[Bug 1016987] Re: Sync tiff 4.0.1-8 (main) from Debian unstable (main)

Jeremy Bicha jeremy at bicha.net
Sun Jun 24 04:01:24 UTC 2012


I guess this would actually need tiff3 to be synced also. An entry in
http://people.canonical.com/~ubuntu-archive/sync-blacklist.txt says...

# cjwatson, 2012-06-01
# Temporary blacklist entries for quantal, requiring manual resolution due
# to conflicts with existing Ubuntu-versioned binaries.
...
tiff3 # requires jbigkit MIR

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1016987

Title:
  Sync tiff 4.0.1-8 (main) from Debian unstable (main)

Status in “tiff” package in Ubuntu:
  New

Bug description:
  Please sync tiff 4.0.1-8 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: arbitrary code execution via size overflow
      - debian/patches/CVE-2012-1173.patch: use TIFFSafeMultiply in
        libtiff/tif_getimage.c, fix TIFFSafeMultiply in libtiff/tiffiop.h.
      - CVE-2012-1173

  Fixed in 4.0.1-2.

  Changelog entries since current quantal version 3.9.5-2ubuntu1:

  tiff (4.0.1-8) unstable; urgency=low

    * Call glFlush() in tiffgt to fix display problems.  From
      https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/797166.

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 16 Jun 2012 21:20:04 -0400

  tiff (4.0.1-7) unstable; urgency=low

    * Add new temporary package libtiff5-alt-dev, which provides libtiff5
      development files in a location that doesn't conflict with
      libtiff4-dev.  See README.Debian for details.

   -- Jay Berkenbilt <qjb at debian.org>  Thu, 24 May 2012 15:24:36 -0400

  tiff (4.0.1-6) unstable; urgency=low

    * Include pkg-config files

   -- Jay Berkenbilt <qjb at debian.org>  Sun, 13 May 2012 12:53:38 -0400

  tiff (4.0.1-5) unstable; urgency=low

    * Fix shlibs again.

   -- Jay Berkenbilt <qjb at debian.org>  Sun, 22 Apr 2012 11:41:44 -0400

  tiff (4.0.1-4) unstable; urgency=low

    * Use >= instead of > in shlibs file.

   -- Jay Berkenbilt <qjb at debian.org>  Sun, 22 Apr 2012 10:57:02 -0400

  tiff (4.0.1-3) unstable; urgency=low

    * Support JBIG now that patents have expired. (Closes: #667835)
    * Support LZMA.

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 14 Apr 2012 19:03:04 -0400

  tiff (4.0.1-2) unstable; urgency=high

    * Incorporated fix to CVE-2012-1173, a problem in the parsing of the
      TileSize entry, which could result in the execution of arbitrary code
      if a malformed image is opened.
    * Updated standards to 3.9.3

   -- Jay Berkenbilt <qjb at debian.org>  Fri, 06 Apr 2012 10:10:48 -0400

  tiff (4.0.1-1) unstable; urgency=low

    * New upstream release
    * Point watch file to new download location

   -- Jay Berkenbilt <qjb at debian.org>  Mon, 20 Feb 2012 09:43:54 -0500

  tiff (4.0.0-2) experimental; urgency=low

    * Rename libtiff-dev -> libtiff5-dev to avoid premature transition for
      packages that explicitly depend on libtiff-dev.  At some future time,
      libtiff5-dev will provide or be renamed back to libtiff-dev.

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 04 Feb 2012 09:41:19 -0500

  tiff (4.0.0-1) experimental; urgency=low

    * New upstream release
    * Enable versioned symbols

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 28 Jan 2012 10:56:23 -0500

  tiff (4.0.0~beta7-2) experimental; urgency=low

    * Incorporated changes from 3.9.5-2: security hardening and
      multiarch

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 17 Sep 2011 10:28:53 -0400

  tiff (4.0.0~beta7-1) experimental; urgency=low

    * New upstream release including many security fixes and other
      improvements
    * Updated changelog with changes from 3.x series.
    * Updated standards version to 3.9.2.  No changes required.

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 16 Apr 2011 13:45:33 -0400

  tiff (4.0.0~beta6-3) experimental; urgency=low

    * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
      putcontig8bitYCbCr11tile", from 3.9.4-4.

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 02 Oct 2010 13:31:41 -0400

  tiff (4.0.0~beta6-2) experimental; urgency=low

    * Incorporate changes from 3.9.4-{2,3} including updating standards
      version to 3.9.1 along with associated fixes.  (CVE-2010-2233 was
      already fixed in this version.)

   -- Jay Berkenbilt <qjb at debian.org>  Sat, 14 Aug 2010 16:36:44 -0400

  tiff (4.0.0~beta6-1) experimental; urgency=low

    * New upstream release

   -- Jay Berkenbilt <qjb at debian.org>  Fri, 18 Jun 2010 21:42:57 -0400

  tiff (4.0.0~beta5-2) experimental; urgency=low

    * Depend on libjpeg-dev instead of libjpeg62-dev.
    * Change source format to '3.0 (quilt)'
    * Update standards version to 3.8.4.  No changes required.

   -- Jay Berkenbilt <qjb at debian.org>  Wed, 10 Feb 2010 19:36:43 -0500

  tiff (4.0.0~beta5-1) experimental; urgency=low

    * New upstream release

   -- Jay Berkenbilt <qjb at debian.org>  Fri, 06 Nov 2009 22:58:07 -0500

  tiff (4.0.0~beta4-1) experimental; urgency=low

    * New upstream release.  All debian patches incorporated among many
      other fixes and enhancements.

   -- Jay Berkenbilt <qjb at debian.org>  Fri, 28 Aug 2009 11:30:09 -0400

  tiff (4.0.0~beta3-2) experimental; urgency=low

    * Fixed previously incorrect patch to lzw problem.

   -- Jay Berkenbilt <qjb at debian.org>  Mon, 24 Aug 2009 14:45:10 -0400

  tiff (4.0.0~beta3-1) experimental; urgency=low

    * New upstream release.  This version is not binary compatible with the
      3.x series, nor is it entirely source compatible, but most
      applications should port easily.

   -- Jay Berkenbilt <qjb at debian.org>  Fri, 21 Aug 2009 13:39:37 -0400
