Your message dated Sun, 23 Jun 2013 15:26:19 +0000
with message-id <e1uqmbh-0005yy...@franck.debian.org>
and subject line Bug#712840: fixed in tiff3 3.9.7-1
has caused the Debian Bug report #712840,
regarding tiff3: multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
712840: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712840
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
package: src:tiff3
severity: grave
version: 3.9.6-11
tag: security

The tiff package has had multiple security issues recently.  tiff3,
being an old version, is also affected by a subset of them, of which I
haven't fully checked yet:
https://security-tracker.debian.org/tracker/source-package/tiff

It is however clear that tiff3 is affected by at least CVE-2013-1960
and CVE-2013-1961, but probably a whole lot more:
http://bugs.debian.org/706674
http://bugs.debian.org/706675

Please review and help make the situation in unstable better.  We will
also need to issue a dsa for wheezy.

Best wishes,
Mike

--- End Message ---
--- Begin Message ---
Source: tiff3
Source-Version: 3.9.7-1

We believe that the bug you reported is fixed in the latest version of
tiff3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 712...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <q...@debian.org> (supplier of updated tiff3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 23 Jun 2013 10:55:29 -0400
Source: tiff3
Binary: libtiff4 libtiffxx0c2 libtiff4-dev
Architecture: source amd64
Version: 3.9.7-1
Distribution: unstable
Urgency: low
Maintainer: Jay Berkenbilt <q...@debian.org>
Changed-By: Jay Berkenbilt <q...@debian.org>
Description: 
 libtiff4   - Tag Image File Format (TIFF) library (old version)
 libtiff4-dev - Tag Image File Format (TIFF) library (old version), development f
 libtiffxx0c2 - Tag Image File Format (TIFF) library (old version) -- C++ interfa
Closes: 712840
Changes: 
 tiff3 (3.9.7-1) unstable; urgency=low
 .
   * New upstream release
   * Patches incorporated by upstream:
      CVE-2012-1173.patch
      CVE-2012-2088.patch
      CVE-2012-3401.patch
      CVE-2012-5581.patch
   * Build depend on autotools-dev
   * Incorporated changes from CVE-2013-1961 that were applied to the
     library.  The rest of this CVE and CVE-2013-1960 do not apply to
     tiff3 because tiff3 does not create libtiff-tools.  (Closes: #712840)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---