Please update to 3.9.7 in R

Bug #1065637 reported by Matt Fischer
Affects: tiff3 (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Matt Fischer
Milestone: ubuntu-13.04

Bug Description

Please update to 3.9.7 for R. Note that the 3.x tree is stable; there's also a 4.x branch, which is unstable. It's also possible that 3.9.7 is superseded before R opens; if that happens, I'll redo this.

Lots of fixes in 3.9.7, and it removes the need for several patches:

2012-09-22 Bob Friesenhahn <email address hidden>

    * libtiff 3.9.7 released.

    * automake: Update to use GNU automake 1.12.4

2012-07-19 Tom Lane <email address hidden>

    * tools/tiff2pdf.c: Fix two places where t2p_error didn't get set
    after a malloc failure. No crash risk AFAICS, but the program
    might not report exit code 1 as desired. h/t <email address hidden>

2012-07-18 Tom Lane <email address hidden>

    * tools/tiff2pdf.c: Fail when TIFFSetDirectory() fails. This
    prevents core dumps or perhaps even arbitrary code execution when
    processing a corrupt input file (CVE-2012-3401).

2012-06-15 Tom Lane <email address hidden>

    * libtiff/tif_strip.c, libtiff/tif_tile.c: Back-patch the 4.0
    behavior of treating signed overflow as an error in TIFFVStripSize
    and TIFFVTileSize. This is needed since the result is declared as
    tsize_t which is signed, and callers are likely to do the wrong
    thing entirely when the returned value is negative (CVE-2012-2088).

    * tools/tiff2pdf.c: Defend against integer overflows while
    calculating required buffer sizes (CVE-2012-2113).

2012-06-04 Frank Warmerdam <email address hidden>

    * libtiff/tif_dirread.c: Avoid trusting samplesperpixel's default
    of 1 for purposes of trimming tags. This is to get some super
    crappy OJPEG files to work again. Grr.
    http://bugzilla.maptools.org/show_bug.cgi?id=2348

2012-06-01 Frank Warmerdam <email address hidden>

    * libtiff/tif_dir.c: Avoid generic handling of TIFFTAG_WHITELEVEL.
    http://bugzilla.maptools.org/show_bug.cgi?id=2321

2012-05-19 Bob Friesenhahn <email address hidden>

    * man/TIFFGetField.3tiff: Correct the 'count' field type in the
    example for how to retrieve the value of unsupported tags.

2012-03-30 Frank Warmerdam <email address hidden>

    * tif_getimage.c: Fix size overflow (zdi-can-1221,CVE-2012-1173)
    care of Tom Lane @ Red Hat.
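The CVE-2012-2088 entry above names the bug class (a signed tsize_t size computation that wraps negative, after which "callers are likely to do the wrong thing entirely") but does not show it. The following program is an added example written for this page, not libtiff code: it models the non-YCbCr strip-size multiply of TIFFVStripSize once in the wrapping form and once in the 3.9.7 form that treats overflow as an error, and shows why a caller that feeds the result straight to malloc() needs the check. The function names, the int32_t typedef and the 65536 x 32768 input are assumptions for the demonstration; the real function also handles YCbCr subsampling and reports the error through TIFFError.

```c
#include <stdint.h>
#include <stdio.h>

/* libtiff 3.x declares tsize_t as a signed 32-bit type; int32_t is used
   here (an assumption for the example) so the overflow is easy to hit. */
typedef int32_t tsize_t;

/* Multiply two non-negative sizes without wrapping. Returns 0 and stores
   the product in *out, or -1 if either input is negative or the product
   would not fit in tsize_t. The division test avoids performing a signed
   overflow, which is undefined behaviour in C. */
static int mul_checked(tsize_t a, tsize_t b, tsize_t *out)
{
    if (a < 0 || b < 0)
        return -1;
    if (a != 0 && b > INT32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened form: scanline bytes times rows in the strip. Returns 0 on
   overflow, mirroring the 3.9.7 behaviour of treating a signed overflow
   as an error (hypothetical name; libtiff's own function is TIFFVStripSize). */
tsize_t strip_size_checked(tsize_t scanline_bytes, tsize_t nrows)
{
    tsize_t size;
    if (mul_checked(scanline_bytes, nrows, &size) != 0) {
        fprintf(stderr, "strip size overflow: %ld * %ld\n",
                (long)scanline_bytes, (long)nrows);
        return 0;
    }
    return size;
}

/* Pre-fix shape: a 32-bit multiply that silently wraps. The product is
   formed in unsigned arithmetic and converted back so that this
   demonstration itself has no undefined behaviour; the caller still gets
   whatever the low 32 bits are, possibly a negative number. */
tsize_t strip_size_wrapping(tsize_t scanline_bytes, tsize_t nrows)
{
    uint32_t product = (uint32_t)scanline_bytes * (uint32_t)nrows;
    return (tsize_t)product;    /* implementation-defined; wraps on gcc/clang */
}

/* A typical caller passes the result straight to malloc(). Returns 1 when
   that would be a bug: a negative tsize_t converts to an enormous size_t,
   and a zero size (the error signal above) must not be used either. */
int unsafe_to_allocate(tsize_t size)
{
    return size <= 0;
}

int main(void)
{
    /* Constructed input: a crafted file can claim 65536-byte scanlines and
       32768 rows per strip, giving 2^16 * 2^15 = 2^31, one past INT32_MAX. */
    tsize_t bad = strip_size_wrapping(65536, 32768);
    tsize_t ok  = strip_size_checked(65536, 32768);
    printf("wrapping: %ld (unsafe=%d)\n", (long)bad, unsafe_to_allocate(bad));
    printf("checked:  %ld (unsafe=%d)\n", (long)ok, unsafe_to_allocate(ok));
    printf("normal:   %ld\n", (long)strip_size_checked(1024, 100));
    return 0;
}
```

Build it with any C99 compiler and run it. The wrapping variant returns INT32_MIN for the crafted dimensions, which a caller would hand to malloc() as a size_t of roughly 4 GB on a 32-bit build; the checked variant returns 0 and the caller must treat that as an error rather than allocate, which is exactly the point the ChangeLog makes about callers misbehaving on a negative value.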

Matt Fischer (mfisch)
description: updated
Matt Fischer (mfisch) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "3.9.6_to_3.9.7.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Matt Fischer (mfisch)
Changed in tiff3 (Ubuntu):
milestone: none → ubuntu-13.04
Iain Lane (laney) wrote :

Hey,

Thanks for the patch. It's a bit hard to review at the moment though. Do you think you could just attach the .diff.gz or .debian.tar.gz that you get from the source package build and provide a link to the new tarball? This should make it easier to review.

Also, I think I noticed an erroneous 'changelog.dch' file in there that you probably want to delete. :-)

Cheers!

Matt Fischer (mfisch) wrote :

I just noticed the 300k diff, ouch. Anyway, all the files are posted here:

http://people.canonical.com/~mfisch/tiff3/

Iain Lane (laney) wrote :

Thanks. I just had a look. Some comments

  - 'quantal' in changelog and #XXXXXX could be filled in now (I did this)
  - Please actually delete the unused patches to avoid any confusion, and explain these changes in the changelog

Matt Fischer (mfisch) wrote :

I must have uploaded the wrong version; the changelog should have been okay except for the distroseries. I did remove the patches and rebuild. Make sure you refresh your browser; on mine at least the old copy of the source.changes was cached.

 tiff3 (3.9.7-0ubuntu1) raring; urgency=low
 .
   * New upstream release (LP: #1065637)
   * Removed the following patches which were incorporated upstream:
     - CVE-2012-1173.patch
     - CVE-2012-2088.patch
     - CVE-2012-3401.patch

Daniel Holbach (dholbach) wrote :

Uploaded. For some reason this was not automatically closed. (?)

Changed in tiff3 (Ubuntu):
status: In Progress → Fix Released