Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: unblock

Hi Release Team,

Current version of tiff in the archive is 4.0.7 and the package already has 28 security patches that got attention (CVE id). Upstream released 4.0.8 which contains only security related changes[1] including memory leaks, division by zero, undefined behaviour, integer overflows and excessive memory allocation fixes. There are no major or software configuration changes[2].

Diffstat between the versions:
 ChangeLog                 | 464 +++++++++++++++++++++++++++++++++++++++++++++-
 RELEASE-DATE              |   2
 VERSION                   |   2
 configure                 |  24 +-
 configure.ac              |   6
 html/Makefile.am          |   3
 html/Makefile.in          |   3
 html/index.html           |   4
 html/man/CMakeLists.txt   |   2
 html/man/Makefile.am      |   2
 html/man/Makefile.in      |   2
 html/man/rgb2ycbcr.1.html | 155 ---------------
 html/man/thumbnail.1.html | 148 --------------
 html/v4.0.7.html          |   2
 html/v4.0.8.html          | 445 ++++++++++++++++++++++++++++++++++++++++++++
 libtiff/tif_color.c       |  40 ++-
 libtiff/tif_dir.c         |  48 ++++
 libtiff/tif_dirread.c     |  62 ++++--
 libtiff/tif_dirwrite.c    | 101 ++++++++--
 libtiff/tif_fax3.c        |  71 +++++--
 libtiff/tif_fax3.h        |   6
 libtiff/tif_getimage.c    |  95 ++++++---
 libtiff/tif_jpeg.c        |  29 ++
 libtiff/tif_luv.c         |  47 ++--
 libtiff/tif_lzw.c         |  33 ++-
 libtiff/tif_ojpeg.c       |  25 ++
 libtiff/tif_open.c        |   6
 libtiff/tif_packbits.c    |  12 -
 libtiff/tif_pixarlog.c    |  60 ++++-
 libtiff/tif_predict.c     |  18 +
 libtiff/tif_print.c       |  10
 libtiff/tif_read.c        | 344 +++++++++++++++++++++++++++++-----
 libtiff/tif_strip.c       |  11 -
 libtiff/tif_unix.c        |  10
 libtiff/tif_win32.c       |  10
 libtiff/tif_write.c       |  32 +--
 libtiff/tif_zip.c         |   8
 libtiff/tiffio.h          |   5
 libtiff/tiffiop.h         |   6
 libtiff/tiffvers.h        |   4
 man/CMakeLists.txt        |   2
 man/Makefile.am           |   2
 man/Makefile.in           |   2
 man/rgb2ycbcr.1           |  99 ---------
 man/thumbnail.1           |  90 --------
 tools/fax2tiff.c          |   9
 tools/raw2tiff.c          |  10
 tools/tiff2bw.c           |   9
 tools/tiff2pdf.c          |  31 +--
 tools/tiff2ps.c           |  15 +
 tools/tiffcp.c            |  65 +++++-
 tools/tiffcrop.c          |  23 +-
 tools/tiffinfo.c          |   4
 53 files changed, 1920 insertions(+), 798 deletions(-)

Tests done.
1) Using it on my Stretch/amd64 machine without problems, including gimp and firefox.
2) Built successfully on amd64 / arm64 / armel / i386 / mipsel.
3) Built some reverse dependencies with it: graphicsmagick and gimp.

Proposed package is available[3]. Would be nice to upload it to Sid and target Stretch instead of backporting even more fixes as those get public exploits and/or CVE ids. Of course, I'm open for even more testing if that's required.

Thanks for considering,
Laszlo/GCS

[1] http://libtiff.maptools.org/v4.0.8.html#libtiff
[2] http://libtiff.maptools.org/v4.0.8.html#highlights
[3] dget -x http://www.barcikacomp.hu/gcs/tiff_4.0.8-1.dsc