Changelog tiff (4.1.0+git191117-2ubuntu0.20.04.2)

2021

tiff (4.1.0+git191117-2ubuntu0.20.04.2) focal-security; urgency=medium

   * SECURITY UPDATE: buffer overflow via TIFFTAG_PREDICTOR
     - debian/patches/CVE-2020-19143.patch: TIFFTAG_PREDICTOR is not
       supported for WebP in libtiff/tif_dirinfo.c, tools/tiffcp.c.
     - CVE-2020-19143

tiff (4.1.0+git191117-2ubuntu0.20.04.1) focal-security; urgency=medium

   * SECURITY UPDATE: Integer overflow in tif_getimage.c
     - debian/patches/CVE-2020-35523.patch: check Tile width for overflow in
       libtiff/tif_getimage.c.
     - CVE-2020-35523
   * SECURITY UPDATE: Heap-based buffer overflow in TIFF2PDF tool
     - debian/patches/CVE-2020-35524.patch: properly calculate datasize when
       saving to JPEG YCbCr in tools/tiff2pdf.c.
     - CVE-2020-35524

2020

tiff (4.1.0+git191117-2build1) focal; urgency=medium

   * No-change rebuild for libgcc-s1 package name change.

tiff (4.1.0+git191117-2) unstable; urgency=medium

   * Backport upstream fix for rowsperstrip parse regression in
     OJPEGReadHeaderInfo() (closes: #945402).

2019

tiff (4.1.0+git191117-1) unstable; urgency=medium

   * Git snapshot, fixing the following issues:
     - missing TIFFClose in rgb2ycbcr tool,
     - missing checks on TIFFGetField in tiffcrop tool,
     - broken sanity check in OJPEG,
     - missing generated .sh files for tests.

tiff (4.1.0-1) unstable; urgency=medium

   * New upstream release.
   * Update Standards-Version to 4.4.1 .

tiff (4.0.10+git191003-1) unstable; urgency=high

   * Git snapshot, fixing the following security issue:
     - TIFFReadAndRealloc(): avoid too large memory allocation attempts.

tiff (4.0.10+git190903-1) unstable; urgency=high

   * Git snapshot, fixing the following security issues:
     - setByteArray(): avoid potential signed integer overflow,
     - EstimateStripByteCounts(): avoid several unsigned integer overflows,
     - tif_ojpeg: avoid two unsigned integer overflows,
     - OJPEGWriteHeaderInfo(): avoid unsigned integer overflow on strile
       dimensions close to UINT32_MAX,
     - _TIFFPartialReadStripArray(): avoid unsigned integer overflow,
     - JPEG: avoid use of uninitialized memory on corrupted files,
     - TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t,
     - allocChoppedUpStripArrays(): avoid unsigned integer overflow,
     - tif_ojpeg: avoid use of uninitialized memory on edge/broken file,
     - ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer
       overflows.

tiff (4.0.10+git190818-1) unstable; urgency=high

   * Git snapshot, fixing the following security issues:
     - RGBA interface: fix integer overflow potentially causing write heap
       buffer overflow,
     - setByteArray(): avoid potential signed integer overflow.

tiff (4.0.10+git190814-1) unstable; urgency=high

   * Git snapshot, fixing the following security issues:
     - TryChopUpUncompressedBigTiff(): avoid potential division by zero,
     - fix vulnerability introduced by defer strile loading,
     - fix vulnerability in 'D' (DeferStrileLoad) mode,
     - return infinite distance when denominator is zero,
     - OJPEG: avoid use of uninitialized memory on corrupted files,
     - OJPEG: fix integer division by zero on corrupted subsampling factors,
     - OJPEGReadBufferFill(): avoid very long processing time on corrupted
       files,
     - TIFFClientOpen(): fix memory leak if one of the required callbacks is
       not provided,
     - CVE-2019-14973, fix integer overflow in _TIFFCheckMalloc() and other
       implementation-defined behaviour (closes: #934780).
   * Update libtiff5 symbols.
   * Update Standards-Version to 4.4.0 .

tiff (4.0.10-4) unstable; urgency=high

   * Backport security fixes:
     - CVE-2018-12900: heap-based buffer overflow in
       cpSeparateBufToContigBuf() cause remote DoS (closes: #902718),
     - CVE-2018-17000: NULL pointer dereference in _TIFFmemcmp() cause DoS
       (closes: #908778),
     - CVE-2018-19210: NULL pointer dereference in TIFFWriteDirectorySec()
       cause DoS (closes: #913675),
     - CVE-2019-6128: TIFFFdOpen() memory leak (closes: #921157).
   * Update watch file.
   * Update Standards-Version to 4.3.0 .

2018

tiff (4.0.10-3) unstable; urgency=medium

   * Backport fix for lossless WebP compression config.

tiff (4.0.10-2) unstable; urgency=medium

   * Add libegl1-mesa-dev as build dependency until mesa-common-dev is fixed.

tiff (4.0.10-1) unstable; urgency=high

   * New upstream release.
   * Fix CVE-2018-18661: NULL pointer dereference in LZWDecode()
     (closes: #912012).
   * Move libtiff5-dev contents to libtiff-dev .
   * Mark libtiff-dev as Multi-Arch same (closes: #884978).
   * Mark libtiff-{tools,opengl} as Multi-Arch foreign (closes: #904165).
   * Mark libtiff-doc as Multi-Arch foreign (closes: #907794).
   * Fix TIFFReadRawStrip man page typo (closes: #672858).
   * Update Standards-Version to 4.2.1 .

tiff (4.0.9+git181026-1) unstable; urgency=high

   * Git snapshot, fixing the following security issues:
     - CVE-2018-17100, int32 overflow in multiply_ms() which can cause a DoS
       or possibly have unspecified other impact via a crafted image file
       (closes: #909038),
     - CVE-2018-17101, two out-of-bounds writes in cpTags() which can cause a
       DoS or possibly have unspecified other impact via a crafted image file
       (closes: #909037),
     - CVE-2018-18557, out-of-bounds write in JBIGDecode() (closes: #911635).
   * Remove previously backported security patches.
   * Build with Zstandard, a fast lossless compression algorithm.
   * Build with WebP, the modern VP8 compression format.
   * Update libtiff5 symbols.

tiff (4.0.9-6) unstable; urgency=high

   * Fix CVE-2018-8905: heap-based buffer overflow in LZWDecodeCompat()
     (closes: #893806).
   * Fix CVE-2018-10963: remote denial of service (closes: #898348).

tiff (4.0.9-5) unstable; urgency=high

   * Fix CVE-2017-11613: avoid memory exhaustion in
     ChopUpSingleUncompressedStrip() (closes: #869823).
   * Fix CVE-2018-7456: NULL pointer dereference in TIFFPrintDirectory()
     (closes: #891288).
   * Fix CVE-2017-17095: heap-based buffer overflow in pal2rgb tool
     (closes: #883320).
   * Don't specify parallel to debhelper.
   * Update Standards-Version to 4.1.4 .

tiff (4.0.9-4) unstable; urgency=high

   * Fix CVE-2018-5784: uncontrolled resource consumption in TIFFSetDirectory()
     (closes: #890441).

tiff (4.0.9-3) unstable; urgency=high

   * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory()
     (closes: #885985).

2017

tiff (4.0.9-2) unstable; urgency=high

   * Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf()
     function (closes: #866109).
   * Update debhelper level to 11 .
   * Update Standards-Version to 4.1.2 .

tiff (4.0.9-1) unstable; urgency=medium

   * New upstream release.
   * Remove previously backported security patches.
   * Update libtiff5 symbols.
   * Make -dev recommend pkg-config (closes: #814417).
   * Update debhelper level to 10:
     - don't need to specify 'with autotools-dev' anymore,
     - remove autotools-dev build dependency,
     - remove dh-autoreconf build dependency.
 
   [ Helmut Grohne <helmut@subdivi.de> ]
   * Turn libtiff-dev into a real package (closes: #780807).

tiff (4.0.8-6) unstable; urgency=high

   * Backport security fixes:
     - prevent OOM in gtTileContig() ,
     - prevent OOM in TIFFFetchStripThing() ,
     - CVE-2017-12944, OOM prevention in TIFFReadDirEntryArray()
       (closes: #872607),
     - avoid floating point division by zero in initCIELabConversion() .

tiff (4.0.8-5) unstable; urgency=high

   * Backport security fixes:
     - CVE-2017-13726, reachable assertion abort in TIFFWriteDirectorySec()
       (closes: #873880),
     - CVE-2017-13727, reachable assertion abort in
       TIFFWriteDirectoryTagSubifd() (closes: #873879).

tiff (4.0.8-4) unstable; urgency=high

   * Fix regression in the decoding of old-style LZW compressed files.
   * Fix CVE-2017-11335: heap based buffer write overflow in tiff2pdf
     (closes: #868513).

tiff (4.0.8-3) unstable; urgency=high

   * Backport security fixes:
     - CVE-2017-9936, memory leak in error code path of JBIGDecode()
       (closes: #866113),
     - prevent out of memory in gtTileContig() on corrupted files,
     - CVE-2017-10688, assertion failure in TIFFWriteDirectoryTagCheckedXXXX()
       (closes: #866611).
   * Add required _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbol to the
     libtiff5 package.
   * Update Standards-Version to 4.0.0 .

tiff (4.0.8-2) unstable; urgency=high

   * Backport security fixes:
     - TIFFYCbCrToRGBInit(): stricter clamping to avoid int32 overflow in
       TIFFYCbCrtoRGB(),
     - initYCbCrConversion(): stricter validation for refBlackWhite
       coefficients values - to avoid invalid float->int32 conversion,
     - CVE-2016-10095 and CVE-2017-9147: add _TIFFCheckFieldIsValidForCodec()
       and use it in TIFFReadDirectory() (closes: #850316, #863185).
   * Add required _TIFFCheckFieldIsValidForCodec@LIBTIFF_4.0 symbol to the
     libtiff5 package.

tiff (4.0.8-1) unstable; urgency=high

   * New upstream release of merged security fixes.
   * Add required TIFFReadRGBAStripExt@LIBTIFF_4.0 and
     TIFFReadRGBATileExt@LIBTIFF_4.0 symbols to the libtiff5 package.

tiff (4.0.7-7) unstable; urgency=high

   * Backport security fix for CVE-2016-10371 (closes: #862929).
   * Backport security fix for CVE-2015-7554 (closes: #809066, #842043).

tiff (4.0.7-6) unstable; urgency=high

   * Backport security fixes:
     - CVE-2017-7595, divide-by-zero in JPEGSetupEncode (closes: #860003),
     - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599, CVE-2017-7600,
       CVE-2017-7601 and CVE-2017-7602, multiple UBSAN crashes,
     - CVE-2017-7592, left-shift undefined behavior issue in putagreytile
       (closes: #859998),
     - CVE-2017-7593, uninitialized-memory access from tif_rawdata
       (closes: #860000),
     - CVE-2017-7594, leak in OJPEGReadHeaderInfoSecTablesAcTable
       (closes: #860001).
   * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.

tiff (4.0.7-5) unstable; urgency=high

   * Fix CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value
     (closes: #851297).

tiff (4.0.7-4) unstable; urgency=high

   * Fix CVE-2016-10094: heap-based overflow in t2p_readwrite_pdf_image_tile().

2016

tiff (4.0.7-3) unstable; urgency=medium

   * Backport upstream fix of TIFFFaxTabEnt structure.

tiff (4.0.7-2) unstable; urgency=high

   * Backport security fixes:
     - fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer
       division by zero,
     - avoid uint32 underflow in cpDecodedStrips that can cause various
       issues, such as buffer overflows in the library,
     - fix heap-based buffer overflow on generation of PixarLog / LUV
       compressed files, with ColorMap, TransferFunction attached and nasty
       plays with bitspersample,
     - fix ChopUpSingleUncompressedStrip() in reading outside of the
       StripByCounts/StripOffsets arrays when using TIFFReadScanline()
       (closes: #846837),
     - make OJPEGDecode() early exit in case of failure in OJPEGPreDecode() to
       avoid a divide by zero, and potential other issues,
     - fix readContigStripsIntoBuffer() in -i (ignore) mode so that the
       output buffer is correctly incremented to avoid write outside bounds,
     - add 3 extra bytes at end of strip buffer in
       readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
       buffer,
     - fix integer division by zero when BitsPerSample is missing
       (closes: #846838),
     - fix null pointer dereference in -r mode when the image has no
       StripByteCount tag,
     - avoid potential division by zero if BitsPerSamples tag is missing,
     - limit the return number of inks to SamplesPerPixel in
       TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) , so that code that parses ink
       names doesn't go past the end of the buffer,
     - avoid another potential division by zero if BitsPerSamples tag is
       missing,
     - fix uint32 underflow/overflow that can cause heap-based buffer overflow,
     - replace assert( (bps % 8) == 0 ) by a non assert check.
   * Remove thumbnail and rgb2ycbcr documentations, these tools no longer
     present.

tiff (4.0.7-1) unstable; urgency=high

   * New upstream release.
   * Fixes the following vulnerabilities:
     - CVE-2015-7313, OOM when parsing crafted tiff files (closes: #800124),
     - CVE-2016-3622, denial of service (divide-by-zero error) via
       the fpAcc function in tif_predict.c (closes: #820365),
     - CVE-2016-3945, multiple integer overflows in the tiff2rgba tool,
     - CVE-2016-3990, write buffer overflow in PixarLogEncode,
     - CVE-2016-3991 and CVE-2016-5322, heap-based buffer overflow in the
       loadImage function,
     - CVE-2016-9273, heap-buffer-overflow in cpStrips (closes: #844013),
     - CVE-2016-9297, segfault in _TIFFPrintField() (closes: #844226),
     - CVE-2016-9448, in TIFFFetchNormalTag(), do not dereference NULL pointer
       (regression of CVE-2016-9297),
     - heap buffer overflow via writeBufferToSeparateStrips() in tiffcrop.
   * Remove backported vulnerability fixes, this release contains those.
   * Update libtiff5 symbols.

tiff (4.0.6-3) unstable; urgency=high

   * Fix architecture independent only build (closes: #806118).
   * Fix CVE-2015-8668 , CVE-2016-3619 , CVE-2016-3620 (closes: #820363),
     CVE-2016-3621 (closes: #820364) and CVE-2016-5319 with removing bmp2tiff
     (closes: #820364).
   * Fix CVE-2016-3186 and CVE-2016-5102 with removing gif2tiff.
   * Fix CVE-2016-3631 (closes: #820366), CVE-2016-3632 , CVE-2016-3633 ,
     CVE-2016-3634 and CVE-2016-8331 with removing thumbnail.
   * Backport upstream fix for CVE-2016-3623 and CVE-2016-3624 .
   * Backport upstream fix for CVE-2016-5652 (closes: #842361).
   * Backport upstream fix for CVE-2016-3658 .
   * Removed vulnerable, unsupported tools (closes: #827484, #842046).
   * Comment out Vcs fields for now.

tiff (4.0.6-2) unstable; urgency=high

   * Backport fix for the following vulnerabilities:
     - CVE-2016-5314, PixarLogDecode() heap-based buffer overflow
       (closes: #830700),
     - CVE-2016-5316, PixarLogCleanup() Segmentation fault,
     - CVE-2016-5320, rgb2ycbcr: command execution,
     - CVE-2016-5875, heap-based buffer overflow when using the PixarLog
       compression format,
     - CVE-2016-6223, information leak in libtiff/tif_read.c ,
     - CVE-2016-5321, DumpModeDecode(): Ddos,
     - CVE-2016-5323, tiffcrop _TIFFFax3fillruns(): NULL pointer dereference.
   * Be primary maintainer and keep Ondřej as uploader.
   * Update Standards-Version to 3.9.8 .

2015

tiff (4.0.6-1) unstable; urgency=high

   * New upstream release.
   * Backport upstream fixes for:
     - CVE-2015-8665 an out-of-bound read in TIFFRGBAImage interface,
     - CVE-2015-8683 an out-of-bounds read in CIE Lab image format.
   * Backport fix for potential out-of-bound writes in decode.
   * Backport fix for potential out-of-bound write in NeXTDecode().

tiff (4.0.5-1) unstable; urgency=medium

   * Update László Böszörményi to Laszlo Boszormenyi (GCS)
   * Add Vcs URLs to debian/control
   * Imported Upstream version 4.0.5
   * Remove all patches - they have been merged upstream
   * Convert the package to pure debhelper and remove some legacy stuff

tiff (4.0.3-13) unstable; urgency=medium

   * Thanks Jay for maintaining tiff for so long
   * Add me as a new maintainer, and add László Böszörményi to Uploaders
   * Cleanup debian a bit:
    - Run wrap-and-sortize -a)
    - Update d/copyright to Copyright Format 1.0
    - Remove files related to libtiff4->libtiff5 transition
   * Add C++ symbols file for libtiffxx5

tiff (4.0.3-12.3) unstable; urgency=medium

   * Add another (final) patch for CVE-2014-8128 (Bug #2499). Thanks to
     Petr Gajdos

tiff (4.0.3-12.2) unstable; urgency=medium

   * Add another patch for CVE-2014-8128 (Bug #2501)

tiff (4.0.3-12.1) unstable; urgency=medium

   * NMU as discussed with Ondrej, the future adopter of tiff
   * Fix multiple security issues, exact details will be recorded in the
     Debian security tracker

2014

tiff (4.0.3-12) unstable; urgency=high

   * Fix integer overflow in bmp2tiff. CVE-2014-9330. (Closes: #773987)

tiff (4.0.3-11) unstable; urgency=medium

   * Don't crash on JPEG => non-JPEG conversion (Closes: #741451)
   * Thanks Tomasz Buchert <tomasz.buchert@inria.fr> for preparing the fix!

tiff (4.0.3-10) unstable; urgency=medium

   * Remove libtiff4-dev, completing the tiff transition. Packages that
     still declare build dependencies on libtiff4-dev must now build depend
     on libtiff-dev instead, or if a versioned dependency is required,
     libtiff5-dev with a specific version.

tiff (4.0.3-9) unstable; urgency=medium

   * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
     #742917)

tiff (4.0.3-8) unstable; urgency=medium

   * Remove libtiff5-alt-dev transitional package now that no one is
     build-depending on it anymore.

2013

tiff (4.0.3-7) unstable; urgency=medium

   * Use dh-autoreconf to support new architectures in Ubuntu.

tiff (4.0.3-6) unstable; urgency=low

   * Update standards to 3.9.5.  No changes required.
   * libtiff4 -> libtiff5 transition.  libtiff5-dev now provides
     libtiff-dev.  libtiff5-alt-dev and libtiff4-dev are transitional
     packages that depend on libtiff5-dev.  They will both be removed
     before jessie.

tiff (4.0.3-5) unstable; urgency=low

   * Replace shlibs file with symbols file
   * Update standards to 3.9.4

tiff (4.0.3-4) unstable; urgency=low

   * Complete Multi-Arch conversion for dev packages.  (Closes: #689085)

tiff (4.0.3-3) unstable; urgency=high

   * Incorporated fixes to security issues CVE-2013-4244.

tiff (4.0.3-2) unstable; urgency=high

   * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
     (Closes: #719303)

tiff (4.0.3-1) unstable; urgency=low

   * Acknowledge/incorporate NMU.  Thanks!
   * New upstream version.  Patches incorporated:
      CVE-2012-3401.patch
      CVE-2012-4447.patch
   * Add build dependency on autotools-dev to help porters.

tiff (4.0.2-6+nmu1) unstable; urgency=high

   * Non-maintainer upload by the Security Team.
   * Fix cve-2013-1960: heap-based buffer overflow in tiff2pdf
     (closes: #706675).
   * Fix cve-2013-1961: stack-based buffer overflow in tiff2pdf
     (closes: #706674).

tiff (4.0.2-6) unstable; urgency=high

   * Fix /usr/share/doc symlink to directory transition.  When upgrading
     from very old versions (pre 3.8.2-8), /usr/share/doc may contain
     symbolic links that should be removed.  (Closes: #687645)

2012

tiff (4.0.2-5) unstable; urgency=high

   * Add fix for CVE-2012-4564, a heap-buffer overflow.  Thanks Adrian La
     Duca for doing all the work to prepare this upload.  (Closes: #692345)

tiff (4.0.2-4) unstable; urgency=high

   * Previous change was uploaded with the wrong CVE number.  I updated the
     last changelog entry.  The correct CVE number is CVE-2012-4447.

tiff (4.0.2-3) unstable; urgency=high

   * Add fix for CVE-2012-4447, a buffer overrun.  (Closes: #688944)

tiff (4.0.2-2) unstable; urgency=high

   * SECURITY UPDATE: possible arbitrary code execution via heap overflow
     in tiff2pdf.  (Closes: #682115)
     - debian/patches/CVE-2012-3401.patch: properly set t2p->t2p_error in
       tools/tiff2pdf.c.
     - CVE-2012-3401
     Changes prepared by Marc Deslauriers for Ubuntu.  Thanks!

tiff (4.0.2-1) unstable; urgency=low

   * New upstream release

tiff (4.0.1-8) unstable; urgency=low

   * Call glFlush() in tiffgt to fix display problems.  From
     https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/797166.

tiff (4.0.1-7) unstable; urgency=low

   * Add new temporary package libtiff5-alt-dev, which provides libtiff5
     development files in a location that doesn't conflict with
     libtiff4-dev.  See README.Debian for details.

tiff (4.0.1-6) unstable; urgency=low

   * Include pkg-config files

tiff (4.0.1-5) unstable; urgency=low

   * Fix shlibs again.

tiff (4.0.1-4) unstable; urgency=low

   * Use >= instead of > in shlibs file.

tiff (4.0.1-3) unstable; urgency=low

   * Support JBIG now that patents have expired. (Closes: #667835)
   * Support LZMA.

tiff (4.0.1-2) unstable; urgency=high

   * Incorporated fix to CVE-2012-1173, a problem in the parsing of the
     TileSize entry, which could result in the execution of arbitrary code
     if a malformed image is opened.
   * Updated standards to 3.9.3

tiff (4.0.1-1) unstable; urgency=low

   * New upstream release
   * Point watch file to new download location

tiff (4.0.0-2) experimental; urgency=low

   * Rename libtiff-dev -> libtiff5-dev to avoid premature transition for
     packages that explicitly depend on libtiff-dev.  At some future time,
     libtiff5-dev will provide or be renamed back to libtiff-dev.

tiff (4.0.0-1) experimental; urgency=low

   * New upstream release
   * Enable versioned symbols

2011

tiff (4.0.0~beta7-2) experimental; urgency=low

   * Incorporated changes from 3.9.5-2: security hardening and multiarch

tiff (4.0.0~beta7-1) experimental; urgency=low

   * New upstream release including many security fixes and other
     improvements
   * Updated changelog with changes from 3.x series.
   * Updated standards version to 3.9.2.  No changes required.

2010

tiff (4.0.0~beta6-3) experimental; urgency=low

   * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
     putcontig8bitYCbCr11tile", from 3.9.4-4.

tiff (4.0.0~beta6-2) experimental; urgency=low

   * Incorporate changes from 3.9.4-{2,3} including updating standards
     version to 3.9.1 along with associated fixes.  (CVE-2010-2233 was
     already fixed in this version.)

tiff (4.0.0~beta6-1) experimental; urgency=low

   * New upstream release

tiff (4.0.0~beta5-2) experimental; urgency=low

   * Depend on libjpeg-dev instead of libjpeg62-dev.
   * Change source format to '3.0 (quilt)'
   * Update standards version to 3.8.4.  No changes required.

2009

tiff (4.0.0~beta5-1) experimental; urgency=low

   * New upstream release

tiff (4.0.0~beta4-1) experimental; urgency=low

   * New upstream release.  All debian patches incorporated among many
     other fixes and enhancements.

tiff (4.0.0~beta3-2) experimental; urgency=low

   * Fixed previously incorrect patch to lzw problem.

tiff (4.0.0~beta3-1) experimental; urgency=low

   * New upstream release.  This version is not binary compatible with the
     3.x series, nor is it entirely source compatible, but most
     applications should port easily.

tiff (3.9.5-2) unstable; urgency=low

   * Implemented multiarch and PIE build for security hardening by
     integrating the changes from the Ubuntu tiff packages.  Thanks to Marc
     Deslauriers and anyone else who did the actual work.

tiff (3.9.5-1) unstable; urgency=low

   * New upstream release.  All security patches are fully incorporated
     into this version, as are many other bug fixes.
   * Updated standards version to 3.9.2.  No changes needed.

tiff (3.9.4-9) unstable; urgency=high

   * CVE-2011-1167: correct potential buffer overflow with thunder encoded
     files with wrong bitspersample set.  (Closes: #619614)

tiff (3.9.4-8) unstable; urgency=low

   * Enable PIE (position independent executable) build for security
     hardening.  Patch from Ubuntu.  (Closes: #613759)

tiff (3.9.4-7) unstable; urgency=high

   * Incorporate revised fix to CVE-2011-0192.

tiff (3.9.4-6) unstable; urgency=high

   * Incorporated fix to CVE-2011-0192, "Buffer overflow in Fax4Decode".

tiff (3.9.4-5) unstable; urgency=high

   * Incorporated fix to CVE-2010-3087, a potential denial of service
     exploitable with a specially crafted TIFF file.  (Closes: #600188)

tiff (3.9.4-4) unstable; urgency=high

   * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
     putcontig8bitYCbCr11tile".  (Closes: #595064)

tiff (3.9.4-3) unstable; urgency=low

   * Updated control file to remove obsolete Conflicts/Replaces for ancient
     packages.
   * Empty dependency_libs in all .la files as part of the .la file.  This
     also resolves the problem of having hard-coded paths in the .la file.
     (Closes: #509016)
   * Updated standards version to 3.9.1.

tiff (3.9.4-2) unstable; urgency=high

   * Incorporated patch to fix CVE-2010-2233, which fixes a specific
     failure of tif_getimage on 64-bit platforms.

tiff (3.9.4-1) unstable; urgency=low

   * New upstream release

tiff (3.9.2-3) unstable; urgency=low

   * Depend on libjpeg-dev instead of libjpeg62-dev.  (Closes: #569242)
   * Change source format to '3.0 (quilt)'
   * Update standards version to 3.8.4.  No changes required.

tiff (3.9.2-2) unstable; urgency=low

   * Include patch from upstream to fix problems with TIFFReadScanline()
     and ycbcr-encoded JPEG images.  (Closes: #510792)
   * Fix some manual page spelling errors found by lintian.

tiff (3.9.2-1) unstable; urgency=low

   * New upstream release

tiff (3.9.1-1) unstable; urgency=low

   * New upstream release

tiff (3.9.0-2) unstable; urgency=low

   * Fix critical bug that could cause corrupt files to be written in some
     cases.  (Closes: #543079)

tiff (3.9.0-1) unstable; urgency=low

   * New upstream release.  All previous security patches have been
     integrated.

tiff (3.9.0beta+deb1-1) experimental; urgency=low

   * New upstream release (binary compatible with 3.8.2) -- release based
     on 3.9 branch from upstream CVS; see README.Debian for details.
     (Closes: #537118)
   * Updated standards to 3.8.3; no changes required.
   * Stopped using tarball in tarball packaging.  (Closes: #538565)

tiff (3.8.2-13) unstable; urgency=high

   * Apply patches to fix CVE-2009-2347, which covers two integer overflow
     conditions.
   * LZW patch from last update addressed CVE-2009-2285.  Renamed the patch
     to make this clearer.

tiff (3.8.2-12) unstable; urgency=low

   * Apply patch to fix crash in lzw decoder that can be caused by certain
     invalid image files.  (Closes: #534137)
   * No longer ignore errors in preinst
   * Fixed new lintian warnings; updated standards version to 3.8.2.

2008

tiff (3.8.2-11) unstable; urgency=high

   * Apply security patches (CVE-2008-2327)
   * Convert patch system to quilt
   * Create README.source
   * Set standards version to 3.8.0

tiff (3.8.2-10+lenny1) testing-security; urgency=high

   * Apply patches from Drew Yao of Apple Product Security to fix
     CVE-2008-2327, a potential buffer underflow in the LZW decoder
     (tif_lzw.c).

tiff (3.8.2-10) unstable; urgency=low

   * Fix segmentation fault on subsequent parts of a file with an invalid
     directory tag.  (Closes: #475489)

tiff (3.8.2-9) unstable; urgency=low

   * Backported tiff2pdf from 4.0.0 beta 2.  This fixes many tiff2pdf bugs,
     though unfortunately none of the ones opened in the debian bug
     database!
   * Added upstream homepage to debian control file.

tiff (3.8.2-8) unstable; urgency=low

   * Accepted tmpfile patch tiff2pdf to fix bug that has been fixed
     upstream since upstream release appears stalled.  Thanks Jesse Long.
     (Closes: #419773)
   * Update standards version to 3.7.3; no changes required.
   * ${Source-Version} -> ${binary:Version} in control
   * Split documentation into separate libtiff-doc package.  (Closes:
     #472189)

tiff (3.8.2-7+etch1) stable-security; urgency=high

   * Apply patches from Drew Yao of Apple Product Security to fix
     CVE-2008-2327, a potential buffer underflow in the LZW decoder
     (tif_lzw.c).

2007

tiff (3.8.2-7) unstable; urgency=high

   * Replace empty directories in /usr/share/doc with links during package
     upgrade.  (Closes: #404631)

2006

tiff (3.8.2-6) unstable; urgency=high

   * Add watch file
   * Tavis Ormandy of the Google Security Team discovered several problems
     in the TIFF library.  The Common Vulnerabilities and Exposures project
     identifies the following issues:
      - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
        tif_dirread.c
      - CVE-2006-3460: A heap overflow vulnerability was discovered in the
        jpeg decoder
      - CVE-2006-3461: A heap overflow exists in the PixarLog decoder
      - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
        overflow
      - CVE-2006-3463: An infinite loop was discovered in
        EstimateStripByteCounts()
      - CVE-2006-3464: Multiple unchecked arithmetic operations were
        uncovered, including a number of the range checking operations
        designed to ensure the offsets specified in tiff directories are
        legitimate.
      - A number of codepaths were uncovered where assertions did not hold
        true, resulting in the client application calling abort()
      - CVE-2006-3465: A flaw was also uncovered in libtiff's custom tag
        support

tiff (3.8.2-5) unstable; urgency=low

   * Fix logic error that caused -q flag to be ignored when doing jpeg
     compression with tiff2pdf.  (Closes: #373102)

tiff (3.8.2-4) unstable; urgency=high

   * SECURITY UPDATE: Arbitrary command execution with crafted TIF files.
     Thanks to Martin Pitt.  (Closes: #371064)
   * Add debian/patches/tiff2pdf-octal-printf.patch:
     - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
       signed char (it printed a signed integer, which overflew the buffer and
       was wrong anyway).
     - CVE-2006-2193

tiff (3.8.2-3) unstable; urgency=high

   * SECURITY UPDATE: Arbitrary command execution with crafted long file
     names.  Thanks to Martin Pitt for forwarding this.
     Add debian/patches/tiffsplit-fname-overflow.patch:
     - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
       user-specified file name into a statically sized buffer.
     CVE-2006-2656.  (Closes: #369819)
   * Update standards version to 3.7.2.  No changes required.
   * Moved doc-base information to libtiff4 instead of libtiff4-dev.

tiff (3.8.2-2) unstable; urgency=low

   * Fix build dependencies to get OpenGL utility libraries after new Xorg
     packaging.  (Closes: #365722)
   * Updated standards version to 3.7.0; no changes required to package.

tiff (3.8.2-1) unstable; urgency=low

   * New upstream release

tiff (3.8.0-3) unstable; urgency=low

   * Switched build dependency from xlibmesa-gl-dev to libgl1-mesa-dev
     (incorporating Ubuntu patch)
   * Incorporated patch from upstream to fix handling of RGBA tiffs in
     tiff2pdf.  (Closes: #352849)

tiff (3.8.0-2) unstable; urgency=low

   * Applied fixes from upstream to address a memory access violation
     [CVE-2006-0405].  (Closes: #350715, #351223)

tiff (3.8.0-1) unstable; urgency=low

   * New upstream release.  (Closes: #349921)
   * NOTE: The debian version of 3.8.0 includes a patch to correct a binary
     incompatibility in the original 3.8.0 release.  This libtiff package
     is binary compatible with 3.7.4 and will be binary compatible with the
     upcoming 3.8.1 release.

2005

tiff (3.7.4-1) unstable; urgency=low

   * New upstream release
   * Fix typos in manual page (Closes: #327921, #327922, #327923, #327924)

tiff (3.7.3-1) unstable; urgency=low

   * New upstream release
   * g++ 4.0 transition: libtiffxx0 is now libtiffxx0c2.

tiff (3.7.2-3) unstable; urgency=high

   * Fix for exploitable segmentation fault on files with bad BitsPerSample
     values.  (Closes: #309739)
     [libtiff/tif_dirread.c, CAN-2005-1544]
     Thanks to Martin Pitt for the report.

tiff (3.7.2-2) unstable; urgency=high

   * Fix zero pagesize bug with tiff2ps -a2 and tiff2ps -a3.  Thanks to
     Patrice Fournier for the patch.  (Closes: #303583)
   * Note: uploading with urgency=high since this very small fix impacts
     tools only (not the library), and we don't want to block tiff's many
     reverse dependencies from transitioning to sarge.

tiff (3.7.2-1) unstable; urgency=low

   * New upstream release

tiff (3.7.1-4) unstable; urgency=low

   * Fix from upstream: include a better workaround for tiff files with
     invalid strip byte counts.  (Closes: #183268)

tiff (3.7.1-3) unstable; urgency=low

   * Disable C++ new experimental interfaces for now; will reappear in a
     future version in the separate libtiffxx0 package.

tiff (3.7.1+pre3.7.2-1) experimental; urgency=low

   * New upstream release
   * Separate experimental C++ interface into separate libtiffxx library.

tiff (3.7.1-2) unstable; urgency=low

   * Make -dev package depend upon other -dev packages referenced in the
     .la file created by libtool.  (Closes: #291136)
   * tiff2ps: Allow one of -w and -h without the other.  (Closes: #244247)

tiff (3.7.1-1) unstable; urgency=low

   * New upstream release
   * Correct error in doc-base file (Closes: #285652)

2004

tiff (3.7.0-2) experimental; urgency=low

   * Replace hard-coded libc6-dev dependency with something friendlier to
     porters (libc6-dev | libc-dev).  (Closes: #179727)
   * Fixed upstream: proper netbsdelf*-gnu support in configure.  Actually
     fixed in 3.7.0-1 but left out of changelog.  (Closes: #179728)
   * Include opengl support; adds new libtiff-opengl package. (Closes: #219456)
   * Fixed upstream: fax2ps now allows access to first page. (Closes: #244251)

tiff (3.7.0-1) experimental; urgency=low

   * New upstream release (Closes: #276996)
   * New maintainer (Thanks Joy!)
   * Repackage using cdbs and simple-patchsys to fix some errors and
     simplify patch management
   * Fixed upstream: tiff2pdf ignores -z and -j (Closes: #280682)
   * Fixed upstream: Memory leak in TIFFClientOpen (Closes: #256657)

tiff (3.6.1-5) unstable; urgency=high

   * New maintainer (thanks Joy!)
   * Applied patch by Dmitry V. Levin to fix a segmentation fault
     [tools/tiffdump.c, CAN-2004-1183]
     Thanks to Martin Schulze for forwarding the patch.
   * Fixed section of -dev package (devel -> libdevel)

tiff (3.6.1-4) unstable; urgency=high

   * Fix heap overflow security bug [CAN-2004-1308].  (Closes: #286815)

tiff (3.6.1-3) unstable; urgency=medium

   * Patches from upstream to fix zero-size tile and integer overflow
     problems created by previous security patches, closes: #276783.
   * Added Jay Berkenbilt as co-maintainer. Jay thanks Joy for letting him
     help and eventually take over maintenance of these packages!

tiff (3.6.1-2) unstable; urgency=low

   * Included security fixes for:
     + CAN-2004-0803
       - libtiff/tif_luv.c
       - libtiff/tif_next.c
       - libtiff/tif_thunder.c
     + CAN-2004-0804 (but this one is already applied upstream, it seems)
       - libtiff/tif_dirread.c
     + CAN-2004-0886
       - libtiff/tif_aux.c
       - libtiff/tif_compress.c
       - libtiff/tif_dir.c
       - libtiff/tif_dirinfo.c
       - libtiff/tif_dirread.c
       - libtiff/tif_dirwrite.c
       - libtiff/tif_extension.c
       - libtiff/tif_fax3.c
       - libtiff/tiffiop.h
       - libtiff/tif_getimage.c
       - libtiff/tif_luv.c
       - libtiff/tif_pixarlog.c
       - libtiff/tif_strip.c
       - libtiff/tif_tile.c
       - libtiff/tif_write.c
     Thanks to Martin Schulze for forwarding the patches.

tiff (3.6.1-1.1) unstable; urgency=medium

   * Non-maintainer upload; thanks to Jay Berkenbilt <ejb@ql.org> for
     preparing the patches
   * Rename shared library and development packages to resolve accidental
     upstream ABI change.  Closes: #236247
   * Include patch from upstream to fix multistrip g3 fax bug.
     Closes: #243405
   * Include LZW support.  Closes: #260242, #248490
   * Fix URL in copyright file.  Closes: #261357
   * Install missing documentation files.  Closes: #261356

tiff (3.6.1-1) unstable; urgency=low

   * New upstream version, closes: #231977.
   * Slightly fixed up the static lib build rules so that the build process
     does the normal stuff for the dynamic lib and then does the static with
     the same tiffvers.h.

2002

tiff (3.5.7-2) unstable; urgency=high

   * Added back the patch that used -src static/libtiff.a in the install
     rule. Wonder how that disappeared... closes: #170914.
   * Fake it's a GNU system in order for the configure script to use our
     toolchain stuff on the NetBSD port, thanks to Joel Baker, closes: #130636.

tiff (3.5.7-1) unstable; urgency=low

   * New upstream version, closes: #144940.
   * A whole new set of patches for the breakage in the build system :)

2001

tiff (3.5.5-6) unstable; urgency=low

   * It appears that the general 64-bit detection code, isn't.
     We have to include all of those three conditions, feh.
     This really closes: #106706.

tiff (3.5.5-5) unstable; urgency=low

   * Changed two Alpha/Mips-isms into general 64-bit detection code,
     patch from John Daily <jdaily@progeny.com>, closes: #106706.
   * Patched man/Makefile.in to generate a manual page file for
     TIFFClientOpen(3t), as a .so link to TIFFOpen(3t), closes: #99577.
   * Used /usr/share/doc in the doc-base file, closes: #74122.
   * Changed libtiff3g-dev's section back to devel, since graphics was,
     according to elmo, "hysterical raisins". :))

tiff (3.5.5-4) unstable; urgency=low

   * Updated config.* files, closes: #94696.
   * Fixed libtiff3g-dev's section, closes: #85533.

2000

tiff (3.5.5-3) unstable; urgency=low

   * Build shared library on Hurd, too, closes: #72482.
   * Upped Standards-Version to 3.5.0.

tiff (3.5.5-2) unstable; urgency=low

   * Make `dynamic shared object' on Linux unconditionally, fixes the problem
     with libc.so.6.1 on alpha, thanks Chris C. Chimelis.

tiff (3.5.5-1) unstable; urgency=low

   * New upstream version.
   * The upstream build system sucks. There, I said it. Back to work now. :)
   * Added build dependencies on make (>= 3.77) (closes: #67747) and
     debhelper.
   * Standards-Version: 3.2.1:
     + added DEB_BUILD_OPTIONS checks in debian/rules

tiff (3.5.4-5) frozen unstable; urgency=low

   * Fixed 16-bit/32-bit values bug in fax2ps from libtiff-tools, that
     also breaks printing from hylafax, using provided oneliner patch
     from Bernd Herd (accepted upstream), closes: #49232 and probably #62235.

tiff (3.5.4-4) frozen unstable; urgency=low

   * Weird dpkg-shlibdeps from dpkg 1.6.8-pre has done it again, this time
     with libz.so, making the packages depend on zlib1 (instead of zlib1g).
     Closes: #56134, #56137, #56140, #56155.

tiff (3.5.4-3) frozen unstable; urgency=low

   * Included libtiff.so file in libtiff3g-dev, dammit :( My eye hurts,
     a lot, but this was easy to fix, thank goodness :) (closes: #55814).
     This bugfix deserves to get into frozen because the bug cripples
     libtiff3g-dev, a lot.

1999

tiff (3.5.4-2) unstable; urgency=low

   * Fixed upstream build system to use ${DESTDIR}, and with that working,
     created install: rule in debian/rules and used it.
   * Fixed the way rules file gets the version from upstream sources,
     and fixed dist/tiff.alpha, it didn't work.
   * Removed README file from libtiff3g binary package, useless.
   * Fixed configure script not to emit the wrong warning about
     zlib/jpeg dirs not specified (they're in /usr/include, stupid :).

tiff (3.5.4-1) unstable; urgency=low

   * New upstream version, closes: #50338.
   * Disabled libc5 build, it wouldn't compile. :(

tiff (3.5.2-4) unstable; urgency=low

   * Castrated the rules file, to make it actually work on !(i386 m68k).
     Closes: #49316.

tiff (3.5.2-3) unstable; urgency=low

   * Removed sparc from the libtiff3 arches list, as BenC advised.

tiff (3.5.2-2) unstable; urgency=low

   * Changed Architecture: line for libtiff3 from "any" to "i386 m68k sparc"
     as it is actually only built on those. Changed description a little bit.
   * Minor fixes to the rules file.

tiff (3.5.2-1) unstable; urgency=low

   * New upstream version.
   * Renamed source package to just "tiff", like upstream tarball name.
   * New maintainer (thanks Guy!). Renewed packaging, with debhelper,
     using Joey's nifty multi2 example, with several adjustments.
   * Ditched libtiff3-altdev, nobody's using that and nobody should be
     using that. Packaging for it still exists, it's just commented out.
   * Uses doc-base for -dev docs now. Uncompressed HTML docs, 100kb space
     saved is pointless when you can't use any links between documents.

libtiff3 (3.4beta037-8) unstable; urgency=low

   * Argh, same bug in the prerm, closes: #36990, #36850, #36855,
     #36866, #36988.

libtiff3 (3.4beta037-7) unstable; urgency=low

   * Don't error when dhelp is not installed, closes: #36879, #36922.

libtiff3 (3.4beta037-6) unstable; urgency=low

   * Only build libc5 packages on appropriate archs, closes: #27083, #32007.
   * Apply NMU patch, closes: #26413, #26887.
   * Add dhelp support, closes: #35154.
   * Recompile removes invalid dependency, closes: #30961.

1998

libtiff3 (3.4beta037-5.1) frozen unstable; urgency=low

   * NMU to not use install -s to strip static .a libraries. Fixes: #26413
   * Build with recent libjpeg. Fixes: #26887
   * Add Section: and Priority: headers to debian/control.

libtiff3 (3.4beta037-5) unstable; urgency=low

   * Explicit link with -lm (and don't need -lc now), fixes: #19167, #22180.

libtiff3 (3.4beta037-4) unstable; urgency=low

   * libtiff3-tools conflicts & replaces with libtiff3-gif (13521,15107).

1997

libtiff3 (3.4beta037-3) unstable; urgency=low

   * New libjpegg contains shlibs file, so don't need shlibs.local.
   * Compile with -D_REENTRANT.
   * Add shlibs for libtiff3g (13423).

libtiff3 (3.4beta037-2) unstable; urgency=low

   * Add libjpegg6a to shlibs.local to correct for broken dependency.

libtiff3 (3.4beta037-1) unstable; urgency=low

   * New upstream version, libc6 compile, policy 2.3.0.0 (5136, 7470, 7627, 8166,
     8312, 9479, 9492, 9531, 11700, 11702).
   * Fix check for shared lib support (10805).