Debian Bug report logs -
#742917
tiff: CVE-2013-4243
Reported by: Michael Gilbert <mgilbert@debian.org>
Date: Fri, 28 Mar 2014 22:42:02 UTC
Severity: important
Tags: security
Found in version tiff/3.9.4-5
Fixed in versions tiff/4.0.3-9, tiff/4.0.2-6+deb7u3
Done: Jay Berkenbilt <qjb@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>: Bug#742917; Package src:tiff. (Fri, 28 Mar 2014 22:42:06 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: New Bug report received and forwarded. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Fri, 28 Mar 2014 22:42:07 GMT)
Message #5 received at submit@bugs.debian.org:
package: src:tiff
version: 3.9.4-5
severity: important
This issue is currently unfixed in the tiff packages:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
No DSA needed since it only affects the gif2tiff command-line tool.
Best wishes,
Mike
Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Mar 2014 06:57:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>: Bug#742917; Package src:tiff. (Mon, 07 Apr 2014 12:36:08 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Mon, 07 Apr 2014 12:36:08 GMT)
Message #12 received at 742917@bugs.debian.org:
On Fri, Mar 28, 2014 at 06:38:07PM -0400, Michael Gilbert wrote:
> package: src:tiff
> version: 3.9.4-5
> severity: important
>
> This issue is currently unfixed in the tiff packages:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
This wasn't fixed in DSA 2744 since no patch was available back then.
Since then Red Hat has used the attached patch in security update
for RHEL.
Cheers,
Moritz
[libtiff-CVE-2013-4243.patch (text/x-diff, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#742917; Package src:tiff. (Sat, 21 Jun 2014 22:42:04 GMT)
Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>: Extra info received and forwarded to list. (Sat, 21 Jun 2014 22:42:04 GMT)
Message #17 received at 742917@bugs.debian.org:
Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Fri, Mar 28, 2014 at 06:38:07PM -0400, Michael Gilbert wrote:
>> package: src:tiff
>> version: 3.9.4-5
>> severity: important
>>
>> This issue is currently unfixed in the tiff packages:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4243
>
> This wasn't fixed in DSA 2744 since no patch was available back then.
>
> Since then Red Hat has used the attached patch in security update
> for RHEL.
>
> Cheers,
> Moritz
I've finally had a chance to deal with this. The patch applies cleanly
with offsets to the versions in squeeze, wheezy, and sid, so I've
prepared packages for all three distributions. I'm attaching the debdiff
files here. Please let me know if I should proceed to upload.
For sid, this will be fixed in 4.0.3-9. I realize there is no DSA.
--
Jay Berkenbilt <qjb@debian.org>
[tiff_3.9.4-5+squeeze10-to-11.debdiff (text/x-patch, inline)]
diff -Nru tiff-3.9.4/debian/changelog tiff-3.9.4/debian/changelog
--- tiff-3.9.4/debian/changelog 2013-08-24 11:23:06.000000000 -0400
+++ tiff-3.9.4/debian/changelog 2014-06-21 18:13:22.000000000 -0400
@@ -1,3 +1,10 @@
+tiff (3.9.4-5+squeeze11) oldstable-security; urgency=high
+
+ * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
+ #742917)
+
+ -- Jay Berkenbilt <qjb@debian.org> Sat, 21 Jun 2014 17:55:02 -0400
+
tiff (3.9.4-5+squeeze10) oldstable-security; urgency=high
* Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
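Review bot: The new changelog entry targets oldstable-security (first added line), but a later message in this log states that squeeze no longer gets security support and that an LTS upload is needed instead. The distribution field should be retargeted to the LTS suite before this version is uploaded; the rest of the entry can stay as it is.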
diff -Nru tiff-3.9.4/debian/patches/CVE-2013-4243.patch tiff-3.9.4/debian/patches/CVE-2013-4243.patch
--- tiff-3.9.4/debian/patches/CVE-2013-4243.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-3.9.4/debian/patches/CVE-2013-4243.patch 2014-06-21 18:13:22.000000000 -0400
@@ -0,0 +1,37 @@
+Index: tiff/tools/gif2tiff.c
+===================================================================
+--- tiff.orig/tools/gif2tiff.c 2014-06-21 17:53:57.819546749 -0400
++++ tiff/tools/gif2tiff.c 2014-06-21 17:53:57.815546727 -0400
+@@ -276,6 +276,10 @@
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -400,6 +404,10 @@
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
+@@ -430,6 +438,10 @@
+ }
+ oldcode = incode;
+ do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
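Review bot: The added zero check on width and height in the first gif2tiff.c hunk does not cover the multiplication in the allocation right after it, _TIFFmalloc(width*height+EXTRAFUDGE). The declarations of width and height are not visible in this patch, so it is worth confirming that the product cannot overflow, or adding an explicit upper bound next to the zero check, because both the allocation size and the raster + width*height limit tested in the two later hunks depend on that product. Minor style point: the added return(0); differs from the surrounding return (0);.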
diff -Nru tiff-3.9.4/debian/patches/series tiff-3.9.4/debian/patches/series
--- tiff-3.9.4/debian/patches/series 2013-08-24 11:22:20.000000000 -0400
+++ tiff-3.9.4/debian/patches/series 2014-06-21 18:13:22.000000000 -0400
@@ -24,3 +24,4 @@
CVE-2013-4231.patch
CVE-2013-4232.patch
CVE-2013-4244.patch
+CVE-2013-4243.patch
[tiff_4.0.2-6_deb7u2-to-3.debdiff (text/x-patch, inline)]
diff -Nru tiff-4.0.2/debian/changelog tiff-4.0.2/debian/changelog
--- tiff-4.0.2/debian/changelog 2013-08-24 11:25:11.000000000 -0400
+++ tiff-4.0.2/debian/changelog 2014-06-21 18:15:31.000000000 -0400
@@ -1,3 +1,10 @@
+tiff (4.0.2-6+deb7u3) stable-security; urgency=high
+
+ * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
+ #742917)
+
+ -- Jay Berkenbilt <qjb@debian.org> Sat, 21 Jun 2014 18:12:58 -0400
+
tiff (4.0.2-6+deb7u2) stable-security; urgency=high
* Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
diff -Nru tiff-4.0.2/debian/patches/CVE-2013-4243.patch tiff-4.0.2/debian/patches/CVE-2013-4243.patch
--- tiff-4.0.2/debian/patches/CVE-2013-4243.patch 1969-12-31 19:00:00.000000000 -0500
+++ tiff-4.0.2/debian/patches/CVE-2013-4243.patch 2014-06-21 18:15:31.000000000 -0400
@@ -0,0 +1,37 @@
+Index: tiff/tools/gif2tiff.c
+===================================================================
+--- tiff.orig/tools/gif2tiff.c
++++ tiff/tools/gif2tiff.c
+@@ -280,6 +280,10 @@ readgifimage(char* mode)
+ fprintf(stderr, "no colormap present for image\n");
+ return (0);
+ }
++ if (width == 0 || height == 0) {
++ fprintf(stderr, "Invalid value of width or height\n");
++ return(0);
++ }
+ if ((raster = (unsigned char*) _TIFFmalloc(width*height+EXTRAFUDGE)) == NULL) {
+ fprintf(stderr, "not enough memory for image\n");
+ return (0);
+@@ -404,6 +408,10 @@ process(register int code, unsigned char
+ fprintf(stderr, "bad input: code=%d is larger than clear=%d\n",code, clear);
+ return 0;
+ }
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = suffix[code];
+ firstchar = oldcode = code;
+ return 1;
+@@ -434,6 +442,10 @@ process(register int code, unsigned char
+ }
+ oldcode = incode;
+ do {
++ if (*fill >= raster + width*height) {
++ fprintf(stderr, "raster full before eoi code\n");
++ return 0;
++ }
+ *(*fill)++ = *--stackp;
+ } while (stackp > stack);
+ return 1;
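Review bot: The same four-line bounds test is added twice in process(), once before the single-byte store and once inside the do/while unwind loop, and each evaluation recomputes raster + width*height. Computing the end-of-raster pointer once where raster is allocated in readgifimage() and comparing *fill against it in both places would keep the two checks from drifting apart. Separately, the new debian/patches/CVE-2013-4243.patch starts directly at the Index: line; a short header naming the CVE and the Red Hat origin mentioned in the changelog would document where the fix came from.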
diff -Nru tiff-4.0.2/debian/patches/series tiff-4.0.2/debian/patches/series
--- tiff-4.0.2/debian/patches/series 2013-08-24 11:24:44.000000000 -0400
+++ tiff-4.0.2/debian/patches/series 2014-06-21 18:15:31.000000000 -0400
@@ -7,3 +7,4 @@
CVE-2013-4231.patch
CVE-2013-4232.patch
CVE-2013-4244.patch
+CVE-2013-4243.patch
Reply sent to Jay Berkenbilt <qjb@debian.org>: You have taken responsibility. (Sat, 21 Jun 2014 22:51:05 GMT)
Notification sent to Michael Gilbert <mgilbert@debian.org>: Bug acknowledged by developer. (Sat, 21 Jun 2014 22:51:05 GMT)
Message #22 received at 742917-close@bugs.debian.org:
Source: tiff
Source-Version: 4.0.3-9
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 21 Jun 2014 18:12:40 -0400
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl libtiff-doc libtiff4-dev
Architecture: source all amd64
Version: 4.0.3-9
Distribution: unstable
Urgency: medium
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff4-dev - Tag Image File Format library (TIFF), transitional package
libtiff5 - Tag Image File Format (TIFF) library
libtiff5-dev - Tag Image File Format library (TIFF), development files
libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 742917
Changes:
tiff (4.0.3-9) unstable; urgency=medium
.
* Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
#742917)
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>: Bug#742917; Package src:tiff. (Sat, 21 Jun 2014 23:03:08 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Sat, 21 Jun 2014 23:03:08 GMT)
Message #27 received at 742917@bugs.debian.org:
On Sat, Jun 21, 2014 at 6:32 PM, Jay Berkenbilt wrote:
> I've finally had a chance to deal with this. The patch applies cleanly
> with offsets to the versions in squeeze, wheezy, and sid, so I've
> prepared packages for all three distributions. I'm attaching the debdiff
> files here. Please let me know if I should proceed to upload.
>
> For sid, this will be fixed in 4.0.3-9. I realize there is no DSA.
The diff looks ok to me. Other distros did security announcements for
this, so it would be ok to do a DSA also. If you want, upload to
security-master and I'll handle the DSA, otherwise you should discuss
as a proposed update with the release team.
In the meantime, please go ahead with the unstable upload.
Best wishes,
Mike
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#742917; Package src:tiff. (Sun, 22 Jun 2014 00:57:04 GMT)
Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>: Extra info received and forwarded to list. (Sun, 22 Jun 2014 00:57:04 GMT)
Message #32 received at 742917@bugs.debian.org:
Michael Gilbert <mgilbert@debian.org> wrote:
> On Sat, Jun 21, 2014 at 6:32 PM, Jay Berkenbilt wrote:
>> I've finally had a chance to deal with this. The patch applies cleanly
>> with offsets to the versions in squeeze, wheezy, and sid, so I've
>> prepared packages for all three distributions. I'm attaching the debdiff
>> files here. Please let me know if I should proceed to upload.
>>
>> For sid, this will be fixed in 4.0.3-9. I realize there is no DSA.
>
> The diff looks ok to me. Other distros did security announcements for
> this, so it would be ok to do a DSA also. If you want, upload to
> security-master and I'll handle the DSA, otherwise you should discuss
> as a proposed update with the release team.
Okay, I've uploaded to security-master.
> In the meantime, please go ahead with the unstable upload.
Done.
--
Jay Berkenbilt <qjb@debian.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Berkenbilt <qjb@debian.org>: Bug#742917; Package src:tiff. (Sun, 22 Jun 2014 01:03:04 GMT)
Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>: Extra info received and forwarded to list. Copy sent to Jay Berkenbilt <qjb@debian.org>. (Sun, 22 Jun 2014 01:03:04 GMT)
Message #37 received at 742917@bugs.debian.org:
>> The diff looks ok to me. Other distros did security announcements for
>> this, so it would be ok to do a DSA also. If you want, upload to
>> security-master and I'll handle the DSA, otherwise you should discuss
>> as a proposed update with the release team.
>
> Okay, I've uploaded to security-master.
I should have clarified, squeeze no longer gets security support, so
I'll have to reject that. You'll need to do an lts upload for
squeeze.
Best wishes,
Mike
Reply sent to Jay Berkenbilt <qjb@debian.org>: You have taken responsibility. (Sun, 22 Jun 2014 18:36:06 GMT)
Notification sent to Michael Gilbert <mgilbert@debian.org>: Bug acknowledged by developer. (Sun, 22 Jun 2014 18:36:06 GMT)
Message #42 received at 742917-close@bugs.debian.org:
Source: tiff
Source-Version: 4.0.2-6+deb7u3
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 742917@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 21 Jun 2014 18:12:58 -0400
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff5-alt-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 4.0.2-6+deb7u3
Distribution: stable-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description:
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff5 - Tag Image File Format (TIFF) library
libtiff5-alt-dev - Tag Image File Format library (TIFF), alternative development fil
libtiff5-dev - Tag Image File Format library (TIFF), development files
libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 742917
Changes:
tiff (4.0.2-6+deb7u3) stable-security; urgency=high
.
* Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
#742917)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#742917; Package src:tiff. (Mon, 23 Jun 2014 13:27:12 GMT)
Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>: Extra info received and forwarded to list. (Mon, 23 Jun 2014 13:27:12 GMT)
Message #47 received at 742917@bugs.debian.org:
Michael Gilbert <mgilbert@debian.org> wrote:
>>> The diff looks ok to me. Other distros did security announcements for
>>> this, so it would be ok to do a DSA also. If you want, upload to
>>> security-master and I'll handle the DSA, otherwise you should discuss
>>> as a proposed update with the release team.
>>
>> Okay, I've uploaded to security-master.
>
> I should have clarified, squeeze no longer gets security support, so
> I'll have to reject that. You'll need to do an lts upload for
> squeeze.
Yeah, I knew that squeeze's security support was over, but I wasn't sure
who/what had responsibility for the long-term support for squeeze. I
remember the announcement about LTS but hadn't realized/remembered that
there was a separate upload path. I found the information about how to
do it. Thanks!
--
Jay Berkenbilt <qjb@debian.org>
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Jul 2014 07:26:43 GMT)
Last modified: Wed Jun 19 17:46:47 2019