tiff: CVE-2013-4243

Related Vulnerabilities: CVE-2013-4243   CVE-2013-4231   CVE-2013-4232   CVE-2013-4244  

Debian Bug report logs - #742917


Reported by: Michael Gilbert <mgilbert@debian.org>

Date: Fri, 28 Mar 2014 22:42:02 UTC

Severity: important

Tags: security

Found in version tiff/3.9.4-5

Fixed in versions tiff/4.0.3-9, tiff/4.0.2-6+deb7u3

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#742917; Package src:tiff. (Fri, 28 Mar 2014 22:42:06 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Fri, 28 Mar 2014 22:42:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tiff: CVE-2013-4243
Date: Fri, 28 Mar 2014 18:38:07 -0400
package: src:tiff
version: 3.9.4-5
severity: important

This issue is currently unfixed in the tiff packages:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243

No DSA needed since it only affects the gif2tiff command-line tool.

Best wishes,
Mike



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Mar 2014 06:57:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#742917; Package src:tiff. (Mon, 07 Apr 2014 12:36:08 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 07 Apr 2014 12:36:08 GMT)


Message #12 received at 742917@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 742917@bugs.debian.org
Subject: Re: tiff: CVE-2013-4243
Date: Mon, 7 Apr 2014 14:22:43 +0200
On Fri, Mar 28, 2014 at 06:38:07PM -0400, Michael Gilbert wrote:
> package: src:tiff
> version: 3.9.4-5
> severity: important
> 
> This issue is currently unfixed in the tiff packages:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243

This wasn't fixed in DSA 2744 since no patch was available back then.

Since then Red Hat has used the attached patch in a security update
for RHEL.

Cheers,
        Moritz
[libtiff-CVE-2013-4243.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#742917; Package src:tiff. (Sat, 21 Jun 2014 22:42:04 GMT)


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 21 Jun 2014 22:42:04 GMT)


Message #17 received at 742917@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 742917@bugs.debian.org, Michael Gilbert <mgilbert@debian.org>
Subject: Re: Bug#742917: tiff: CVE-2013-4243
Date: Sat, 21 Jun 2014 18:32:07 -0400
Moritz Muehlenhoff <jmm@inutil.org> wrote:

> On Fri, Mar 28, 2014 at 06:38:07PM -0400, Michael Gilbert wrote:
>> package: src:tiff
>> version: 3.9.4-5
>> severity: important
>> 
>> This issue is currently unfixed in the tiff packages:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
>
> This wasn't fixed in DSA 2744 since no patch was available back then.
>
> Since then Red Hat has used the attached patch in a security update
> for RHEL.
>
> Cheers,
>         Moritz

I've finally had a chance to deal with this. The patch applies cleanly
with offsets to the versions in squeeze, wheezy, and sid, so I've
prepared packages for all three distributions. I'm attaching the debdiff
files here. Please let me know if I should proceed to upload.

For sid, this will be fixed in 4.0.3-9. I realize there is no DSA.

-- 
Jay Berkenbilt <qjb@debian.org>
[tiff_3.9.4-5+squeeze10-to-11.debdiff (text/x-patch, inline)]
diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog
--- tiff-3.9.4/debian/changelog	2013-08-24 11:23:06.000000000 -0400
+++ tiff-3.9.4/debian/changelog	2014-06-21 18:13:22.000000000 -0400
@@ -1,3 +1,10 @@
+tiff (3.9.4-5+squeeze11) oldstable-security; urgency=high
+
+  * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
+    #742917)
+
+ -- Jay Berkenbilt <qjb@debian.org>  Sat, 21 Jun 2014 17:55:02 -0400
+
 tiff (3.9.4-5+squeeze10) oldstable-security; urgency=high
 
   * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
diff -Nru tiff-3.9.4/debian/patches/CVE-2013-4243.patch tiff-3.9.4/debian/patches/CVE-2013-4243.patch
--- tiff-3.9.4/debian/patches/CVE-2013-4243.patch	1969-12-31 19:00:00.000000000 -0500
+++ tiff-3.9.4/debian/patches/CVE-2013-4243.patch	2014-06-21 18:13:22.000000000 -0400
@@ -0,0 +1,37 @@
+Index: tiff/tools/gif2tiff.c
+===================================================================
+--- tiff.orig/tools/gif2tiff.c	2014-06-21 17:53:57.819546749 -0400
++++ tiff/tools/gif2tiff.c	2014-06-21 17:53:57.815546727 -0400
+@@ -276,6 +276,10 @@
+         fprintf(stderr, "no colormap present for image\n");
+         return (0);
+     }
++    if (width == 0 || height == 0) {
++        fprintf(stderr, "Invalid value of width or height\n");
++        return(0);
++    }
+     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+         fprintf(stderr, "not enough memory for image\n");
+         return (0);
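Review bot: the zero check guards `_TIFFmalloc(width*height+EXTRAFUDGE)` against a zero-sized allocation but not against the product wrapping; the types of `width` and `height` are not visible in this hunk, and if they are 16-bit values as the GIF image descriptor supplies them, `width*height` is evaluated in `int` and can overflow before `_TIFFmalloc` sees it, leaving a short buffer that the later `raster + width*height` bound then computes with the same wrapped value. Compute the size once in a wider unsigned type with an explicit overflow test (or a cap), and reuse that value for both the allocation and the fill-bound checks. Minor style point: `return(0);` differs from the surrounding `return (0);`.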
+@@ -400,6 +404,10 @@
+             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+             return 0;
+         }
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;
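Review bot: the bound `*fill >= raster + width*height` is correct and deliberately excludes the `EXTRAFUDGE` slack, but it recomputes `width*height` on every decoded code and is duplicated verbatim in the next hunk; hoist the end pointer into one variable set where `raster` is allocated (e.g. `rasterend = raster + width*height;`) and compare against that, which also keeps the bound tied to the value actually passed to `_TIFFmalloc`. Style: the added lines are space-indented while the neighbouring `*(*fill)++ = suffix[code];` line is tab-indented.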
+@@ -430,6 +438,10 @@
+     }
+     oldcode = incode;
+     do {
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = *--stackp;
+     } while (stackp > stack);
+     return 1;
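Review bot: placing the check inside the `do { ... } while (stackp > stack)` loop returns 0 with the stack only partly drained, which is harmless only because the caller must stop decoding on a 0 return; checking once before the loop (`if (raster + width*height - *fill < stackp - stack) return 0;`) refuses the whole flush up front, avoids a compare per byte, and leaves `stackp` consistent if the function is ever called again after a failure. Same tab/space mix as the previous hunk.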
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series	2013-08-24 11:22:20.000000000 -0400
+++ tiff-3.9.4/debian/patches/series	2014-06-21 18:13:22.000000000 -0400
@@ -24,3 +24,4 @@
 CVE-2013-4231.patch
 CVE-2013-4232.patch
 CVE-2013-4244.patch
+CVE-2013-4243.patch
[tiff_4.0.2-6_deb7u2-to-3.debdiff (text/x-patch, inline)]
diff -Nru tiff-4.0.2/debian/changelog tiff-4.0.2/debian/changelog
--- tiff-4.0.2/debian/changelog	2013-08-24 11:25:11.000000000 -0400
+++ tiff-4.0.2/debian/changelog	2014-06-21 18:15:31.000000000 -0400
@@ -1,3 +1,10 @@
+tiff (4.0.2-6+deb7u3) stable-security; urgency=high
+
+  * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
+    #742917)
+
+ -- Jay Berkenbilt <qjb@debian.org>  Sat, 21 Jun 2014 18:12:58 -0400
+
 tiff (4.0.2-6+deb7u2) stable-security; urgency=high
 
   * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
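Review bot: as with the squeeze entry, the fix is credited "from Red Hat" without a bug or commit reference; add the same source reference here and note that only the gif2tiff tool changes.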
diff -Nru tiff-4.0.2/debian/patches/CVE-2013-4243.patch tiff-4.0.2/debian/patches/CVE-2013-4243.patch
--- tiff-4.0.2/debian/patches/CVE-2013-4243.patch	1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/CVE-2013-4243.patch	2014-06-21 18:15:31.000000000 -0400
@@ -0,0 +1,37 @@
+Index: tiff/tools/gif2tiff.c
+===================================================================
+--- tiff.orig/tools/gif2tiff.c
++++ tiff/tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+         fprintf(stderr, "no colormap present for image\n");
+         return (0);
+     }
++    if (width == 0 || height == 0) {
++        fprintf(stderr, "Invalid value of width or height\n");
++        return(0);
++    }
+     if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+         fprintf(stderr, "not enough memory for image\n");
+         return (0);
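Review bot: same hunk as the squeeze patch, now with the `readgifimage(char* mode)` context in the header; the zero check still leaves `width*height` to be evaluated in whatever type `width` and `height` have, so the overflow-checked size computation suggested for the squeeze patch applies here as well.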
+@@ -404,6 +408,10 @@ process(register int code, unsigned char
+             fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+             return 0;
+         }
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = suffix[code];
+ 	firstchar = oldcode = code;
+ 	return 1;
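Review bot: identical to the squeeze hunk apart from the +4 offset; `raster + width*height` should be a single precomputed end pointer rather than an expression repeated in two places, and the indentation again mixes spaces with the tab-indented context line.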
+@@ -434,6 +442,10 @@ process(register int code, unsigned char
+     }
+     oldcode = incode;
+     do {
++        if (*fill >= raster + width*height) {
++            fprintf(stderr, "raster full before eoi code\n");
++            return 0;
++        }
+ 	*(*fill)++ = *--stackp;
+     } while (stackp > stack);
+     return 1;
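Review bot: identical to the squeeze hunk; the per-iteration check inside the do/while could be a single capacity check before the loop so that a full raster rejects the flush before any byte is written, rather than stopping part-way with the stack half-consumed.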
diff -Nru tiff-4.0.2/debian/patches/series tiff-4.0.2/debian/patches/series
--- tiff-4.0.2/debian/patches/series	2013-08-24 11:24:44.000000000 -0400
+++ tiff-4.0.2/debian/patches/series	2014-06-21 18:15:31.000000000 -0400
@@ -7,3 +7,4 @@
 CVE-2013-4231.patch
 CVE-2013-4232.patch
 CVE-2013-4244.patch
+CVE-2013-4243.patch
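The bound checks in the debdiffs above, rewritten as an added example that is not libtiff, Red Hat or Debian code: it shows the same two guards (reject zero dimensions; refuse writes past width*height while leaving the EXTRAFUDGE slack untouched) together with the overflow-checked size computation and the single precomputed end pointer a reviewer would ask for. The function names, the 1 GiB cap, the EXTRAFUDGE value and the constructed 4x2 scenario are assumptions made for this illustration.

```c
/* Added example (not libtiff, Red Hat or Debian code): a small model of the
 * gif2tiff raster-fill pattern that the CVE-2013-4243 patch hardens.
 * raster_new/raster_put/raster_put_stack and MAX_RASTER_BYTES are names
 * assumed for this illustration; EXTRAFUDGE mirrors the name in gif2tiff.c
 * but its value here is chosen for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define EXTRAFUDGE 100                      /* slack bytes after the image */
#define MAX_RASTER_BYTES ((size_t)1 << 30)  /* assumed policy cap: 1 GiB */

struct raster {
    unsigned char *buf;   /* width*height + EXTRAFUDGE bytes */
    unsigned char *end;   /* buf + width*height: first byte a pixel may NOT use */
    unsigned char *fill;  /* next write position, like gif2tiff's *fill */
};

/* width*height computed once, overflow-checked and capped. Returns 0 and
 * stores the size on success; -1 on a zero dimension, wrap-around or cap. */
int raster_size(unsigned width, unsigned height, size_t *out)
{
    if (width == 0 || height == 0)
        return -1;                          /* the patch's zero check */
    if ((size_t)width > SIZE_MAX / height)
        return -1;                          /* product would wrap */
    size_t n = (size_t)width * height;
    if (n > MAX_RASTER_BYTES)
        return -1;                          /* absurd image, refuse early */
    *out = n;
    return 0;
}

/* Convenience wrapper: the size as a long, or -1 when refused. */
long raster_size_or_neg(unsigned width, unsigned height)
{
    size_t n;
    return raster_size(width, height, &n) == 0 ? (long)n : -1;
}

int raster_new(struct raster *r, unsigned width, unsigned height)
{
    size_t n;
    if (raster_size(width, height, &n) != 0)
        return -1;
    r->buf = calloc(n + EXTRAFUDGE, 1);
    if (r->buf == NULL)
        return -1;
    r->end = r->buf + n;                    /* bound derived from the same n */
    r->fill = r->buf;
    return 0;
}

/* Single-byte write (the patch's first process() hunk): the bound excludes
 * the EXTRAFUDGE slack, so an over-long LZW stream is refused, not absorbed. */
int raster_put(struct raster *r, unsigned char c)
{
    if (r->fill >= r->end)
        return 0;                           /* "raster full before eoi code" */
    *r->fill++ = c;
    return 1;
}

/* Stack flush (the patch's second hunk). One capacity check before the loop
 * rejects the whole flush up front instead of stopping part-way through. */
int raster_put_stack(struct raster *r, const unsigned char *stack, size_t depth)
{
    if ((size_t)(r->end - r->fill) < depth)
        return 0;
    while (depth > 0)
        *r->fill++ = stack[--depth];        /* pop from the top, as *--stackp does */
    return 1;
}

size_t raster_used(const struct raster *r) { return (size_t)(r->fill - r->buf); }

void raster_free(struct raster *r)
{
    free(r->buf);
    r->buf = r->end = r->fill = NULL;
}

/* Constructed scenario: a 4x2 image whose (made-up) decoded output tries to
 * emit nine pixels. Returns the number of bytes accepted when the overrun is
 * rejected (expected 8), or a negative value if it was not. */
int demo_overrun_rejected(void)
{
    struct raster r;
    const unsigned char stack[4] = {1, 2, 3, 4};
    int ok, used;

    if (raster_new(&r, 4, 2) != 0)
        return -1;
    ok = raster_put_stack(&r, stack, 4);         /* 4 of 8 pixels */
    ok = ok && raster_put_stack(&r, stack, 4);   /* 8 of 8 */
    ok = ok && raster_put(&r, 9);                /* ninth pixel: must fail */
    used = (int)raster_used(&r);
    raster_free(&r);
    return ok ? -2 : used;
}

int main(void)
{
    return demo_overrun_rejected() == 8 ? 0 : 1;
}
```

The end pointer is set once from the same `n` that sized the allocation, so the allocation and the bound cannot disagree the way a twice-evaluated `width*height` can; the cap is a policy choice a converter should make explicitly, since a syntactically valid 65535x65535 GIF asks for roughly 4 GiB even with no integer overflow.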

Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sat, 21 Jun 2014 22:51:05 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Sat, 21 Jun 2014 22:51:05 GMT)


Message #22 received at 742917-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 742917-close@bugs.debian.org
Subject: Bug#742917: fixed in tiff 4.0.3-9
Date: Sat, 21 Jun 2014 22:49:07 +0000
Source: tiff
Source-Version: 4.0.3-9

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Jun 2014 18:12:40 -0400
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc libtiff4-dev
Architecture: source all amd64
Version: 4.0.3-9
Distribution: unstable
Urgency: medium
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4-dev - Tag Image File Format library (TIFF), transitional package
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 742917
Changes:
 tiff (4.0.3-9) unstable; urgency=medium
 .
   * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
     #742917)
Checksums-Sha1:
 e910b91104940602dfee4857411e5b8660700d35 2184 tiff_4.0.3-9.dsc
 af63aba58cd0fdaca0e88ac6f0355fc0216f650c 20968 tiff_4.0.3-9.debian.tar.xz
 d49264afadb50afd1978cfb04f4fae74c1789d17 362730 libtiff-doc_4.0.3-9_all.deb
 981ea208050338c4fae146d70cf79d7ef330e45b 210870 libtiff5_4.0.3-9_amd64.deb
 f0c12ee5cacd0683c99b6ebb115aa390a44541df 73862 libtiffxx5_4.0.3-9_amd64.deb
 c90c96583873c610f3678f7344d37944cb37c043 333066 libtiff5-dev_4.0.3-9_amd64.deb
 ea3ea94a0f504548c4b78c371ecc43d7c0d8a889 283108 libtiff-tools_4.0.3-9_amd64.deb
 0bb2b709150d73ea99f7014fd8b046f389e6a7b7 78894 libtiff-opengl_4.0.3-9_amd64.deb
 b7caa17efbf84bfd49029c88ef58d23397a2d9e0 70518 libtiff4-dev_4.0.3-9_amd64.deb
Checksums-Sha256:
 2099bb47cdcf971d8afc18fcf1006d2be5968ae10c6e09d1db578240dfdba540 2184 tiff_4.0.3-9.dsc
 83b013102627b31ba34487b3dcabaa2587a4825ffca3942ea106bccd57931d70 20968 tiff_4.0.3-9.debian.tar.xz
 4b9dfa3b473c44ddb2e0ae3d9d91af5ea25e142480c6d164abf7ff1bbe1ec515 362730 libtiff-doc_4.0.3-9_all.deb
 bf784913067f81000de8f4657abedf772c77fce53fa557ee6fd75c4a518c5a5a 210870 libtiff5_4.0.3-9_amd64.deb
 e626e18f58d84ee75d1c33aab5bee91faf46d7594fe61c6937f30f19ffa33746 73862 libtiffxx5_4.0.3-9_amd64.deb
 c43ba639d9b340caf3ae89216d5ddf6e9b7a23fc08f69f7e688170cfbc490698 333066 libtiff5-dev_4.0.3-9_amd64.deb
 724e2c148f1dc51f551f234062f48d740e62e1fb0eb92f57d9ca9aba07ff1c13 283108 libtiff-tools_4.0.3-9_amd64.deb
 6efbc66b984ca4a3d30a5082d88e459b7817830aec3cded48efe5b1d563de803 78894 libtiff-opengl_4.0.3-9_amd64.deb
 59dc02dacdcd17ad292d4066e24ef3543ba48cd8d775f15c201c9244e457cc12 70518 libtiff4-dev_4.0.3-9_amd64.deb
Files:
 7b36035d6591ff1284550c4eb0fdfaf1 362730 doc optional libtiff-doc_4.0.3-9_all.deb
 f55222addbea793422375fbb402eabb8 210870 libs optional libtiff5_4.0.3-9_amd64.deb
 7b6f5faa70530029ae0c90ac27ce951a 73862 libs optional libtiffxx5_4.0.3-9_amd64.deb
 d7df73f244ce710f69863d9877f668c6 333066 libdevel optional libtiff5-dev_4.0.3-9_amd64.deb
 988b55e6dd23a38bf734fa71bc956845 283108 graphics optional libtiff-tools_4.0.3-9_amd64.deb
 7710e9bae3c493062d0bcd0e17ba9cca 78894 graphics optional libtiff-opengl_4.0.3-9_amd64.deb
 59fd2ee7ccadba8c1a88672f2efc897c 70518 oldlibs extra libtiff4-dev_4.0.3-9_amd64.deb
 7414f80a7c1a4ff003cd334574827462 2184 libs optional tiff_4.0.3-9.dsc
 e9a593929aacdbb633dec5460064b9d7 20968 libs optional tiff_4.0.3-9.debian.tar.xz





Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#742917; Package src:tiff. (Sat, 21 Jun 2014 23:03:08 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Sat, 21 Jun 2014 23:03:08 GMT)


Message #27 received at 742917@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: 742917@bugs.debian.org
Subject: Re: Bug#742917: tiff: CVE-2013-4243
Date: Sat, 21 Jun 2014 18:58:45 -0400
On Sat, Jun 21, 2014 at 6:32 PM, Jay Berkenbilt wrote:
> I've finally had a chance to deal with this. The patch applies cleanly
> with offsets to the versions in squeeze, wheezy, and sid, so I've
> prepared packages for all three distributions. I'm attaching the debdiff
> files here. Please let me know if I should proceed to upload.
>
> For sid, this will be fixed in 4.0.3-9. I realize there is no DSA.

The diff looks ok to me. Other distros did security announcements for
this, so it would be ok to do a DSA also.  If you want, upload to
security-master and I'll handle the DSA, otherwise you should discuss
as a proposed update with the release team.

In the meantime, please go ahead with the unstable upload.

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#742917; Package src:tiff. (Sun, 22 Jun 2014 00:57:04 GMT)


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sun, 22 Jun 2014 00:57:04 GMT)


Message #32 received at 742917@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 742917@bugs.debian.org
Subject: Re: Bug#742917: tiff: CVE-2013-4243
Date: Sat, 21 Jun 2014 20:54:26 -0400
Michael Gilbert <mgilbert@debian.org> wrote:

> On Sat, Jun 21, 2014 at 6:32 PM, Jay Berkenbilt wrote:
>> I've finally had a chance to deal with this. The patch applies cleanly
>> with offsets to the versions in squeeze, wheezy, and sid, so I've
>> prepared packages for all three distributions. I'm attaching the debdiff
>> files here. Please let me know if I should proceed to upload.
>>
>> For sid, this will be fixed in 4.0.3-9. I realize there is no DSA.
>
> The diff looks ok to me. Other distros did security announcements for
> this, so it would be ok to do a DSA also.  If you want, upload to
> security-master and I'll handle the DSA, otherwise you should discuss
> as a proposed update with the release team.

Okay, I've uploaded to security-master.

> In the meantime, please go ahead with the unstable upload.

Done.

-- 
Jay Berkenbilt <qjb@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#742917; Package src:tiff. (Sun, 22 Jun 2014 01:03:04 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Sun, 22 Jun 2014 01:03:04 GMT)


Message #37 received at 742917@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: Jay Berkenbilt <qjb@debian.org>
Cc: 742917@bugs.debian.org
Subject: Re: Bug#742917: tiff: CVE-2013-4243
Date: Sat, 21 Jun 2014 20:58:11 -0400
>> The diff looks ok to me. Other distros did security announcements for
>> this, so it would be ok to do a DSA also.  If you want, upload to
>> security-master and I'll handle the DSA, otherwise you should discuss
>> as a proposed update with the release team.
>
> Okay, I've uploaded to security-master.

I should have clarified, squeeze no longer gets security support, so
I'll have to reject that.  You'll need to do an lts upload for
squeeze.

Best wishes,
Mike



Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sun, 22 Jun 2014 18:36:06 GMT)


Notification sent to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer. (Sun, 22 Jun 2014 18:36:06 GMT)


Message #42 received at 742917-close@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: 742917-close@bugs.debian.org
Subject: Bug#742917: fixed in tiff 4.0.2-6+deb7u3
Date: Sun, 22 Jun 2014 18:32:10 +0000
Source: tiff
Source-Version: 4.0.2-6+deb7u3

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 742917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Jun 2014 18:12:58 -0400
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff5-alt-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.2-6+deb7u3
Distribution: stable-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff5   - Tag Image File Format (TIFF) library
 libtiff5-alt-dev - Tag Image File Format library (TIFF), alternative development fil
 libtiff5-dev - Tag Image File Format library (TIFF), development files
 libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 742917
Changes: 
 tiff (4.0.2-6+deb7u3) stable-security; urgency=high
 .
   * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
     #742917)
Checksums-Sha1: 
 d05d1ae56ffad682ec391a59b9eb366802a8c581 2135 tiff_4.0.2-6+deb7u3.dsc
 99ab6e9a5e8a491055255a1972f97821adf84b59 23494 tiff_4.0.2-6+deb7u3.debian.tar.gz
 d8eb4734cc27a1d9cd9658d6bb253553b3bd89eb 395642 libtiff-doc_4.0.2-6+deb7u3_all.deb
 bf9dff42031c65d2ecbdd178a0d61296cf02c344 234230 libtiff5_4.0.2-6+deb7u3_amd64.deb
 1a039f38f93d9272806579bf0283beb4dddb80e2 73392 libtiffxx5_4.0.2-6+deb7u3_amd64.deb
 bdc54c3bde7545e9020546460db227548adaaef2 376062 libtiff5-dev_4.0.2-6+deb7u3_amd64.deb
 e0e1ca59e2aa0edddca7fb1d9be1831c70fe3b0e 296082 libtiff5-alt-dev_4.0.2-6+deb7u3_amd64.deb
 6710159f159c254f9396be3345f2e1e2a40864d9 337500 libtiff-tools_4.0.2-6+deb7u3_amd64.deb
 11c818712e0ef679d787ecf36093fce64e740e03 79048 libtiff-opengl_4.0.2-6+deb7u3_amd64.deb
Checksums-Sha256: 
 19d26d6cd0d1bb0aecb11cec27464026a355762f775a01c5fb7596bdfb8f0e2c 2135 tiff_4.0.2-6+deb7u3.dsc
 63892e9a99d8e6e880468873a145020affab1402c5cf323301756fd29748d0f7 23494 tiff_4.0.2-6+deb7u3.debian.tar.gz
 a34abb8e122f570bbc892e21970ef2b8e5313906c6019a7c62d0b0c0e340f109 395642 libtiff-doc_4.0.2-6+deb7u3_all.deb
 305a6a7a0d271423f40ae08ddd6dfc194044f252b18d8786ddfedb6756f67a99 234230 libtiff5_4.0.2-6+deb7u3_amd64.deb
 ea28d5875f2a35166bff0e65638a381f3a73e68a39133f1487a20d357c58fcf6 73392 libtiffxx5_4.0.2-6+deb7u3_amd64.deb
 b687b42df7af7b5f81c2617741137686d44903e715080067b9d0a9fbef46b5ba 376062 libtiff5-dev_4.0.2-6+deb7u3_amd64.deb
 5e554caa60e800dd3d14ca22d08467d75e76d2ccf05470dd992456dac0248ff8 296082 libtiff5-alt-dev_4.0.2-6+deb7u3_amd64.deb
 3e5a0eac2892a2eb4a89b3f61990192b174413120537f012fc1f6c0e4bf99ca4 337500 libtiff-tools_4.0.2-6+deb7u3_amd64.deb
 0fec744b1b7e898af7f8b29c10a26169542269f6afacbf37a70ba97272e98ead 79048 libtiff-opengl_4.0.2-6+deb7u3_amd64.deb
Files: 
 22781d21976bde2021cf95fe21819a71 2135 libs optional tiff_4.0.2-6+deb7u3.dsc
 640cbf487b27c85ea4c2b11ddf3a1cbc 23494 libs optional tiff_4.0.2-6+deb7u3.debian.tar.gz
 8708d63540259aed3fde3aec4c9d7f5e 395642 doc optional libtiff-doc_4.0.2-6+deb7u3_all.deb
 57431a85445be3863e0a1b755adc1fb0 234230 libs optional libtiff5_4.0.2-6+deb7u3_amd64.deb
 fe1211e29c15e5fdb02b4851b8fce79f 73392 libs optional libtiffxx5_4.0.2-6+deb7u3_amd64.deb
 89861e5dd6a1ba30cabc284d3d0d43eb 376062 libdevel optional libtiff5-dev_4.0.2-6+deb7u3_amd64.deb
 34f79e44660c740e4be398986f2b3200 296082 libdevel optional libtiff5-alt-dev_4.0.2-6+deb7u3_amd64.deb
 7373dd0a37b06858ddfff121bf02d91d 337500 graphics optional libtiff-tools_4.0.2-6+deb7u3_amd64.deb
 858ce8244930b5701f38cca8170f74fd 79048 graphics optional libtiff-opengl_4.0.2-6+deb7u3_amd64.deb





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#742917; Package src:tiff. (Mon, 23 Jun 2014 13:27:12 GMT)


Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Mon, 23 Jun 2014 13:27:12 GMT)


Message #47 received at 742917@bugs.debian.org:

From: Jay Berkenbilt <qjb@debian.org>
To: Michael Gilbert <mgilbert@debian.org>
Cc: 742917@bugs.debian.org
Subject: Re: Bug#742917: tiff: CVE-2013-4243
Date: Mon, 23 Jun 2014 09:24:31 -0400
Michael Gilbert <mgilbert@debian.org> wrote:

>>> The diff looks ok to me. Other distros did security announcements for
>>> this, so it would be ok to do a DSA also.  If you want, upload to
>>> security-master and I'll handle the DSA, otherwise you should discuss
>>> as a proposed update with the release team.
>>
>> Okay, I've uploaded to security-master.
>
> I should have clarified, squeeze no longer gets security support, so
> I'll have to reject that.  You'll need to do an lts upload for
> squeeze.

Yeah, I knew that squeeze's security support was over, but I wasn't sure
who/what had responsibility for the long-term support for squeeze. I
remember the announcement about LTS but hadn't realized/remembered that
there was a separate upload path. I found the information about how to
do it. Thanks!

-- 
Jay Berkenbilt <qjb@debian.org>



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Jul 2014 07:26:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:47 2019; Machine Name: buxtehude
