142,7 +163,8 @@ + occ -= tif->tif_scanlinesize; + row += tif->tif_scanlinesize; + } +- return (1); ++ ++ return (1); + } + + int +@@ -151,6 +173,7 @@ + (void) scheme; + tif->tif_decoderow = ThunderDecodeRow; + tif->tif_decodestrip = ThunderDecodeRow; ++ tif->tif_setupdecode = ThunderSetupDecode; + return (1); + } + #endif /* THUNDER_SUPPORT */ --- tiff-3.8.2.orig/debian/patches/tiff2pdf-octal-printf.patch +++ tiff-3.8.2/debian/patches/tiff2pdf-octal-printf.patch @@ -0,0 +1,11 @@ +--- tiff-3.8.2/tools/tiff2pdf.c.orig 2006-03-21 11:42:51.000000000 -0500 ++++ tiff-3.8.2/tools/tiff2pdf.c 2006-06-07 17:54:01.027637232 -0400 +@@ -3668,7 +3668,7 @@ + written += TIFFWriteFile(output, (tdata_t) "(", 1); + for (i=0;itd_compression == COMPRESSION_CCITTFAX4 + ); + +- nruns = needsRefLine ? 2*TIFFroundup(rowpixels,32) : rowpixels; ++ /* ++ Assure that allocation computations do not overflow. ++ ++ TIFFroundup and TIFFSafeMultiply return zero on integer overflow ++ */ ++ dsp->runs=(uint32*) NULL; ++ nruns = TIFFroundup(rowpixels,32); ++ if (needsRefLine) { ++ nruns = TIFFSafeMultiply(uint32,nruns,2); ++ } ++ if ((nruns == 0) || (TIFFSafeMultiply(uint32,nruns,2) == 0)) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "Row pixels integer overflow (rowpixels %u)", ++ rowpixels); ++ return (0); ++ } ++ dsp->runs = (uint32*) _TIFFCheckMalloc(tif, ++ TIFFSafeMultiply(uint32,nruns,2), ++ sizeof (uint32), ++ "for Group 3/4 run arrays"); + +- dsp->runs = (uint32*) _TIFFCheckMalloc(tif, 2*nruns+3, sizeof (uint32), +- "for Group 3/4 run arrays"); + if (dsp->runs == NULL) + return (0); + dsp->curruns = dsp->runs; +diff -Naur tiff-3.8.2.ori/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h +--- tiff-3.8.2.ori/libtiff/tiffiop.h 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tiffiop.h 2012-04-02 11:58:04.838089974 -0400 +@@ -222,10 +222,15 @@ + #endif + + /* NB: the uint32 casts are to silence certain ANSI-C compilers */ +-#define TIFFhowmany(x, y) ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) ++#define TIFFhowmany(x, y) (((uint32)x < (0xffffffff - (uint32)(y-1))) ? \ ++ ((((uint32)(x))+(((uint32)(y))-1))/((uint32)(y))) : \ ++ 0U) + #define TIFFhowmany8(x) (((x)&0x07)?((uint32)(x)>>3)+1:(uint32)(x)>>3) + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + ++/* Safe multiply which returns zero if there is an integer overflow */ ++#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++ + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) + --- tiff-3.8.2.orig/debian/patches/z_CVE-2010-2630.patch +++ tiff-3.8.2/debian/patches/z_CVE-2010-2630.patch @@ -0,0 +1,44 @@ +Description: fix denial of service via out-of-order tags +Origin: upstream, r1.92.2.13 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2210 + +diff -Naur tiff-3.8.2.orig//libtiff/tif_dirread.c tiff-3.8.2/libtiff/tif_dirread.c +--- tiff-3.8.2.orig//libtiff/tif_dirread.c 2011-03-03 15:28:27.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_dirread.c 2011-03-03 15:32:32.000000000 -0500 +@@ -83,6 +83,7 @@ + const TIFFFieldInfo* fip; + size_t fix; + uint16 dircount; ++ uint16 previous_tag = 0; + toff_t nextdiroff; + int diroutoforderwarning = 0; + int compressionknown = 0; +@@ -249,23 +250,24 @@ + + if (dp->tdir_tag == IGNORE) + continue; +- if (fix >= tif->tif_nfields) +- fix = 0; + + /* + * Silicon Beach (at least) writes unordered + * directory tags (violating the spec). Handle + * it here, but be obnoxious (maybe they'll fix it?). + */ +- if (dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) { ++ if (dp->tdir_tag < previous_tag) { + if (!diroutoforderwarning) { + TIFFWarningExt(tif->tif_clientdata, module, + "%s: invalid TIFF directory; tags are not sorted in ascending order", + tif->tif_name); + diroutoforderwarning = 1; + } +- fix = 0; /* O(n^2) */ + } ++ previous_tag = dp->tdir_tag; ++ if (fix >= tif->tif_nfields || ++ dp->tdir_tag < tif->tif_fieldinfo[fix]->field_tag) ++ fix = 0; /* O(n^2) */ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; --- tiff-3.8.2.orig/debian/patches/CVE-2008-2327.patch +++ tiff-3.8.2/debian/patches/CVE-2008-2327.patch @@ -0,0 +1,58 @@ +--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_lzw.c 2008-08-17 11:31:32.994004551 -0400 +@@ -237,6 +237,13 @@ + sp->dec_codetab[code].length = 1; + sp->dec_codetab[code].next = NULL; + } while (code--); ++ /* ++ * Zero-out the unused entries ++ */ ++ _TIFFmemset(&sp->dec_codetab[CODE_CLEAR], 0, ++ (CODE_FIRST-CODE_CLEAR)*sizeof (code_t)); ++ ++ + } + return (1); + } +@@ -408,12 +415,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask-1; + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = (char)code, occ--; + oldcodep = sp->dec_codetab + code; + continue; +@@ -604,12 +619,20 @@ + break; + if (code == CODE_CLEAR) { + free_entp = sp->dec_codetab + CODE_FIRST; ++ _TIFFmemset(free_entp, 0, (CSIZE-CODE_FIRST)*sizeof (code_t)); + nbits = BITS_MIN; + nbitsmask = MAXCODE(BITS_MIN); + maxcodep = sp->dec_codetab + nbitsmask; + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; ++ if (code == CODE_CLEAR) { ++ TIFFErrorExt(tif->tif_clientdata, tif->tif_name, ++ "LZWDecode: Corrupted LZW table at scanline %d", ++ tif->tif_row); ++ return (0); ++ } ++ + *op++ = code, occ--; + oldcodep = sp->dec_codetab + code; + continue; --- tiff-3.8.2.orig/debian/patches/z_CVE-2010-4665.patch +++ tiff-3.8.2/debian/patches/z_CVE-2010-4665.patch @@ -0,0 +1,37 @@ +Description: fix denial of service and possible code execution via tiffdump +Origin: extracted from libtiff 3.9.5 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2218 + +diff -Naur tiff-3.8.2.ori/tools/tiffdump.c tiff-3.8.2/tools/tiffdump.c +--- tiff-3.8.2.ori/tools/tiffdump.c 2005-12-02 11:01:33.000000000 -0500 ++++ tiff-3.8.2/tools/tiffdump.c 2012-04-02 12:09:09.374083635 -0400 +@@ -52,6 +52,11 @@ + # define O_BINARY 0 + #endif + ++/* Safe multiply which returns zero if there is an integer overflow */ ++#ifndef TIFFSafeMultiply ++# define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#endif ++ + char* appname; + char* curfile; + int swabflag; +@@ -317,7 +322,7 @@ + printf(">\n"); + continue; + } +- space = dp->tdir_count * datawidth[dp->tdir_type]; ++ space = TIFFSafeMultiply(int, dp->tdir_count, datawidth[dp->tdir_type]); + if (space <= 0) { + printf(">\n"); + Error("Invalid count for tag %u", dp->tdir_tag); +@@ -709,7 +714,7 @@ + w = (dir->tdir_type < NWIDTHS ? datawidth[dir->tdir_type] : 0); + cc = dir->tdir_count * w; + if (lseek(fd, (off_t)dir->tdir_offset, 0) != (off_t)-1 +- && read(fd, cp, cc) != -1) { ++ && read(fd, cp, cc) == cc) { + if (swabflag) { + switch (dir->tdir_type) { + case TIFF_SHORT: --- tiff-3.8.2.orig/debian/patches/CVE-2009-2347.patch +++ tiff-3.8.2/debian/patches/CVE-2009-2347.patch @@ -0,0 +1,166 @@ +# +# Description: fix arbitrary code execution via integer overflows in tiff2rgba and rgb2ycbcr +# +diff -Naur tiff-3.8.2.orig/tools/rgb2ycbcr.c tiff-3.8.2/tools/rgb2ycbcr.c +--- tiff-3.8.2.orig/tools/rgb2ycbcr.c 2004-09-03 03:57:13.000000000 -0400 ++++ tiff-3.8.2/tools/rgb2ycbcr.c 2009-07-13 09:25:19.000000000 -0400 +@@ -202,6 +202,17 @@ + #undef LumaBlue + #undef V2Code + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + /* + * Convert a strip of RGB data to YCbCr and + * sample to generate the output data. +@@ -278,10 +289,19 @@ + float floatv; + char *stringv; + uint32 longv; ++ tsize_t raster_size; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +diff -Naur tiff-3.8.2.orig/tools/tiff2rgba.c tiff-3.8.2/tools/tiff2rgba.c +--- tiff-3.8.2.orig/tools/tiff2rgba.c 2004-11-07 06:08:37.000000000 -0500 ++++ tiff-3.8.2/tools/tiff2rgba.c 2009-07-13 09:25:19.000000000 -0400 +@@ -124,6 +124,17 @@ + return (0); + } + ++static tsize_t ++multiply(tsize_t m1, tsize_t m2) ++{ ++ tsize_t prod = m1 * m2; ++ ++ if (m1 && prod / m1 != m2) ++ prod = 0; /* overflow */ ++ ++ return prod; ++} ++ + static int + cvt_by_tile( TIFF *in, TIFF *out ) + +@@ -133,6 +144,7 @@ + uint32 tile_width, tile_height; + uint32 row, col; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -150,7 +162,14 @@ + /* + * Allocate tile buffer + */ +- raster = (uint32*)_TIFFmalloc(tile_width * tile_height * sizeof (uint32)); ++ raster_size = multiply(multiply(tile_width, tile_height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) tile_width, (unsigned long) tile_height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -158,7 +177,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(tile_width * sizeof (uint32)); + if (!wrk_line) { +@@ -226,6 +245,7 @@ + uint32 width, height; /* image width & height */ + uint32 row; + uint32 *wrk_line; ++ tsize_t raster_size; + int ok = 1; + + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); +@@ -241,7 +261,14 @@ + /* + * Allocate strip buffer + */ +- raster = (uint32*)_TIFFmalloc(width * rowsperstrip * sizeof (uint32)); ++ raster_size = multiply(multiply(width, rowsperstrip), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) rowsperstrip); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -249,7 +276,7 @@ + + /* + * Allocate a scanline buffer for swapping during the vertical +- * mirroring pass. ++ * mirroring pass. (Request can't overflow given prior checks.) + */ + wrk_line = (uint32*)_TIFFmalloc(width * sizeof (uint32)); + if (!wrk_line) { +@@ -328,14 +355,22 @@ + uint32* raster; /* retrieve RGBA image */ + uint32 width, height; /* image width & height */ + uint32 row; +- ++ tsize_t raster_size; ++ + TIFFGetField(in, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField(in, TIFFTAG_IMAGELENGTH, &height); + + rowsperstrip = TIFFDefaultStripSize(out, rowsperstrip); + TIFFSetField(out, TIFFTAG_ROWSPERSTRIP, rowsperstrip); + +- raster = (uint32*)_TIFFmalloc(width * height * sizeof (uint32)); ++ raster_size = multiply(multiply(width, height), sizeof (uint32)); ++ if (!raster_size) { ++ TIFFError(TIFFFileName(in), ++ "Can't allocate buffer for raster of size %lux%lu", ++ (unsigned long) width, (unsigned long) height); ++ return (0); ++ } ++ raster = (uint32*)_TIFFmalloc(raster_size); + if (raster == 0) { + TIFFError(TIFFFileName(in), "No space for raster buffer"); + return (0); +@@ -353,7 +388,7 @@ + */ + if( no_alpha ) + { +- int pixel_count = width * height; ++ tsize_t pixel_count = (tsize_t) width * (tsize_t) height; + unsigned char *src, *dst; + + src = (unsigned char *) raster; --- tiff-3.8.2.orig/debian/patches/soname.patch +++ tiff-3.8.2/debian/patches/soname.patch @@ -0,0 +1,36 @@ +--- libtiff/Makefile.am.orig 2005-07-27 15:22:58.000000000 -0400 ++++ libtiff/Makefile.am 2005-12-29 21:01:13.097527248 -0500 +@@ -108,7 +108,7 @@ + libtiff_la_SOURCES = $(SRCS) + libtiff_la_LDFLAGS = \ + -no-undefined \ +- -version-number $(LIBTIFF_VERSION_INFO) ++ -version-number 4:2:1 + if HAVE_RPATH + libtiff_la_LDFLAGS += $(LIBDIR) + endif +@@ -117,7 +117,7 @@ + libtiffxx_la_SOURCES = $(SRCSXX) + libtiffxx_la_LDFLAGS = \ + -no-undefined \ +- -version-number $(LIBTIFF_VERSION_INFO) ++ -version-number 0:0:6 + if HAVE_RPATH + libtiffxx_la_LDFLAGS += $(LIBDIR) + endif +--- libtiff/Makefile.in.orig 2005-12-29 16:49:57.000000000 -0500 ++++ libtiff/Makefile.in 2005-12-29 21:01:13.097527248 -0500 +@@ -347,11 +347,11 @@ + lib_LTLIBRARIES = libtiff.la $(am__append_2) + libtiff_la_SOURCES = $(SRCS) + libtiff_la_LDFLAGS = -no-undefined -version-number \ +- $(LIBTIFF_VERSION_INFO) $(am__append_3) ++ 4:2:1 $(am__append_3) + libtiff_la_LIBADD = $(LIBPORT) + libtiffxx_la_SOURCES = $(SRCSXX) + libtiffxx_la_LDFLAGS = -no-undefined -version-number \ +- $(LIBTIFF_VERSION_INFO) $(am__append_4) ++ 0:0:6 $(am__append_4) + libtiffxx_la_LIBADD = $(LIBTIFF) $(LIBPORT) + libtiffxx_la_DEPENDENCIES = libtiff.la + mkg3states_SOURCES = mkg3states.c tif_fax3.h --- tiff-3.8.2.orig/debian/patches/z_CVE-2012-1173.patch +++ tiff-3.8.2/debian/patches/z_CVE-2012-1173.patch @@ -0,0 +1,71 @@ +Description: fix arbitrary code execution via size overflow +Origin: thanks to Tom Lane of Red Hat + +diff -Naur tiff-3.8.2.ori/libtiff/tiffiop.h tiff-3.8.2/libtiff/tiffiop.h +--- tiff-3.8.2.ori/libtiff/tiffiop.h 2012-04-02 12:07:53.214084363 -0400 ++++ tiff-3.8.2/libtiff/tiffiop.h 2012-04-02 12:09:57.514083194 -0400 +@@ -229,7 +229,7 @@ + #define TIFFroundup(x, y) (TIFFhowmany(x,y)*(y)) + + /* Safe multiply which returns zero if there is an integer overflow */ +-#define TIFFSafeMultiply(t,v,m) ((((t)m != (t)0) && (((t)((v*m)/m)) == (t)v)) ? (t)(v*m) : (t)0) ++#define TIFFSafeMultiply(t,v,m) ((((t)(m) != (t)0) && (((t)(((v)*(m))/(m))) == (t)(v))) ? (t)((v)*(m)) : (t)0) + + #define TIFFmax(A,B) ((A)>(B)?(A):(B)) + #define TIFFmin(A,B) ((A)<(B)?(A):(B)) +diff -Naur tiff-3.8.2.ori/libtiff/tif_getimage.c tiff-3.8.2/libtiff/tif_getimage.c +--- tiff-3.8.2.ori/libtiff/tif_getimage.c 2005-12-27 06:28:23.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_getimage.c 2012-04-02 12:14:40.706080477 -0400 +@@ -665,18 +665,24 @@ + unsigned char* b; + unsigned char* a; + tsize_t tilesize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + uint32 nrow; + int ret = 1, flip; + + tilesize = TIFFTileSize(tif); +- buf = (unsigned char*) _TIFFmalloc(4*tilesize); ++ bufsize = TIFFSafeMultiply(tsize_t,4,tilesize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtTileSeparate"); ++ return (0); ++ } ++ buf = (unsigned char*) _TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, 4*tilesize); ++ _TIFFmemset(buf, 0, bufsize); + r = buf; + g = r + tilesize; + b = g + tilesize; +@@ -866,17 +872,23 @@ + uint32 rowsperstrip, offset_row; + uint32 imagewidth = img->width; + tsize_t stripsize; ++ tsize_t bufsize; + int32 fromskew, toskew; + int alpha = img->alpha; + int ret = 1, flip; + + stripsize = TIFFStripSize(tif); +- r = buf = (unsigned char *)_TIFFmalloc(4*stripsize); ++ bufsize = TIFFSafeMultiply(tsize_t,4,stripsize); ++ if (bufsize == 0) { ++ TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "Integer overflow in %s", "gtStripSeparate"); ++ return (0); ++ } ++ r = buf = (unsigned char *)_TIFFmalloc(bufsize); + if (buf == 0) { + TIFFErrorExt(tif->tif_clientdata, TIFFFileName(tif), "No space for tile buffer"); + return (0); + } +- _TIFFmemset(buf, 0, 4*stripsize); ++ _TIFFmemset(buf, 0, bufsize); + g = r + stripsize; + b = g + stripsize; + a = b + stripsize; --- tiff-3.8.2.orig/debian/patches/tiffsplit-fname-overflow.patch +++ tiff-3.8.2/debian/patches/tiffsplit-fname-overflow.patch @@ -0,0 +1,19 @@ +--- tiff-3.8.2/tools/tiffsplit.c.orig 2005-12-07 04:48:33.000000000 -0500 ++++ tiff-3.8.2/tools/tiffsplit.c 2006-06-01 21:20:25.039944864 -0400 +@@ -61,14 +61,13 @@ + return (-3); + } + if (argc > 2) +- strcpy(fname, argv[2]); ++ snprintf(fname, sizeof(fname), "%s", argv[2]); + in = TIFFOpen(argv[1], "r"); + if (in != NULL) { + do { + char path[1024+1]; + newfilename(); +- strcpy(path, fname); +- strcat(path, ".tif"); ++ snprintf(path, sizeof(path), "%s.tif", fname); + out = TIFFOpen(path, TIFFIsBigEndian(in)?"wb":"wl"); + if (out == NULL) + return (-2); --- tiff-3.8.2.orig/debian/patches/z_CVE-2010-2597.patch +++ tiff-3.8.2/debian/patches/z_CVE-2010-2597.patch @@ -0,0 +1,34 @@ +Description: fix denial of service via devide-by-zero +Origin: backport, r1.19.2.3 +Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2215 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/593067 + +diff -Naur tiff-3.8.2.orig//libtiff/tif_strip.c tiff-3.8.2/libtiff/tif_strip.c +--- tiff-3.8.2.orig//libtiff/tif_strip.c 2006-03-21 11:42:50.000000000 -0500 ++++ tiff-3.8.2/libtiff/tif_strip.c 2011-03-03 15:31:43.000000000 -0500 +@@ -124,9 +124,9 @@ + uint16 ycbcrsubsampling[2]; + tsize_t w, scanline, samplingarea; + +- TIFFGetField( tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1 ); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + samplingarea = ycbcrsubsampling[0]*ycbcrsubsampling[1]; + if (samplingarea == 0) { +@@ -234,9 +234,9 @@ + && !isUpSampled(tif)) { + uint16 ycbcrsubsampling[2]; + +- TIFFGetField(tif, TIFFTAG_YCBCRSUBSAMPLING, +- ycbcrsubsampling + 0, +- ycbcrsubsampling + 1); ++ TIFFGetFieldDefaulted(tif, TIFFTAG_YCBCRSUBSAMPLING, ++ ycbcrsubsampling + 0, ++ ycbcrsubsampling + 1); + + if (ycbcrsubsampling[0] == 0) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, --- tiff-3.8.2.orig/debian/patches/CVE-2006-3459-3465.patch +++ tiff-3.8.2/debian/patches/CVE-2006-3459-3465.patch @@ -0,0 +1,669 @@ +diff -ru tiff-3.8.2/libtiff/tif_dir.c tiff-3.8.2-goo/libtiff/tif_dir.c +--- tiff-3.8.2/libtiff/tif_dir.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dir.c 2006-07-14 13:52:01.027562000 +0100 +@@ -122,6 +122,7 @@ + { + static const char module[] = "_TIFFVSetField"; + ++ const TIFFFieldInfo* fip = _TIFFFindFieldInfo(tif, tag, TIFF_ANY); + TIFFDirectory* td = &tif->tif_dir; + int status = 1; + uint32 v32, i, v; +@@ -195,10 +196,12 @@ + break; + case TIFFTAG_ORIENTATION: + v = va_arg(ap, uint32); ++ const TIFFFieldInfo* fip; + if (v < ORIENTATION_TOPLEFT || ORIENTATION_LEFTBOT < v) { ++ fip = _TIFFFieldWithTag(tif, tag); + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "Bad value %lu for \"%s\" tag ignored", +- v, _TIFFFieldWithTag(tif, tag)->field_name); ++ v, fip ? fip->field_name : "Unknown"); + } else + td->td_orientation = (uint16) v; + break; +@@ -387,11 +390,15 @@ + * happens, for example, when tiffcp is used to convert between + * compression schemes and codec-specific tags are blindly copied. + */ ++ /* ++ * better not dereference fip if it is NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if(fip == NULL || fip->field_bit != FIELD_CUSTOM) { + TIFFErrorExt(tif->tif_clientdata, module, + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + status = 0; + break; + } +@@ -468,7 +475,7 @@ + if (fip->field_type == TIFF_ASCII) + _TIFFsetString((char **)&tv->value, va_arg(ap, char *)); + else { +- tv->value = _TIFFmalloc(tv_size * tv->count); ++ tv->value = _TIFFCheckMalloc(tif, tv_size, tv->count, "Tag Value"); + if (!tv->value) { + status = 0; + goto end; +@@ -563,7 +570,7 @@ + } + } + if (status) { +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ TIFFSetFieldBit(tif, fip->field_bit); + tif->tif_flags |= TIFF_DIRTYDIRECT; + } + +@@ -572,12 +579,12 @@ + return (status); + badvalue: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %d for \"%s\"", +- tif->tif_name, v, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + badvalue32: + TIFFErrorExt(tif->tif_clientdata, module, "%s: Bad value %ld for \"%s\"", +- tif->tif_name, v32, _TIFFFieldWithTag(tif, tag)->field_name); ++ tif->tif_name, v32, fip ? fip->field_name : "Unknown"); + va_end(ap); + return (0); + } +@@ -813,12 +820,16 @@ + * If the client tries to get a tag that is not valid + * for the image's codec then we'll arrive here. + */ ++ /* ++ * dont dereference fip if it's NULL. ++ * -- taviso@google.com 15 Jun 2006 ++ */ + if( fip == NULL || fip->field_bit != FIELD_CUSTOM ) + { + TIFFErrorExt(tif->tif_clientdata, "_TIFFVGetField", + "%s: Invalid %stag \"%s\" (not supported by codec)", + tif->tif_name, isPseudoTag(tag) ? "pseudo-" : "", +- _TIFFFieldWithTag(tif, tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + ret_val = 0; + break; + } +diff -ru tiff-3.8.2/libtiff/tif_dirinfo.c tiff-3.8.2-goo/libtiff/tif_dirinfo.c +--- tiff-3.8.2/libtiff/tif_dirinfo.c 2006-02-07 13:51:03.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirinfo.c 2006-07-14 13:52:00.953558000 +0100 +@@ -775,7 +775,8 @@ + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithTag", + "Internal error, unknown tag 0x%x", + (unsigned int) tag); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +@@ -789,7 +790,8 @@ + if (!fip) { + TIFFErrorExt(tif->tif_clientdata, "TIFFFieldWithName", + "Internal error, unknown tag %s", field_name); +- assert(fip != NULL); ++ /* assert(fip != NULL); */ ++ + /*NOTREACHED*/ + } + return (fip); +diff -ru tiff-3.8.2/libtiff/tif_dirread.c tiff-3.8.2-goo/libtiff/tif_dirread.c +--- tiff-3.8.2/libtiff/tif_dirread.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_dirread.c 2006-07-14 13:52:00.842557000 +0100 +@@ -29,6 +29,9 @@ + * + * Directory Read Support Routines. + */ ++ ++#include ++ + #include "tiffiop.h" + + #define IGNORE 0 /* tag placeholder used below */ +@@ -81,6 +84,7 @@ + uint16 dircount; + toff_t nextdiroff; + int diroutoforderwarning = 0; ++ int compressionknown = 0; + toff_t* new_dirlist; + + tif->tif_diroff = tif->tif_nextdiroff; +@@ -147,13 +151,20 @@ + } else { + toff_t off = tif->tif_diroff; + +- if (off + sizeof (uint16) > tif->tif_size) { +- TIFFErrorExt(tif->tif_clientdata, module, +- "%s: Can not read TIFF directory count", +- tif->tif_name); +- return (0); ++ /* ++ * Check for integer overflow when validating the dir_off, otherwise ++ * a very high offset may cause an OOB read and crash the client. ++ * -- taviso@google.com, 14 Jun 2006. ++ */ ++ if (off + sizeof (uint16) > tif->tif_size || ++ off > (UINT_MAX - sizeof(uint16))) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "%s: Can not read TIFF directory count", ++ tif->tif_name); ++ return (0); + } else +- _TIFFmemcpy(&dircount, tif->tif_base + off, sizeof (uint16)); ++ _TIFFmemcpy(&dircount, tif->tif_base + off, ++ sizeof (uint16)); + off += sizeof (uint16); + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabShort(&dircount); +@@ -254,6 +265,7 @@ + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; ++ + if (fix >= tif->tif_nfields || + tif->tif_fieldinfo[fix]->field_tag != dp->tdir_tag) { + +@@ -264,17 +276,23 @@ + dp->tdir_tag, + dp->tdir_tag, + dp->tdir_type); +- +- TIFFMergeFieldInfo(tif, +- _TIFFCreateAnonFieldInfo(tif, +- dp->tdir_tag, +- (TIFFDataType) dp->tdir_type), +- 1 ); ++ /* ++ * creating anonymous fields prior to knowing the compression ++ * algorithm (ie, when the field info has been merged) could cause ++ * crashes with pathological directories. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (compressionknown) ++ TIFFMergeFieldInfo(tif, _TIFFCreateAnonFieldInfo(tif, dp->tdir_tag, ++ (TIFFDataType) dp->tdir_type), 1 ); ++ else goto ignore; ++ + fix = 0; + while (fix < tif->tif_nfields && + tif->tif_fieldinfo[fix]->field_tag < dp->tdir_tag) + fix++; + } ++ + /* + * Null out old tags that we ignore. + */ +@@ -326,6 +344,7 @@ + dp->tdir_type, dp->tdir_offset); + if (!TIFFSetField(tif, dp->tdir_tag, (uint16)v)) + goto bad; ++ else compressionknown++; + break; + /* XXX: workaround for broken TIFFs */ + } else if (dp->tdir_type == TIFF_LONG) { +@@ -540,6 +559,7 @@ + * Attempt to deal with a missing StripByteCounts tag. + */ + if (!TIFFFieldSet(tif, FIELD_STRIPBYTECOUNTS)) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * Some manufacturers violate the spec by not giving + * the size of the strips. In this case, assume there +@@ -556,7 +576,7 @@ + "%s: TIFF directory is missing required " + "\"%s\" field, calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + /* +@@ -580,6 +600,7 @@ + } else if (td->td_nstrips == 1 + && td->td_stripoffset[0] != 0 + && BYTECOUNTLOOKSBAD) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Plexus (and others) sometimes give a value of zero for + * a tag when they don't know what the correct value is! Try +@@ -589,13 +610,14 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Bogus \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if(EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } else if (td->td_planarconfig == PLANARCONFIG_CONTIG + && td->td_nstrips > 2 + && td->td_compression == COMPRESSION_NONE + && td->td_stripbytecount[0] != td->td_stripbytecount[1]) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, TIFFTAG_STRIPBYTECOUNTS); + /* + * XXX: Some vendors fill StripByteCount array with absolutely + * wrong values (it can be equal to StripOffset array, for +@@ -604,7 +626,7 @@ + TIFFWarningExt(tif->tif_clientdata, module, + "%s: Wrong \"%s\" field, ignoring and calculating from imagelength", + tif->tif_name, +- _TIFFFieldWithTag(tif,TIFFTAG_STRIPBYTECOUNTS)->field_name); ++ fip ? fip->field_name : "Unknown"); + if (EstimateStripByteCounts(tif, dir, dircount) < 0) + goto bad; + } +@@ -870,7 +892,13 @@ + + register TIFFDirEntry *dp; + register TIFFDirectory *td = &tif->tif_dir; +- uint16 i; ++ ++ /* i is used to iterate over td->td_nstrips, so must be ++ * at least the same width. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ ++ uint32 i; + + if (td->td_stripbytecount) + _TIFFfree(td->td_stripbytecount); +@@ -947,16 +975,18 @@ + static int + CheckDirCount(TIFF* tif, TIFFDirEntry* dir, uint32 count) + { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ + if (count > dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag ignored", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (0); + } else if (count < dir->tdir_count) { + TIFFWarningExt(tif->tif_clientdata, tif->tif_name, + "incorrect count for field \"%s\" (%lu, expecting %lu); tag trimmed", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, ++ fip ? fip->field_name : "Unknown", + dir->tdir_count, count); + return (1); + } +@@ -970,6 +1000,7 @@ + TIFFFetchData(TIFF* tif, TIFFDirEntry* dir, char* cp) + { + int w = TIFFDataWidth((TIFFDataType) dir->tdir_type); ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + tsize_t cc = dir->tdir_count * w; + + /* Check for overflow. */ +@@ -1013,7 +1044,7 @@ + bad: + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Error fetching data for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + return (tsize_t) 0; + } + +@@ -1039,10 +1070,12 @@ + static int + cvtRational(TIFF* tif, TIFFDirEntry* dir, uint32 num, uint32 denom, float* rv) + { ++ const TIFFFieldInfo* fip; + if (denom == 0) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "%s: Rational with zero denominator (num = %lu)", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name, num); ++ fip ? fip->field_name : "Unknown", num); + return (0); + } else { + if (dir->tdir_type == TIFF_RATIONAL) +@@ -1159,6 +1192,20 @@ + static int + TIFFFetchShortPair(TIFF* tif, TIFFDirEntry* dir) + { ++ /* ++ * Prevent overflowing the v stack arrays below by performing a sanity ++ * check on tdir_count, this should never be greater than two. ++ * -- taviso@google.com 14 Jun 2006. ++ */ ++ if (dir->tdir_count > 2) { ++ const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); ++ TIFFWarningExt(tif->tif_clientdata, tif->tif_name, ++ "unexpected count for field \"%s\", %lu, expected 2; ignored.", ++ fip ? fip->field_name : "Unknown", ++ dir->tdir_count); ++ return 0; ++ } ++ + switch (dir->tdir_type) { + case TIFF_BYTE: + case TIFF_SBYTE: +@@ -1329,14 +1376,15 @@ + case TIFF_DOUBLE: + return (TIFFFetchDoubleArray(tif, dir, (double*) v)); + default: ++ { const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + /* TIFF_NOTYPE */ + /* TIFF_ASCII */ + /* TIFF_UNDEFINED */ + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "cannot read TIFF_ANY type %d for field \"%s\"", + dir->tdir_type, +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); +- return (0); ++ fip ? fip->field_name : "Unknown"); ++ return (0); } + } + return (1); + } +@@ -1351,6 +1399,9 @@ + int ok = 0; + const TIFFFieldInfo* fip = _TIFFFieldWithTag(tif, dp->tdir_tag); + ++ if (fip == NULL) { ++ return (0); ++ } + if (dp->tdir_count > 1) { /* array of values */ + char* cp = NULL; + +@@ -1493,6 +1544,7 @@ + TIFFFetchPerSampleShorts(TIFF* tif, TIFFDirEntry* dir, uint16* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1510,9 +1562,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1534,6 +1587,7 @@ + TIFFFetchPerSampleLongs(TIFF* tif, TIFFDirEntry* dir, uint32* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1551,9 +1605,10 @@ + check_count = samples; + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +@@ -1574,6 +1629,7 @@ + TIFFFetchPerSampleAnys(TIFF* tif, TIFFDirEntry* dir, double* pl) + { + uint16 samples = tif->tif_dir.td_samplesperpixel; ++ const TIFFFieldInfo* fip; + int status = 0; + + if (CheckDirCount(tif, dir, (uint32) samples)) { +@@ -1591,9 +1647,10 @@ + + for (i = 1; i < check_count; i++) + if (v[i] != v[0]) { ++ fip = _TIFFFieldWithTag(tif, dir->tdir_tag); + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "Cannot handle different per-sample values for field \"%s\"", +- _TIFFFieldWithTag(tif, dir->tdir_tag)->field_name); ++ fip ? fip->field_name : "Unknown"); + goto bad; + } + *pl = v[0]; +diff -ru tiff-3.8.2/libtiff/tif_fax3.c tiff-3.8.2-goo/libtiff/tif_fax3.c +--- tiff-3.8.2/libtiff/tif_fax3.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_fax3.c 2006-07-14 13:52:00.669557000 +0100 +@@ -1136,6 +1136,7 @@ + Fax3VSetField(TIFF* tif, ttag_t tag, va_list ap) + { + Fax3BaseState* sp = Fax3State(tif); ++ const TIFFFieldInfo* fip; + + assert(sp != 0); + assert(sp->vsetparent != 0); +@@ -1181,7 +1182,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +diff -ru tiff-3.8.2/libtiff/tif_jpeg.c tiff-3.8.2-goo/libtiff/tif_jpeg.c +--- tiff-3.8.2/libtiff/tif_jpeg.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_jpeg.c 2006-07-14 13:52:00.655560000 +0100 +@@ -722,15 +722,31 @@ + segment_width = TIFFhowmany(segment_width, sp->h_sampling); + segment_height = TIFFhowmany(segment_height, sp->v_sampling); + } +- if (sp->cinfo.d.image_width != segment_width || +- sp->cinfo.d.image_height != segment_height) { ++ if (sp->cinfo.d.image_width < segment_width || ++ sp->cinfo.d.image_height < segment_height) { + TIFFWarningExt(tif->tif_clientdata, module, + "Improper JPEG strip/tile size, expected %dx%d, got %dx%d", + segment_width, + segment_height, + sp->cinfo.d.image_width, + sp->cinfo.d.image_height); ++ } ++ ++ if (sp->cinfo.d.image_width > segment_width || ++ sp->cinfo.d.image_height > segment_height) { ++ /* ++ * This case could be dangerous, if the strip or tile size has been ++ * reported as less than the amount of data jpeg will return, some ++ * potential security issues arise. Catch this case and error out. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "JPEG strip/tile size exceeds expected dimensions," ++ "expected %dx%d, got %dx%d", segment_width, segment_height, ++ sp->cinfo.d.image_width, sp->cinfo.d.image_height); ++ return (0); + } ++ + if (sp->cinfo.d.num_components != + (td->td_planarconfig == PLANARCONFIG_CONTIG ? + td->td_samplesperpixel : 1)) { +@@ -761,6 +777,22 @@ + sp->cinfo.d.comp_info[0].v_samp_factor, + sp->h_sampling, sp->v_sampling); + ++ /* ++ * There are potential security issues here for decoders that ++ * have already allocated buffers based on the expected sampling ++ * factors. Lets check the sampling factors dont exceed what ++ * we were expecting. ++ * -- taviso@google.com 14 June 2006 ++ */ ++ if (sp->cinfo.d.comp_info[0].h_samp_factor > sp->h_sampling || ++ sp->cinfo.d.comp_info[0].v_samp_factor > sp->v_sampling) { ++ TIFFErrorExt(tif->tif_clientdata, module, ++ "Cannot honour JPEG sampling factors that" ++ " exceed those specified."); ++ return (0); ++ } ++ ++ + /* + * XXX: Files written by the Intergraph software + * has different sampling factors stored in the +@@ -1521,15 +1553,18 @@ + { + JPEGState *sp = JState(tif); + +- assert(sp != 0); ++ /* assert(sp != 0); */ + + tif->tif_tagmethods.vgetfield = sp->vgetparent; + tif->tif_tagmethods.vsetfield = sp->vsetparent; + +- if( sp->cinfo_initialized ) +- TIFFjpeg_destroy(sp); /* release libjpeg resources */ +- if (sp->jpegtables) /* tag value */ +- _TIFFfree(sp->jpegtables); ++ if (sp != NULL) { ++ if( sp->cinfo_initialized ) ++ TIFFjpeg_destroy(sp); /* release libjpeg resources */ ++ if (sp->jpegtables) /* tag value */ ++ _TIFFfree(sp->jpegtables); ++ } ++ + _TIFFfree(tif->tif_data); /* release local state */ + tif->tif_data = NULL; + +@@ -1541,6 +1576,7 @@ + { + JPEGState* sp = JState(tif); + TIFFDirectory* td = &tif->tif_dir; ++ const TIFFFieldInfo* fip; + uint32 v32; + + assert(sp != NULL); +@@ -1606,7 +1642,13 @@ + default: + return (*sp->vsetparent)(tif, tag, ap); + } +- TIFFSetFieldBit(tif, _TIFFFieldWithTag(tif, tag)->field_bit); ++ ++ if ((fip = _TIFFFieldWithTag(tif, tag))) { ++ TIFFSetFieldBit(tif, fip->field_bit); ++ } else { ++ return (0); ++ } ++ + tif->tif_flags |= TIFF_DIRTYDIRECT; + return (1); + } +@@ -1726,7 +1768,11 @@ + { + JPEGState* sp = JState(tif); + +- assert(sp != NULL); ++ /* assert(sp != NULL); */ ++ if (sp == NULL) { ++ TIFFWarningExt(tif->tif_clientdata, "JPEGPrintDir", "Unknown JPEGState"); ++ return; ++ } + + (void) flags; + if (TIFFFieldSet(tif,FIELD_JPEGTABLES)) +diff -ru tiff-3.8.2/libtiff/tif_next.c tiff-3.8.2-goo/libtiff/tif_next.c +--- tiff-3.8.2/libtiff/tif_next.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_next.c 2006-07-14 13:52:00.556567000 +0100 +@@ -105,11 +105,16 @@ + * as codes of the form + * until we've filled the scanline. + */ ++ /* ++ * Ensure the run does not exceed the scanline ++ * bounds, potentially resulting in a security issue. ++ * -- taviso@google.com 14 Jun 2006. ++ */ + op = row; + for (;;) { + grey = (n>>6) & 0x3; + n &= 0x3f; +- while (n-- > 0) ++ while (n-- > 0 && npixels < imagewidth) + SETPIXEL(op, grey); + if (npixels >= (int) imagewidth) + break; +diff -ru tiff-3.8.2/libtiff/tif_pixarlog.c tiff-3.8.2-goo/libtiff/tif_pixarlog.c +--- tiff-3.8.2/libtiff/tif_pixarlog.c 2006-03-21 16:42:50.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_pixarlog.c 2006-07-14 13:52:00.483557000 +0100 +@@ -768,7 +768,19 @@ + if (tif->tif_flags & TIFF_SWAB) + TIFFSwabArrayOfShort(up, nsamples); + +- for (i = 0; i < nsamples; i += llen, up += llen) { ++ /* ++ * if llen is not an exact multiple of nsamples, the decode operation ++ * may overflow the output buffer, so truncate it enough to prevent that ++ * but still salvage as much data as possible. ++ * -- taviso@google.com 14th June 2006 ++ */ ++ if (nsamples % llen) ++ TIFFWarningExt(tif->tif_clientdata, module, ++ "%s: stride %lu is not a multiple of sample count, " ++ "%lu, data truncated.", tif->tif_name, llen, nsamples); ++ ++ ++ for (i = 0; i < nsamples - (nsamples % llen); i += llen, up += llen) { + switch (sp->user_datafmt) { + case PIXARLOGDATAFMT_FLOAT: + horizontalAccumulateF(up, llen, sp->stride, +diff -ru tiff-3.8.2/libtiff/tif_read.c tiff-3.8.2-goo/libtiff/tif_read.c +--- tiff-3.8.2/libtiff/tif_read.c 2005-12-21 12:33:56.000000000 +0000 ++++ tiff-3.8.2-goo/libtiff/tif_read.c 2006-07-14 13:52:00.467568000 +0100 +@@ -31,6 +31,8 @@ + #include "tiffiop.h" + #include + ++#include ++ + int TIFFFillStrip(TIFF*, tstrip_t); + int TIFFFillTile(TIFF*, ttile_t); + static int TIFFStartStrip(TIFF*, tstrip_t); +@@ -272,7 +274,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[strip] + bytecount > tif->tif_size) { ++ /* ++ * This sanity check could potentially overflow, causing an OOB read. ++ * verify that offset + bytecount is > offset. ++ * -- taviso@google.com 14 Jun 2006 ++ */ ++ if ( td->td_stripoffset[strip] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[strip])) { + /* + * This error message might seem strange, but it's + * what would happen if a read were done instead. +@@ -470,7 +478,13 @@ + if ((tif->tif_flags & TIFF_MYBUFFER) && tif->tif_rawdata) + _TIFFfree(tif->tif_rawdata); + tif->tif_flags &= ~TIFF_MYBUFFER; +- if ( td->td_stripoffset[tile] + bytecount > tif->tif_size) { ++ /* ++ * We must check this calculation doesnt overflow, potentially ++ * causing an OOB read. ++ * -- taviso@google.com 15 Jun 2006 ++ */ ++ if (td->td_stripoffset[tile] + bytecount > tif->tif_size || ++ bytecount > (UINT_MAX - td->td_stripoffset[tile])) { + tif->tif_curtile = NOTILE; + return (0); + } --- tiff-3.8.2.orig/debian/patches/z_CVE-2012-2113.patch +++ tiff-3.8.2/debian/patches/z_CVE-2012-2113.patch @@ -0,0 +1,263 @@ +Description: fix possible arbitrary code execution via integer + overflows in tiff2pdf +Origin: thanks to Red Hat +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1016324 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678140 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=810551 + +diff -Naurp tiff-3.8.2.ori/tools/tiff2pdf.c tiff-3.8.2/tools/tiff2pdf.c +--- tiff-3.8.2.ori/tools/tiff2pdf.c 2012-07-04 11:08:21.743665954 -0400 ++++ tiff-3.8.2/tools/tiff2pdf.c 2012-07-04 11:14:58.847676122 -0400 +@@ -28,6 +28,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -42,6 +43,8 @@ + #define NULL ((void*)0) + #endif + ++typedef uint64_t uint64; ++ + #if defined(VMS) + #define unlink remove + #endif +@@ -313,6 +316,34 @@ tsize_t t2p_write_pdf_xobject_stream_fil + tsize_t t2p_write_pdf_xreftable(T2P*, TIFF*); + tsize_t t2p_write_pdf_trailer(T2P*, TIFF*); + ++static uint64 ++checkAdd64(uint64 summand1, uint64 summand2, T2P* t2p) ++{ ++ uint64 bytes = summand1 + summand2; ++ ++ if (bytes - summand1 != summand2) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ bytes = 0; ++ } ++ ++ return bytes; ++} ++ ++static uint64 ++checkMultiply64(uint64 first, uint64 second, T2P* t2p) ++{ ++ uint64 bytes = first * second; ++ ++ if (second && bytes / second != first) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ bytes = 0; ++ } ++ ++ return bytes; ++} ++ + /* + + This is the main function. +@@ -1754,9 +1785,7 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* + tstrip_t i=0; + tstrip_t stripcount=0; + #endif +-#ifdef OJPEG_SUPPORT +- tsize_t k = 0; +-#endif ++ uint64 k = 0; + + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ + #ifdef CCITT_SUPPORT +@@ -1784,19 +1813,25 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* + } + stripcount=TIFFNumberOfStrips(input); + for(i=0;itiff_dataoffset))){ + if(t2p->tiff_dataoffset != 0){ + if(TIFFGetField(input, TIFFTAG_JPEGIFBYTECOUNT, &(t2p->tiff_datasize))!=0){ + if(t2p->tiff_datasize < k) { +- t2p->pdf_ojpegiflength=t2p->tiff_datasize; +- t2p->tiff_datasize+=k; +- t2p->tiff_datasize+=6; +- t2p->tiff_datasize+=2*stripcount; + TIFFWarning(TIFF2PDF_MODULE, + "Input file %s has short JPEG interchange file byte count", + TIFFFileName(input)); ++ t2p->pdf_ojpegiflength=t2p->tiff_datasize; ++ k = checkAdd64(k, t2p->tiff_datasize, t2p); ++ k = checkAdd64(k, 6, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + return; +@@ -1809,9 +1844,14 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* + } + } + } +- t2p->tiff_datasize+=k; +- t2p->tiff_datasize+=2*stripcount; +- t2p->tiff_datasize+=2048; ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, stripcount, t2p); ++ k = checkAdd64(k, 2048, t2p); ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + #endif +@@ -1819,11 +1859,11 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* + if(t2p->tiff_compression == COMPRESSION_JPEG){ + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16, &jpt) != 0 ){ + if(xuint16>4){ +- t2p->tiff_datasize+= xuint16; +- t2p->tiff_datasize -=2; /* don't use EOI of header */ ++ k += xuint16; ++ k -= 2; /* don't use EOI of header */ + } + } else { +- t2p->tiff_datasize=2; /* SOI for first strip */ ++ k = 2; /* SOI for first strip */ + } + stripcount=TIFFNumberOfStrips(input); + if(!TIFFGetField(input, TIFFTAG_STRIPBYTECOUNTS, &sbc)){ +@@ -1834,17 +1874,32 @@ void t2p_read_tiff_size(T2P* t2p, TIFF* + return; + } + for(i=0;itiff_datasize += sbc[i]; +- t2p->tiff_datasize -=4; /* don't use SOI or EOI of strip */ ++ k = checkAdd64(k, sbc[i], t2p); ++ k -=4; /* don't use SOI or EOI of strip */ ++ } ++ k = checkAdd64(k, 2, t2p); /* use EOI of last strip */ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } +- t2p->tiff_datasize +=2; /* use EOI of last strip */ + } + #endif + (void) 0; + } +- t2p->tiff_datasize=TIFFScanlineSize(input) * t2p->tiff_length; ++ k = checkMultiply64(TIFFScanlineSize(input), t2p->tiff_length, t2p); + if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ +- t2p->tiff_datasize*= t2p->tiff_samplesperpixel; ++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++ } ++ if (k == 0) { ++ /* Assume we had overflow inside TIFFScanlineSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } ++ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } + + return; +@@ -1863,6 +1918,7 @@ void t2p_read_tiff_size_tile(T2P* t2p, T + uint16 xuint16=0; + unsigned char* jpt; + #endif ++ uint64 k; + + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); +@@ -1874,32 +1930,50 @@ void t2p_read_tiff_size_tile(T2P* t2p, T + #endif + ){ + t2p->tiff_datasize=TIFFTileSize(input); ++ if (t2p->tiff_datasize == 0) { ++ /* Assume we had overflow inside TIFFTileSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } else { + TIFFGetField(input, TIFFTAG_TILEBYTECOUNTS, &tbc); +- t2p->tiff_datasize=tbc[tile]; ++ k=tbc[tile]; + #ifdef OJPEG_SUPPORT + if(t2p->tiff_compression==COMPRESSION_OJPEG){ +- t2p->tiff_datasize+=2048; +- return; ++ k = checkAdd64(k, 2048, t2p); + } + #endif + #ifdef JPEG_SUPPORT + if(t2p->tiff_compression==COMPRESSION_JPEG){ + if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &xuint16, &jpt)!=0){ + if(xuint16>4){ +- t2p->tiff_datasize+=xuint16; +- t2p->tiff_datasize-=4; /* don't use EOI of header or SOI of tile */ ++ k = checkAdd64(k, xuint16, t2p); ++ k -= 4; /* don't use EOI of header or SOI of tile */ + } + } + } + #endif ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } + return; + } + } +- t2p->tiff_datasize=TIFFTileSize(input); ++ k = TIFFTileSize(input); + if(t2p->tiff_planar==PLANARCONFIG_SEPARATE){ +- t2p->tiff_datasize*= t2p->tiff_samplesperpixel; ++ k = checkMultiply64(k, t2p->tiff_samplesperpixel, t2p); ++ } ++ if (k == 0) { ++ /* Assume we had overflow inside TIFFTileSize */ ++ t2p->t2p_error = T2P_ERR_ERROR; ++ } ++ ++ t2p->tiff_datasize = (tsize_t) k; ++ if ((uint64) t2p->tiff_datasize != k) { ++ TIFFError(TIFF2PDF_MODULE, "Integer overflow"); ++ t2p->t2p_error = T2P_ERR_ERROR; + } + + return; +@@ -2045,6 +2119,10 @@ tsize_t t2p_readwrite_pdf_image(T2P* t2p + uint32 max_striplength=0; + #endif + ++ /* Fail if prior error (in particular, can't trust tiff_datasize) */ ++ if (t2p->t2p_error != T2P_ERR_OK) ++ return(0); ++ + if(t2p->pdf_transcode == T2P_TRANSCODE_RAW){ + #ifdef CCITT_SUPPORT + if(t2p->pdf_compression == T2P_COMPRESS_G4){ +@@ -2582,6 +2660,10 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P + uint32 xuint32=0; + #endif + ++ /* Fail if prior error (in particular, can't trust tiff_datasize) */ ++ if (t2p->t2p_error != T2P_ERR_OK) ++ return(0); ++ + edge |= t2p_tile_is_right_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + edge |= t2p_tile_is_bottom_edge(t2p->tiff_tiles[t2p->pdf_page], tile); + --- tiff-3.8.2.orig/debian/patches/tiff2pdf-compression.patch +++ tiff-3.8.2/debian/patches/tiff2pdf-compression.patch @@ -0,0 +1,44 @@ +--- tiff-3.8.2/tools/tiff2pdf.c 8 Jun 2006 11:27:11 -0000 1.35 ++++ tiff-3.8.2/tools/tiff2pdf.c 19 Jun 2006 20:12:08 -0000 1.36 +@@ -937,7 +937,7 @@ + + #ifdef JPEG_SUPPORT + if(t2p->pdf_defaultcompression==T2P_COMPRESS_JPEG){ +- if(t2p->pdf_defaultcompressionquality<100 || ++ if(t2p->pdf_defaultcompressionquality>100 || + t2p->pdf_defaultcompressionquality<1){ + t2p->pdf_defaultcompressionquality=0; + } +@@ -945,25 +945,17 @@ + #endif + #ifdef ZIP_SUPPORT + if(t2p->pdf_defaultcompression==T2P_COMPRESS_ZIP){ +- switch (t2p->pdf_defaultcompressionquality){ +- case 1: case 10: case 11: case 12: case 13: case 14: case 15: +- case 101: case 110: case 111: case 112: case 113: case 114: case 115: +- case 201: case 210: case 211: case 212: case 213: case 214: case 215: +- case 301: case 310: case 311: case 312: case 313: case 314: case 315: +- case 401: case 410: case 411: case 412: case 413: case 414: case 415: +- case 501: case 510: case 511: case 512: case 513: case 514: case 515: +- case 601: case 610: case 611: case 612: case 613: case 614: case 615: +- case 701: case 710: case 711: case 712: case 713: case 714: case 715: +- case 801: case 810: case 811: case 812: case 813: case 814: case 815: +- case 901: case 910: case 911: case 912: case 913: case 914: case 915: +- break; +- default: +- t2p->pdf_defaultcompressionquality=0; ++ uint16 m=t2p->pdf_defaultcompressionquality%100; ++ if(t2p->pdf_defaultcompressionquality/100 > 9 || ++ (m>1 && m<10) || m>15){ ++ t2p->pdf_defaultcompressionquality=0; + } + if(t2p->pdf_defaultcompressionquality%100 !=0){ ++ t2p->pdf_defaultcompressionquality/=100; ++ t2p->pdf_defaultcompressionquality*=100; + TIFFError( + TIFF2PDF_MODULE, +- "PNG Group predictor differencing not implemented, assuming compresion quality %u", ++ "PNG Group predictor differencing not implemented, assuming compression quality %u", + t2p->pdf_defaultcompressionquality); + } + t2p->pdf_defaultcompressionquality%=100; --- tiff-3.8.2.orig/debian/patches/z_CVE-2012-3401.patch +++ tiff-3.8.2/debian/patches/z_CVE-2012-3401.patch @@ -0,0 +1,15 @@ +Description: fix possible arbitrary code execution via heap overflow + in tiff2pdf. +Origin: Patch thanks to Huzaifa Sidhpurwala + +diff -Naur tiff-3.8.2.ori/tools/tiff2pdf.c tiff-3.8.2/tools/tiff2pdf.c +--- tiff-3.8.2.ori/tools/tiff2pdf.c 2012-07-16 10:05:01.888998438 -0400 ++++ tiff-3.8.2/tools/tiff2pdf.c 2012-07-16 10:05:25.768999050 -0400 +@@ -1046,6 +1046,7 @@ + "Can't set directory %u of input file %s", + i, + TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ --- tiff-3.8.2.orig/debian/patches/CVE-2009-2285.patch +++ tiff-3.8.2/debian/patches/CVE-2009-2285.patch @@ -0,0 +1,29 @@ +# +# Description: fix denial of service via buffer underflow in the LZWDecodeCompat function +# Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/380149 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534137 +# Upstream: http://bugzilla.maptools.org/show_bug.cgi?id=2065 +# Upstream: http://bugzilla.maptools.org/show_bug.cgi?id=1985 +# Patch: http://bugzilla.maptools.org/attachment.cgi?id=279 +# +diff -Naur tiff-3.8.2.orig/libtiff/tif_lzw.c tiff-3.8.2/libtiff/tif_lzw.c +--- tiff-3.8.2.orig/libtiff/tif_lzw.c 2009-07-03 14:53:12.000000000 -0400 ++++ tiff-3.8.2/libtiff/tif_lzw.c 2009-07-03 14:53:37.000000000 -0400 +@@ -422,7 +422,7 @@ + NextCode(tif, sp, bp, code, GetNextCode); + if (code == CODE_EOI) + break; +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); +@@ -626,7 +626,7 @@ + NextCode(tif, sp, bp, code, GetNextCodeCompat); + if (code == CODE_EOI) + break; +- if (code == CODE_CLEAR) { ++ if (code >= CODE_CLEAR) { + TIFFErrorExt(tif->tif_clientdata, tif->tif_name, + "LZWDecode: Corrupted LZW table at scanline %d", + tif->tif_row); --- tiff-3.8.2.orig/debian/libtiff-tools.lintian +++ tiff-3.8.2/debian/libtiff-tools.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff-tools: description-synopsis-starts-with-a-capital-letter --- tiff-3.8.2.orig/debian/all-preinst +++ tiff-3.8.2/debian/all-preinst @@ -0,0 +1,6 @@ +#!/bin/sh + +if [ "x$1" = "xupgrade" -a \ + -d /usr/share/doc/PKG -a ! -h /usr/share/doc/PKG ]; then + rm -rf /usr/share/doc/PKG +fi --- tiff-3.8.2.orig/debian/libtiffxx0c2.shlibs +++ tiff-3.8.2/debian/libtiffxx0c2.shlibs @@ -0,0 +1 @@ +libtiffxx 0 libtiffxx0c2 --- tiff-3.8.2.orig/debian/libtiff4-dev.doc-base +++ tiff-3.8.2/debian/libtiff4-dev.doc-base @@ -0,0 +1,9 @@ +Document: libtiff4 +Title: TIFF Software +Author: Sam Leffler +Abstract: Support for the Tag Image File Format (TIFF) for storing image data. +Section: Apps/Graphics + +Format: HTML +Index: /usr/share/doc/libtiff4/html/index.html +Files: /usr/share/doc/libtiff4/html/*.html --- tiff-3.8.2.orig/debian/README.Debian +++ tiff-3.8.2/debian/README.Debian @@ -0,0 +1,26 @@ +libtiff for Debian ++----------------+ + +This version of libtiff is installed with a different shared library +soname from the upstream version. This is because an accidental +change to the library's ABI was introduced somewhere between 3.5.7 and +3.6.1. There are no source-level incompatibilities between 3.5.7 and +the current version, so any application that worked with 3.5.7 should +work fine when recompiled with the libtiff4 packages. + +libtiff version 3.7.1 introduced an experimental and minimal C++ +interface. To use it, you must link against -ltiffxx. + +libtiff version 3.8.0 upstream introduced another binary +incompatibility, but it was fixed within a few days of 3.8.0's +release, and the binary incompatible never appeared in any debian +version of the tiff packages. + +Example tiff files are available: + + ftp://ftp.remotesensing.org/pub/libtiff/pics-.tar.gz + +These files may be useful for people testing software to make sure it +can work with a wide variety of tiff files. + + -- Jay Berkenbilt , Tue, 28 Mar 2006 21:39:25 -0500 --- tiff-3.8.2.orig/debian/libtiff4.shlibs +++ tiff-3.8.2/debian/libtiff4.shlibs @@ -0,0 +1 @@ +libtiff 4 libtiff4 --- tiff-3.8.2.orig/debian/libtiff-opengl.lintian +++ tiff-3.8.2/debian/libtiff-opengl.lintian @@ -0,0 +1,5 @@ +# +# The synopsis line starts with a capital letter because of the TIFF +# acronym, not because it contains a sentence. +# +libtiff-opengl: description-synopsis-starts-with-a-capital-letter --- tiff-3.8.2.orig/README.maintainer +++ tiff-3.8.2/README.maintainer @@ -0,0 +1,16 @@ + +The tiff upstream maintainers have a tendency to make mistakes that +introduce binary incompatibility between one version of tiff and +another. In order to verify binary compatibility, it is strongly +recommended to build a new library and install the new library without +installing the new tools. Then test the tools with the test images +provided by upstream. + +Additionally, when checking the sources to look for ABI changes, you +must check both the public header files (tiff.h and tiffio.h) and the +source file libtiff/tif_dirinfo.c which maps tag names to types. +Changes in the tag name to type mapping also result in binary +incompatibility because of the field setting and getting functions +using variable arguments. + + -- Jay Berkenbilt , Tue Mar 28 21:37:40 2006