Your message dated Mon, 29 May 2017 13:48:02 +0000
with message-id <[email protected]>
and subject line Bug#783555: fixed in tiff 4.0.3-12.3+deb8u3
has caused the Debian Bug report #783555,
regarding [REGRESSION] Predictor tag fails to be written correctly
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
783555: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783555
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:tiff
Version: 4.0.3-12.3
Severity: important
Tags: upstream
It is reported in
<http://bugzilla.maptools.org/show_bug.cgi?id=2499#c11> and
<https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/1439186> that
patch CVE-2014-8128-5.patch causes a regression for files written with
a predictor tag.
The Launchpad report includes a test case and an alternate patch, but
so far the response in Ubuntu was only to drop the original patch.
Ben.
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: tiff
Source-Version: 4.0.3-12.3+deb8u3
We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated tiff package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 21 Apr 2017 20:22:02 +0000
Source: tiff
Binary: libtiff5 libtiffxx5 libtiff5-dev libtiff-tools libtiff-opengl
libtiff-doc
Architecture: source all amd64
Version: 4.0.3-12.3+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Ondřej Surý <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
libtiff-doc - TIFF manipulation and conversion documentation
libtiff-opengl - TIFF manipulation and conversion tools
libtiff-tools - TIFF manipulation and conversion tools
libtiff5 - Tag Image File Format (TIFF) library
libtiff5-dev - Tag Image File Format library (TIFF), development files
libtiffxx5 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 783555 818360
Changes:
tiff (4.0.3-12.3+deb8u3) jessie-security; urgency=high
.
  * Backport fix for the following vulnerabilities:
    - CVE-2014-8127 and CVE-2016-3658: out-of-bounds read in the tiffset tool,
    - CVE-2016-9535: replace assertions by runtime checks to avoid assertions
      in debug mode, or buffer overflows in release mode,
    - CVE-2016-10266: divide-by-zero in TIFFReadEncodedStrip,
    - CVE-2016-10267: divide-by-zero in OJPEGDecodeRaw,
    - CVE-2016-10269: heap-based buffer overflow in _TIFFmemcpy,
    - CVE-2016-10270: heap-based buffer overflow in TIFFFillStrip,
    - CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value,
    - CVE-2017-7592: left-shift undefined behavior issue in putagreytile,
    - CVE-2017-7593: uninitialized-memory access from tif_rawdata,
    - CVE-2017-7594: leak in OJPEGReadHeaderInfoSecTablesAcTable,
    - CVE-2017-7595: divide-by-zero in JPEGSetupEncode,
    - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598, CVE-2017-7599,
      CVE-2017-7600, CVE-2017-7601 and CVE-2017-7602: multiple UBSAN crashes.
  * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.
.
[ Tobias Lippert <[email protected]> ]
  * Fix a regression introduced by patch CVE-2014-8128-5 where enabling
    compression of tif files results in corrupt files
    (closes: #783555, #818360).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---