diff -Nru freeimage-3.17.0+ds1/debian/changelog freeimage-3.17.0+ds1/debian/changelog --- freeimage-3.17.0+ds1/debian/changelog 2017-07-28 03:55:40.000000000 +0000 +++ freeimage-3.17.0+ds1/debian/changelog 2020-09-14 16:39:37.000000000 +0000 @@ -1,14 +1,18 @@ -freeimage (3.17.0+ds1-5build2) artful; urgency=medium +freeimage (3.17.0+ds1-5+deb9u1build0.18.04.1) bionic-security; urgency=medium - * No-change rebuild against libwebpmux3 + * fake sync from Debian - -- Steve Langasek Fri, 28 Jul 2017 03:55:40 +0000 + -- Eduardo Barretto Mon, 14 Sep 2020 13:39:37 -0300 -freeimage (3.17.0+ds1-5build1) zesty; urgency=medium +freeimage (3.17.0+ds1-5+deb9u1) stretch-security; urgency=high - * No-change rebuild against latest libraw + * Non-maintainer upload by the Security Team. + * CVE-2019-12213: stack exhaustion caused by unwanted recursion in + ReadThumbnail (Closes: #929597). + * CVE-2019-12211: heap buffer overflow caused by invalid memcpy in + PluginTIFF. - -- Jeremy Bicha Sun, 15 Jan 2017 19:00:18 -0500 + -- Hugo Lefeuvre Tue, 10 Dec 2019 16:35:54 +0100 freeimage (3.17.0+ds1-5) unstable; urgency=medium diff -Nru freeimage-3.17.0+ds1/debian/control freeimage-3.17.0+ds1/debian/control --- freeimage-3.17.0+ds1/debian/control 2017-07-28 03:55:40.000000000 +0000 +++ freeimage-3.17.0+ds1/debian/control 2016-10-12 16:56:57.000000000 +0000 @@ -1,6 +1,5 @@ Source: freeimage -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Debian Science Maintainers +Maintainer: Debian Science Maintainers Uploaders: Anton Gladky , Ghislain Antony Vaillant Section: libs diff -Nru freeimage-3.17.0+ds1/debian/patches/CVE-2019-12211-13.patch freeimage-3.17.0+ds1/debian/patches/CVE-2019-12211-13.patch --- freeimage-3.17.0+ds1/debian/patches/CVE-2019-12211-13.patch 1970-01-01 00:00:00.000000000 +0000 +++ freeimage-3.17.0+ds1/debian/patches/CVE-2019-12211-13.patch 2019-12-10 15:35:54.000000000 +0000 
@@ -0,0 +1,149 @@
+Subject: fix CVE-2019-12213 and CVE-2019-12211
+Author: Herve Drolon
+Origin: upstream, https://sourceforge.net/p/freeimage/svn/1825/
+--- a/Source/FreeImage/PluginTIFF.cpp 2019-12-16 14:05:02.150620798 +0100
++++ b/Source/FreeImage/PluginTIFF.cpp 2019-12-16 14:05:02.146620830 +0100
+@@ -122,9 +122,14 @@
+ static int s_format_id;
+
+ typedef struct {
++ //! FreeImage IO functions
+ FreeImageIO *io;
+- fi_handle handle;
+- TIFF *tif;
++ //! FreeImage handle
++ fi_handle handle;
++ //! LibTIFF handle
++ TIFF *tif;
++ //! Count the number of thumbnails already read (used to avoid recursion on loading)
++ unsigned thumbnailCount;
+ } fi_TIFFIO;
+
+ // ----------------------------------------------------------
+@@ -184,10 +189,8 @@
+ */
+ TIFF *
+ TIFFFdOpen(thandle_t handle, const char *name, const char *mode) {
+- TIFF *tif;
+-
+ // Open the file; the callback will set everything up
+- tif = TIFFClientOpen(name, mode, handle,
++ TIFF *tif = TIFFClientOpen(name, mode, handle,
+ _tiffReadProc, _tiffWriteProc, _tiffSeekProc, _tiffCloseProc,
+ _tiffSizeProc, _tiffMapProc, _tiffUnmapProc);
+
+@@ -452,9 +455,9 @@
+ }
+
+ }
+- else {
++ else if (bpp <= 32) {
+
+- dib = FreeImage_AllocateHeader(header_only, width, height, MIN(bpp, 32), FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
++ dib = FreeImage_AllocateHeader(header_only, width, height, bpp, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+ }
+
+
+@@ -1041,6 +1044,7 @@
+ if(!fio) return NULL;
+ fio->io = io;
+ fio->handle = handle;
++ fio->thumbnailCount = 0;
+
+ if (read) {
+ fio->tif = TIFFFdOpen((thandle_t)fio, "", "r");
+@@ -1096,6 +1100,27 @@
+ */
+ static BOOL
+ IsValidBitsPerSample(uint16 photometric, uint16 bitspersample, uint16 samplesperpixel) {
++ // get the pixel depth in bits
++ const uint16 pixel_depth = bitspersample * samplesperpixel;
++
++ // check for a supported pixel depth
++ switch (pixel_depth) {
++ case 1:
++ case 4:
++ case 8:
++ case 16:
++ case 24:
++ case 32:
++ case 48:
++ case 64:
++ case 96:
++ case 128:
++ // OK, go on
++ break;
++ default:
++ // unsupported pixel depth
++ return FALSE;
++ }
+
+ switch(bitspersample) {
+ case 1:
+@@ -1136,6 +1161,8 @@
+ default:
+ return FALSE;
+ }
++
++ return FALSE;
+ }
+
+ static TIFFLoadMethod
+@@ -1226,11 +1253,30 @@
+ ReadThumbnail(FreeImageIO *io, fi_handle handle, void *data, TIFF *tiff, FIBITMAP *dib) {
+ FIBITMAP* thumbnail = NULL;
+
++ fi_TIFFIO *fio = (fi_TIFFIO*)data;
++
++ /*
++ Thumbnail loading can cause recursions because of the way
++ functions TIFFLastDirectory and TIFFSetSubDirectory are working.
++ We use here a hack to count the number of times the ReadThumbnail function was called.
++ We only allow one call, check for this
++ */
++ if (fio->thumbnailCount > 0) {
++ return;
++ }
++ else {
++ // update the thumbnail count (used to avoid recursion)
++ fio->thumbnailCount++;
++ }
++
+ // read exif thumbnail (IFD 1) ...
+
+ uint32 exif_offset = 0;
+ if(TIFFGetField(tiff, TIFFTAG_EXIFIFD, &exif_offset)) {
+
++ // this code can cause unwanted recursion causing an overflow, because of the way TIFFLastDirectory work
++ // => this is checked using
++
+ if(TIFFLastDirectory(tiff) != 0) {
+ // save current position
+ long tell_pos = io->tell_proc(handle);
+@@ -1261,6 +1307,8 @@
+ // save current position
+ long tell_pos = io->tell_proc(handle);
+ uint16 cur_dir = TIFFCurrentDirectory(tiff);
++
++ // this code can cause unwanted recursion causing an overflow, because of the way TIFFSetSubDirectory work
+ if(TIFFSetSubDirectory(tiff, subIFD_offsets[0])) {
+ // load the thumbnail
+ int page = -1;
+@@ -2021,7 +2069,7 @@
+ }
+
+ // calculate src line and dst pitch
+- int dst_pitch = FreeImage_GetPitch(dib);
++ unsigned dst_pitch = FreeImage_GetPitch(dib);
+ uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
+ uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
+
+@@ -2051,7 +2099,7 @@
+ BYTE *src_bits = tileBuffer;
+ BYTE *dst_bits = bits + rowSize;
+ for(int k = 0; k < nrows; k++) {
+- memcpy(dst_bits, src_bits, src_line);
++ memcpy(dst_bits, src_bits, MIN(dst_pitch, src_line));
+ src_bits += tileRowSize;
+ dst_bits -= dst_pitch;
+ }
diff -Nru freeimage-3.17.0+ds1/debian/patches/fix-loading-rgbaf.patch freeimage-3.17.0+ds1/debian/patches/fix-loading-rgbaf.patch
--- freeimage-3.17.0+ds1/debian/patches/fix-loading-rgbaf.patch 1970-01-01 00:00:00.000000000 +0000
+++ freeimage-3.17.0+ds1/debian/patches/fix-loading-rgbaf.patch 2019-12-10 15:35:54.000000000 +0000
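Review bot: The pixel-depth check added to IsValidBitsPerSample computes `const uint16 pixel_depth = bitspersample * samplesperpixel;` from two file-supplied 16-bit tags, so the product is evaluated in `int` and then truncated to 16 bits; a large product can wrap onto one of the accepted `case` values (and can overflow `int` for extreme inputs). Keeping the product at full width avoids both: `const unsigned pixel_depth = (unsigned)bitspersample * samplesperpixel;`. In ReadThumbnail the added comment `// => this is checked using` stops mid-sentence and should name the guard, e.g. `// => this is checked using fio->thumbnailCount`. The clamp `MIN(dst_pitch, src_line)` bounds each row's write by the destination pitch, but whether `nrows` is also bounded by the bitmap height cannot be seen from this hunk and is worth confirming, since the loop body starts outside it.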
@@ -0,0 +1,40 @@
+Description: fixed TIFF loader with loading of RGB[A]F float images
+ Reintroduce samplesperpixel arguments to IsValidBitsPerSample, removed in
+ https://sourceforge.net/p/freeimage/svn/1547/
+ Necessary to apply r1825, fixing CVE-2019-12213 and CVE-2019-12211.
+Author: Herve Drolon
+Origin: upstream, https://sourceforge.net/p/freeimage/svn/1670/
+--- a/Source/FreeImage/PluginTIFF.cpp 2019-12-16 13:57:55.000000000 +0100
++++ b/Source/FreeImage/PluginTIFF.cpp 2019-12-16 14:01:08.000000000 +0100
+@@ -1091,10 +1091,11 @@
+ check for uncommon bitspersample values (e.g. 10, 12, ...)
+ @param photometric TIFFTAG_PHOTOMETRIC tiff tag
+ @param bitspersample TIFFTAG_BITSPERSAMPLE tiff tag
++@param samplesperpixel TIFFTAG_SAMPLESPERPIXEL tiff tag
+ @return Returns FALSE if a uncommon bit-depth is encountered, returns TRUE otherwise
+ */
+ static BOOL
+-IsValidBitsPerSample(uint16 photometric, uint16 bitspersample) {
++IsValidBitsPerSample(uint16 photometric, uint16 bitspersample, uint16 samplesperpixel) {
+
+ switch(bitspersample) {
+ case 1:
+@@ -1116,6 +1117,9 @@
+ break;
+ case 32:
+ if((photometric == PHOTOMETRIC_MINISWHITE) || (photometric == PHOTOMETRIC_MINISBLACK) || (photometric == PHOTOMETRIC_LOGLUV)) {
++ return TRUE;
++ } else if((photometric == PHOTOMETRIC_RGB) && (samplesperpixel == 3) || (samplesperpixel == 4)) {
++ // RGB[A]F
+ return TRUE;
+ } else {
+ return FALSE;
+@@ -1365,7 +1369,7 @@
+ // check for unsupported formats
+ // ---------------------------------------------------------------------------------
+
+- if(IsValidBitsPerSample(photometric, bitspersample) == FALSE) {
++ if(IsValidBitsPerSample(photometric, bitspersample, samplesperpixel) == FALSE) {
+ FreeImage_OutputMessageProc(s_format_id,
+ "Unable to handle this format: bitspersample = %d, samplesperpixel = %d, photometric = %d",
+ (int)bitspersample, (int)samplesperpixel, (int)photometric);
diff -Nru freeimage-3.17.0+ds1/debian/patches/series
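Review bot: The RGB[A]F condition added under `case 32:` does not group the way its comment implies: `&&` binds tighter than `||`, so `(photometric == PHOTOMETRIC_RGB) && (samplesperpixel == 3) || (samplesperpixel == 4)` returns TRUE for any photometric value whenever samplesperpixel is 4. If only RGB data is meant to pass, parenthesise the alternatives: `} else if((photometric == PHOTOMETRIC_RGB) && ((samplesperpixel == 3) || (samplesperpixel == 4))) {`. This function is the gate that rejects unsupported TIFF layouts before loading, so the looser test admits tag combinations the loader may not expect. The body of IsValidBitsPerSample continues outside the inner hunk.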
freeimage-3.17.0+ds1/debian/patches/series
--- freeimage-3.17.0+ds1/debian/patches/series 2016-12-13 18:48:01.000000000 +0000
+++ freeimage-3.17.0+ds1/debian/patches/series 2019-12-10 15:35:54.000000000 +0000
@@ -13,3 +13,5 @@
 Fix-encoding-of-fi-header.patch
 Fix-CVE-2016-5684.patch
 Enable-substitution-of-pkg-config.patch
+fix-loading-rgbaf.patch
+CVE-2019-12211-13.patch