Bug#863459: unblock (pre-approval): tiff/4.0.8

2017-05-27 Thread GCS
Control: tags -1 -moreinfo

Hi Ivo,

On Sat, May 27, 2017 at 11:27 AM, Ivo De Decker wrote:
> On Sat, May 27, 2017 at 09:48:21AM +0200, László Böszörményi (GCS) wrote:
>> Current version of tiff in the archive is 4.0.7 and the package
>> already has 28 security patches that got attention (CVE id). Upstream
>> released 4.0.8 which contains only security related changes[1]
>> including memory leaks, division by zero, undefined behaviour, integer
>> overflows and excessive memory allocation fixes.
>> There are no major or software configuration changes[2].
>
> Please go ahead and remove the moreinfo tag from this bug once the upload is
> in unstable and the builds are done on all the relevant architectures.
It is built, uploaded and installed on _all_ architectures; Ubuntu
adopted it as-is as well.

Thanks,
Laszlo/GCS



Bug#863459: unblock (pre-approval): tiff/4.0.8

2017-05-27 Thread Ivo De Decker
Control: tags -1 confirmed moreinfo

Hi,

On Sat, May 27, 2017 at 09:48:21AM +0200, László Böszörményi (GCS) wrote:
> Current version of tiff in the archive is 4.0.7 and the package
> already has 28 security patches that got attention (CVE id). Upstream
> released 4.0.8 which contains only security related changes[1]
> including memory leaks, division by zero, undefined behaviour, integer
> overflows and excessive memory allocation fixes.
> There are no major or software configuration changes[2].

Please go ahead and remove the moreinfo tag from this bug once the upload is
in unstable and the builds are done on all the relevant architectures.

Cheers,

Ivo



Bug#863459: unblock (pre-approval): tiff/4.0.8

2017-05-27 Thread GCS
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: unblock

Hi Release Team,

Current version of tiff in the archive is 4.0.7 and the package
already has 28 security patches that got attention (CVE id). Upstream
released 4.0.8 which contains only security related changes[1]
including memory leaks, division by zero, undefined behaviour, integer
overflows and excessive memory allocation fixes.
There are no major or software configuration changes[2].

Diffstat between the versions:
 ChangeLog                 |  464 +-
 RELEASE-DATE              |    2
 VERSION                   |    2
 configure                 |   24 +-
 configure.ac              |    6
 html/Makefile.am          |    3
 html/Makefile.in          |    3
 html/index.html           |    4
 html/man/CMakeLists.txt   |    2
 html/man/Makefile.am      |    2
 html/man/Makefile.in      |    2
 html/man/rgb2ycbcr.1.html |  155 ---
 html/man/thumbnail.1.html |  148 --
 html/v4.0.7.html          |    2
 html/v4.0.8.html          |  445
 libtiff/tif_color.c       |   40 ++-
 libtiff/tif_dir.c         |   48
 libtiff/tif_dirread.c     |   62 --
 libtiff/tif_dirwrite.c    |  101 --
 libtiff/tif_fax3.c        |   71 +--
 libtiff/tif_fax3.h        |    6
 libtiff/tif_getimage.c    |   95 ++---
 libtiff/tif_jpeg.c        |   29 ++
 libtiff/tif_luv.c         |   47 ++--
 libtiff/tif_lzw.c         |   33 ++-
 libtiff/tif_ojpeg.c       |   25 ++
 libtiff/tif_open.c        |    6
 libtiff/tif_packbits.c    |   12 -
 libtiff/tif_pixarlog.c    |   60 -
 libtiff/tif_predict.c     |   18 +
 libtiff/tif_print.c       |   10
 libtiff/tif_read.c        |  344 +-
 libtiff/tif_strip.c       |   11 -
 libtiff/tif_unix.c        |   10
 libtiff/tif_win32.c       |   10
 libtiff/tif_write.c       |   32 +--
 libtiff/tif_zip.c         |    8
 libtiff/tiffio.h          |    5
 libtiff/tiffiop.h         |    6
 libtiff/tiffvers.h        |    4
 man/CMakeLists.txt        |    2
 man/Makefile.am           |    2
 man/Makefile.in           |    2
 man/rgb2ycbcr.1           |   99 -
 man/thumbnail.1           |   90
 tools/fax2tiff.c          |    9
 tools/raw2tiff.c          |   10
 tools/tiff2bw.c           |    9
 tools/tiff2pdf.c          |   31 +--
 tools/tiff2ps.c           |   15 +
 tools/tiffcp.c            |   65 +-
 tools/tiffcrop.c          |   23 +-
 tools/tiffinfo.c          |    4
 53 files changed, 1920 insertions(+), 798 deletions(-)

Tests done.
1) Using it on my Stretch/amd64 machine without problems, including
gimp and firefox.
2) Built successfully on amd64 / arm64 / armel / i386 / mipsel.
3) Built some reverse dependencies with it: graphicsmagick and gimp.

Proposed package is available[3]. Would be nice to upload it to Sid
and target Stretch instead of backporting even more fixes as those get
public exploits and/or CVE ids. Of course, I'm open for even more
testing if that's required.

Thanks for considering,
Laszlo/GCS
[1] http://libtiff.maptools.org/v4.0.8.html#libtiff
[2] http://libtiff.maptools.org/v4.0.8.html#highlights
[3] dget -x http://www.barcikacomp.hu/gcs/tiff_4.0.8-1.dsc