Merge tiff 4.4.0-5 (main) from Debian unstable (main)

Bug #1997278 reported by Amin Bandali
Affects: tiff (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Please merge tiff 4.4.0-5 (main) from Debian unstable (main)

Changelog entries since current kinetic version 4.4.0-4ubuntu3:

tiff (4.4.0-5) unstable; urgency=high

  * Backport security fix for CVE-2022-3597, CVE-2022-3626 and CVE-2022-3627,
    out of bounds write and denial of service via a crafted TIFF file.
  * Backport security fix for CVE-2022-3570, multiple heap buffer overflows
    via crafted TIFF file.
  * Backport security fix for CVE-2022-3599, denial-of-service via a crafted
    TIFF file.
  * Backport security fix for CVE-2022-3598, denial-of-service via a crafted
    TIFF file (closes: #1022555).

 -- Laszlo Boszormenyi (GCS) <email address hidden> Sun, 23 Oct 2022 22:38:15 +0200

Tags: patch

Amin Bandali (bandali) wrote :

Attaching debdiff with kinetic per wiki's Merging guide.

Changed in tiff (Ubuntu):
assignee: Amin Bandali (bandali) → nobody
Amin Bandali (bandali) wrote :

Attaching debdiff with debian unstable per wiki's Merging guide.

Amin Bandali (bandali) wrote :

Please disregard the above two patches; this needs some more work.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "tiff_4.4.0-5ubuntu1-kinetic-to-lunar.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Amin Bandali (bandali)
Changed in tiff (Ubuntu):
assignee: nobody → Amin Bandali (bandali)
Amin Bandali (bandali) wrote :

Ok please disregard the two earlier debdiffs, and use the following instead.

Amin Bandali (bandali) wrote :

And here's a debdiff to 4.4.0-5 from debian unstable, for reference.

Changed in tiff (Ubuntu):
assignee: Amin Bandali (bandali) → nobody
Amin Bandali (bandali) wrote :

Remaining differences with tiff from Debian unstable:

  * Merge from Debian unstable (LP #1997278). Also we take Debian's security
    fixes for the recent CVEs, except for CVE-2022-2519_2520_2521_2953.patch
    which is not included in Debian, at least as of now.

  * Don't build with LERC on i386 because it requires numpy (Closes: #1017958)

In summary, we are adapting Debian's security fixes and adding in our CVE-2022-2519_2520_2521_2953.patch as well, since they don't have it in Debian yet (I'll see about opening a bug report with them on whether they want to add this patch as well), and we also don't build with LERC on i386 (Debian folks weren't interested in taking this).
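The comment above describes the expected result of the merge: Debian's four CVE backports kept, plus the Ubuntu-only CVE-2022-2519_2520_2521_2953.patch on top. As an added example (not part of this bug report or of the tiff package), the script below is a check a merger can run against the two debian/patches/series files to confirm that no Debian CVE patch was silently dropped and to list what Ubuntu carries on top. The series contents it writes are constructed sample input, and the individual patch file names other than the one quoted in the bug are assumptions; a real run would point DEBIAN_SERIES and UBUNTU_SERIES at the unpacked source trees.

```shell
#!/bin/sh
# Added example (not from the bug report or the tiff package): confirm that every
# CVE patch applied by Debian's debian/patches/series is still applied after the
# Ubuntu merge, and list the patches Ubuntu carries on top.
# The series files below are constructed sample input; on a real merge point the
# two variables at the unpacked trees, e.g. DEBIAN_SERIES=tiff-4.4.0/debian/patches/series

WORK="$(mktemp -d)"
DEBIAN_SERIES="$WORK/debian.series"
UBUNTU_SERIES="$WORK/ubuntu.series"
BROKEN_SERIES="$WORK/broken.series"   # constructed: a merge that lost a patch

# Constructed stand-in for Debian's 4.4.0-5 series (patch file names assumed).
cat > "$DEBIAN_SERIES" <<'EOF'
# security backports (constructed sample)
CVE-2022-3597_3626_3627.patch
CVE-2022-3570.patch
CVE-2022-3599.patch
CVE-2022-3598.patch
EOF

# Constructed stand-in for the merged Ubuntu series: Debian's patches plus the
# Ubuntu-only one; one entry carries a quilt option to show that it is stripped.
cat > "$UBUNTU_SERIES" <<'EOF'
CVE-2022-2519_2520_2521_2953.patch
CVE-2022-3597_3626_3627.patch
CVE-2022-3570.patch -p1
CVE-2022-3599.patch
CVE-2022-3598.patch
EOF

# Constructed bad merge: CVE-2022-3598.patch was dropped along the way.
grep -v 'CVE-2022-3598' "$UBUNTU_SERIES" > "$BROKEN_SERIES"

# Print the CVE patch names applied by a series file, one per line, sorted:
# strip '#' comments and any quilt options after the name, keep CVE-* entries only.
cve_patches() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*//' "$1" \
        | grep '^CVE-' | sort -u
}

# Print CVE patches applied in the first series file but absent from the second.
missing_from() {
    mf_a="$(mktemp)"; mf_b="$(mktemp)"
    cve_patches "$1" > "$mf_a"
    cve_patches "$2" > "$mf_b"
    comm -23 "$mf_a" "$mf_b"
    rm -f "$mf_a" "$mf_b"
}

# Report for one merge (Debian series, then Ubuntu series); returns 1 if any
# Debian CVE patch is no longer applied.
check_merge() {
    dropped="$(missing_from "$1" "$2")"
    extra="$(missing_from "$2" "$1")"
    printf 'CVE patches Ubuntu carries on top of Debian: %s\n' "${extra:-(none)}"
    if [ -n "$dropped" ]; then
        printf 'DROPPED Debian CVE patches:\n%s\n' "$dropped"
        return 1
    fi
    printf 'all Debian CVE patches present\n'
    return 0
}

check_merge "$DEBIAN_SERIES" "$UBUNTU_SERIES"
check_merge "$DEBIAN_SERIES" "$BROKEN_SERIES" || echo "merge needs rework"
```

The comparison is deliberately limited to series membership: it catches a patch that fell out of the series during a conflicted merge, which is the common way a backport goes missing, but it does not verify that a patch with the same name has the same content, so a `debdiff` between the two source packages is still the authoritative review.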

Jeremy Bícha (jbicha) wrote :

I adjusted your changelog entry to include the remaining differences in the changelog message. I think that makes things more clear to the next person who will work on merging new versions.

I did a second upload because we accidentally missed the symbols file update when we manually merged later.

I am unsubscribing ubuntu-sponsors now because I have uploaded this to Ubuntu. Feel free to resubscribe if you have something else that needs to be sponsored.

I saw that you opened a Debian bug for the security patch. Could you forward the patch there too?

Changed in tiff (Ubuntu):
status: In Progress → Fix Committed
Jeremy Bícha (jbicha)
Changed in tiff (Ubuntu):
status: Fix Committed → Fix Released