
Please test wheezy updates of tiff and tiff3 packages



Hello,

I just finished preparing new versions of the tiff/tiff3 packages.
One of the patches has not been officially acked by upstream yet
(cf http://bugzilla.maptools.org/show_bug.cgi?id=2580 )
and thus I would like some user testing before I release
the DLA to make sure that my changes do not have unexpected
side effects.

Please get the updated packages here (for amd64):
dget https://people.debian.org/~hertzog/packages/tiff_4.0.2-6+deb7u7_amd64.changes
dget https://people.debian.org/~hertzog/packages/tiff3_3.9.6-11+deb7u2_amd64.changes

Note in particular that libtiff-tools_4.0.2-6+deb7u7_amd64.deb drops
the following tools which are no longer supported upstream (I have found
no Debian packages relying on them, cf #827484 too):
bmp2tiff gif2tiff ras2tiff sgi2tiff sgisv ycbcr rgb2ycbcr thumbnail

In wheezy, most tools still link against libtiff4 provided by tiff3 so
testing of tiff3 is important too!

I also attach both debdiffs for review by other Debian developers. I intend
to upload the packages early next week. For tiff, my changes are in git
too:
https://anonscm.debian.org/cgit/collab-maint/tiff.git/log/?id=refs/heads/master-wheezy

Thank you!

PS: I BCCed some LTS sponsors who have the libtiff-tools package
installed.
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
diff --git a/debian/changelog b/debian/changelog
index 35e35a9..15cd76f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+tiff (4.0.2-6+deb7u7) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the Debian Long Term Support Team.
+  * 0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch:
+    - CVE-2014-8128, CVE-2015-7554, CVE-2016-5318: memory corruption.
+    Closes: #842043
+  * Drop libtiff tools that are no longer supported upstream:
+    bmp2tiff gif2tiff ras2tiff sgi2tiff sgisv ycbcr rgb2ycbcr thumbnail
+    Fixes CVE-2016-3619, CVE-2016-3620, CVE-2016-3621, CVE-2016-5319,
+    CVE-2015-8668, issues in bmp2tiff.
+    Fixes CVE-2016-3186, CVE-2016-5102, issue in gif2tiff.
+    Fixes CVE-2016-3631, CVE-2016-3632, CVE-2016-3633, CVE-2016-3634,
+    CVE-2016-8331, issues in thumbnail.
+    Fixes CVE-2016-3623, CVE-2016-3624, issues in rgb2ycbcr.
+    Closes: #842046
+  * Apply upstream patch for CVE-2016-6223: information leak in
+    libtiff/tif_read.c. Closes: #842270
+  * Backport upstream patch for CVE-2016-5652: heap based buffer overflow in
+    tiff2pdf. Closes: #842361
+
+ -- Raphaël Hertzog <hertzog@debian.org>  Thu, 27 Oct 2016 15:52:53 +0200
+
 tiff (4.0.2-6+deb7u6) wheezy-security; urgency=medium
 
   * Non-maintainer upload by the Security Team.
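
Review bot: The new changelog entry does not mention the refresh of patches 0035 through 0041 or the `debian-tag`/`upstream-tag` change in debian/gbp.conf, both of which are part of this debdiff; add a line for each so the entry matches what is uploaded. The 0042 bullet also states flatly that CVE-2014-8128, CVE-2015-7554 and CVE-2016-5318 are fixed, while the patch header only says "I believe this covers" them and the patch has not been acked upstream; consider wording the bullet to match. The distribution is still UNRELEASED and needs to be set before the upload.
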
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 05f30f1..b8cf8a1 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,8 +1,8 @@
 [DEFAULT]
 debian-branch = master-wheezy
-debian-tag = debian-wheezy/%(version)s
+debian-tag = debian/%(version)s
 upstream-branch = upstream-wheezy
-upstream-tag = upstream-wheezy/%(version)s
+upstream-tag = upstream/%(version)s
 pristine-tar = True
 
 [git-dch]
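
Review bot: The tag formats change from `debian-wheezy/%(version)s` and `upstream-wheezy/%(version)s` to `debian/%(version)s` and `upstream/%(version)s`, while `debian-branch` and `upstream-branch` keep their `-wheezy` suffix. If earlier wheezy uploads were tagged under the old prefixes, anything that looks up the previous release through this pattern will not find them; say in the commit message whether the existing tags were renamed, or keep the old format.
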
diff --git a/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch b/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch
index 9efd46c..425f7a1 100644
--- a/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch
+++ b/debian/patches/0035-CVE-2015-8665_and_CVE-2015-8683.patch
@@ -1,11 +1,10 @@
-From f3f0cad770593eaef0766e5be896a6a034fc6313 Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Sat, 26 Dec 2015 17:32:03 +0000
-Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
- TIFFRGBAImage interface in case of unsupported values of
- SamplesPerPixel/ExtraSamples for LogLUV / CIELab. Add explicit call to
- TIFFRGBAImageOK() in TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by
- limingxing and CVE-2015-8683 reported by zzf of Alibaba.
+Subject: * libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
+ interface in case of unsupported values of SamplesPerPixel/ExtraSamples for
+ LogLUV / CIELab. Add explicit call to TIFFRGBAImageOK() in
+ TIFFRGBAImageBegin(). Fix CVE-2015-8665 reported by limingxing and
+ CVE-2015-8683 reported by zzf of Alibaba.
 
 ---
  ChangeLog              |  8 ++++++++
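
Review bot: Removing the `From <commit id> Mon Sep 17 00:00:00 2001` line at the top of this patch drops the only reference to the upstream commit it was taken from. Add an `Origin:` header carrying that commit, as 0043-CVE-2016-6223.patch does, so the backport stays traceable; the same applies to the other refreshed patches 0036 to 0041.
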
@@ -13,7 +12,7 @@ Subject: [PATCH] * libtiff/tif_getimage.c: fix out-of-bound reads in
  2 files changed, 31 insertions(+), 14 deletions(-)
 
 diff --git a/ChangeLog b/ChangeLog
-index a7d283a..4beb30b 100644
+index 4eab3bb..90a4cd4 100644
 --- a/ChangeLog
 +++ b/ChangeLog
 @@ -1,3 +1,11 @@
@@ -28,11 +27,8 @@ index a7d283a..4beb30b 100644
  2012-06-15  Frank Warmerdam  <warmerdam@google.com>
  
  	*  libtiff 4.0.2 released.
- 2012-09-22  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>
- 
- 	* libtiff 4.0.3 released.
 diff --git a/libtiff/tif_getimage.c b/libtiff/tif_getimage.c
-index fd0a4f9..fae1e31 100644
+index 3436bf1..d03631a 100644
 --- a/libtiff/tif_getimage.c
 +++ b/libtiff/tif_getimage.c
 @@ -1,4 +1,4 @@
@@ -119,7 +115,7 @@ index fd0a4f9..fae1e31 100644
  					{
  						if (BuildMapBitdepth16To8(img))
  							img->put.contig = putRGBcontig16bittile;
-@@ -2501,7 +2508,7 @@ PickContigCase(TIFFRGBAImage* img)
+@@ -2501,7 +2510,7 @@ PickContigCase(TIFFRGBAImage* img)
  			}
  			break;
  		case PHOTOMETRIC_SEPARATED:
diff --git a/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch b/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch
index 9ea1233..6d718b2 100644
--- a/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch
+++ b/debian/patches/0036-CVE-2015-8781_CVE-2015-8782_CVE-2015-8783.patch
@@ -1,10 +1,9 @@
-From 3899f0ab62dd307f63f87ec99aaf289e104f4070 Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Sun, 27 Dec 2015 16:25:11 +0000
-Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
- decode functions in non debug builds by replacing assert()s by regular if
- checks (bugzilla #2522). Fix potential out-of-bound reads in case of short
- input data.
+Subject: * libtiff/tif_luv.c: fix potential out-of-bound writes in decode
+ functions in non debug builds by replacing assert()s by regular if checks
+ (bugzilla #2522). Fix potential out-of-bound reads in case of short input
+ data.
 
 ---
  ChangeLog         |  7 +++++++
@@ -12,7 +11,7 @@ Subject: [PATCH] * libtiff/tif_luv.c: fix potential out-of-bound writes in
  2 files changed, 52 insertions(+), 12 deletions(-)
 
 diff --git a/ChangeLog b/ChangeLog
-index 4beb30b..b8aa23c 100644
+index 90a4cd4..edd1105 100644
 --- a/ChangeLog
 +++ b/ChangeLog
 @@ -1,3 +1,10 @@
@@ -27,7 +26,7 @@ index 4beb30b..b8aa23c 100644
  
  	* libtiff/tif_getimage.c: fix out-of-bound reads in TIFFRGBAImage
 diff --git a/libtiff/tif_luv.c b/libtiff/tif_luv.c
-index 4e328ba..60a174d 100644
+index eba6c08..01873d6 100644
 --- a/libtiff/tif_luv.c
 +++ b/libtiff/tif_luv.c
 @@ -1,4 +1,4 @@
diff --git a/debian/patches/0037-CVE-2015-8784.patch b/debian/patches/0037-CVE-2015-8784.patch
index 6e02630..8edcabe 100644
--- a/debian/patches/0037-CVE-2015-8784.patch
+++ b/debian/patches/0037-CVE-2015-8784.patch
@@ -1,7 +1,6 @@
-From 237c9c18b0b3479950e54a755ae428bf0f55f754 Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Sun, 27 Dec 2015 16:55:20 +0000
-Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
+Subject: * libtiff/tif_next.c: fix potential out-of-bound write in
  NeXTDecode() triggered by http://lcamtuf.coredump.cx/afl/vulns/libtiff5.tif
  (bugzilla #2508)
 
@@ -11,7 +10,7 @@ Subject: [PATCH] * libtiff/tif_next.c: fix potential out-of-bound write in
  2 files changed, 15 insertions(+), 3 deletions(-)
 
 diff --git a/ChangeLog b/ChangeLog
-index b8aa23c..04926a3 100644
+index edd1105..1abf092 100644
 --- a/ChangeLog
 +++ b/ChangeLog
 @@ -1,5 +1,11 @@
@@ -27,7 +26,7 @@ index b8aa23c..04926a3 100644
  	functions in non debug builds by replacing assert()s by regular if
  	checks (bugzilla #2522).
 diff --git a/libtiff/tif_next.c b/libtiff/tif_next.c
-index 17e0311..1248caa 100644
+index 060aab3..1248caa 100644
 --- a/libtiff/tif_next.c
 +++ b/libtiff/tif_next.c
 @@ -1,4 +1,4 @@
diff --git a/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch b/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
index a8ce3e5..14b1aea 100644
--- a/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
+++ b/debian/patches/0038-libtiff-tif_pixarlog.c-fix-potential-buffer-write-ov.patch
@@ -1,18 +1,18 @@
-From 5248f8620acb2a42e63790e2c94222ee603939f8 Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Tue, 28 Jun 2016 15:12:19 +0000
-Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun
- in PixarLogDecode() on corrupted/unexpected images (reported by Mathias
+Subject: * libtiff/tif_pixarlog.c: fix potential buffer write overrun in
+ PixarLogDecode() on corrupted/unexpected images (reported by Mathias
  Svensson)
 
 ---
- ChangeLog              |  5 +++++
- libtiff/tif_pixarlog.c | 10 +++++++++-
- 2 files changed, 14 insertions(+), 1 deletion(-)
+ libtiff/tif_pixarlog.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
 
+diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
+index 5e60ea6..a54ab3a 100644
 --- a/libtiff/tif_pixarlog.c
 +++ b/libtiff/tif_pixarlog.c
-@@ -457,6 +457,7 @@
+@@ -457,6 +457,7 @@ horizontalAccumulate8abgr(uint16 *wp, int n, int stride, unsigned char *op,
  typedef	struct {
  	TIFFPredictorState	predict;
  	z_stream		stream;
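
Review bot: In the diffstat, libtiff/tif_pixarlog.c goes from 10 changed lines (9 insertions, 1 deletion) to 8 insertions, so besides the ChangeLog part this refresh also drops one changed line of the upstream commit from tif_pixarlog.c itself. State in the patch header what was left out and why, so a reader comparing against upstream does not have to guess.
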
@@ -20,7 +20,7 @@ Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun
  	uint16			*tbuf; 
  	uint16			stride;
  	int			state;
-@@ -765,6 +766,12 @@
+@@ -765,6 +766,12 @@ PixarLogDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
  		TIFFErrorExt(tif->tif_clientdata, module, "ZLib cannot deal with buffers this size");
  		return (0);
  	}
@@ -33,7 +33,7 @@ Subject: [PATCH] * libtiff/tif_pixarlog.c: fix potential buffer write overrun
  	do {
  		int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);
  		if (state == Z_STREAM_END) {
-@@ -874,6 +881,7 @@
+@@ -874,6 +881,7 @@ PixarLogSetupEncode(TIFF* tif)
  	sp->tbuf = (uint16 *) _TIFFmalloc(tbuf_size);
  	if (sp->tbuf == NULL)
  		return (0);
diff --git a/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch b/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch
index 167e7ac..7908ce4 100644
--- a/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch
+++ b/debian/patches/0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch
@@ -1,18 +1,16 @@
-From 06f04a30cf8e988939ae9b3b7f6ad03c5d3d6109 Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Mon, 11 Jul 2016 21:26:03 +0000
-Subject: [PATCH 1/2] * tools/tiffcrop.c: Avoid access outside of stack
- allocated array on a tiled separate TIFF with more than 8 samples per pixel.
- Reported by Kaixiang Zhang of the Cloud Security Team, Qihoo 360
- (CVE-2016-5321, bugzilla #2558)
+Subject: * tools/tiffcrop.c: Avoid access outside of stack allocated array on
+ a tiled separate TIFF with more than 8 samples per pixel. Reported by
+ Kaixiang Zhang of the Cloud Security Team, Qihoo 360 (CVE-2016-5321,
+ bugzilla #2558)
 
 ---
- ChangeLog        | 7 +++++++
- tools/tiffcrop.c | 4 ++--
- 2 files changed, 9 insertions(+), 2 deletions(-)
+ tools/tiffcrop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index b5a49cc..0bbaadd 100644
+index 0492333..e36030c 100644
 --- a/tools/tiffcrop.c
 +++ b/tools/tiffcrop.c
 @@ -989,7 +989,7 @@ static int  readSeparateTilesIntoBuffer (TIFF* in, uint8 *obuf,
@@ -24,6 +22,3 @@ index b5a49cc..0bbaadd 100644
          {  /* Read each plane of a tile set into srcbuffs[s] */
  	tbytes = TIFFReadTile(in, srcbuffs[s], col, row, 0, s);
          if (tbytes < 0  && !ignore)
--- 
-2.8.1
-
diff --git a/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch b/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch
index ac9cae6..41156b0 100644
--- a/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch
+++ b/debian/patches/0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch
@@ -1,18 +1,16 @@
-From 0a00def284c468230fb159a69ceb325e46df7e1d Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Mon, 11 Jul 2016 21:38:31 +0000
-Subject: [PATCH 2/2] (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
+Subject: (CVE-2016-5321 / CVE-2016-5323 , bugzilla #2558 / #2559)
 
 ---
- ChangeLog        |  2 +-
- tools/tiffcrop.c | 18 +++++++++---------
- 2 files changed, 10 insertions(+), 10 deletions(-)
+ tools/tiffcrop.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 0bbaadd..1b24271 100644
+index e36030c..cfc7d9d 100644
 --- a/tools/tiffcrop.c
 +++ b/tools/tiffcrop.c
-@@ -3738,7 +3738,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -3729,7 +3729,7 @@ combineSeparateSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
  
        matchbits = maskbits << (8 - src_bit - bps); 
        /* load up next sample from each plane */
@@ -21,7 +19,7 @@ index 0bbaadd..1b24271 100644
          {
  	src = in[s] + src_offset + src_byte;
          buff1 = ((*src) & matchbits) << (src_bit);
-@@ -3837,7 +3837,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -3828,7 +3828,7 @@ combineSeparateSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
        src_bit  = bit_offset % 8;
  
        matchbits = maskbits << (16 - src_bit - bps); 
@@ -30,7 +28,7 @@ index 0bbaadd..1b24271 100644
          {
  	src = in[s] + src_offset + src_byte;
          if (little_endian)
-@@ -3947,7 +3947,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -3938,7 +3938,7 @@ combineSeparateSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
        src_bit  = bit_offset % 8;
  
        matchbits = maskbits << (32 - src_bit - bps); 
@@ -39,7 +37,7 @@ index 0bbaadd..1b24271 100644
          {
  	src = in[s] + src_offset + src_byte;
          if (little_endian)
-@@ -4073,7 +4073,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -4064,7 +4064,7 @@ combineSeparateSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
        src_bit  = bit_offset % 8;
  
        matchbits = maskbits << (64 - src_bit - bps); 
@@ -48,7 +46,7 @@ index 0bbaadd..1b24271 100644
  	{
  	src = in[s] + src_offset + src_byte;
  	if (little_endian)
-@@ -4263,7 +4263,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -4254,7 +4254,7 @@ combineSeparateTileSamples8bits (uint8 *in[], uint8 *out, uint32 cols,
  
        matchbits = maskbits << (8 - src_bit - bps); 
        /* load up next sample from each plane */
@@ -57,7 +55,7 @@ index 0bbaadd..1b24271 100644
          {
  	src = in[s] + src_offset + src_byte;
          buff1 = ((*src) & matchbits) << (src_bit);
-@@ -4362,7 +4362,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -4353,7 +4353,7 @@ combineSeparateTileSamples16bits (uint8 *in[], uint8 *out, uint32 cols,
        src_bit  = bit_offset % 8;
  
        matchbits = maskbits << (16 - src_bit - bps); 
@@ -66,7 +64,7 @@ index 0bbaadd..1b24271 100644
          {
  	src = in[s] + src_offset + src_byte;
          if (little_endian)
-@@ -4471,7 +4471,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -4462,7 +4462,7 @@ combineSeparateTileSamples24bits (uint8 *in[], uint8 *out, uint32 cols,
        src_bit  = bit_offset % 8;
  
        matchbits = maskbits << (32 - src_bit - bps); 
@@ -75,7 +73,7 @@ index 0bbaadd..1b24271 100644
          {
  	src = in[s] + src_offset + src_byte;
          if (little_endian)
-@@ -4597,7 +4597,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
+@@ -4588,7 +4588,7 @@ combineSeparateTileSamples32bits (uint8 *in[], uint8 *out, uint32 cols,
        src_bit  = bit_offset % 8;
  
        matchbits = maskbits << (64 - src_bit - bps); 
@@ -84,6 +82,3 @@ index 0bbaadd..1b24271 100644
  	{
  	src = in[s] + src_offset + src_byte;
  	if (little_endian)
--- 
-2.8.1
-
diff --git a/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch b/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch
index ddc93d5..fb0840b 100644
--- a/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch
+++ b/debian/patches/0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch
@@ -1,17 +1,15 @@
-From a2104e65edfc9964dbcec7ecf730a850be77f102 Mon Sep 17 00:00:00 2001
 From: erouault <erouault>
 Date: Mon, 15 Aug 2016 21:05:40 +0000
-Subject: [PATCH] * tools/tiffcrop.c: Fix out-of-bounds write in loadImage().
- From patch libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by
+Subject: * tools/tiffcrop.c: Fix out-of-bounds write in loadImage(). From
+ patch libtiff-CVE-2016-3991.patch from libtiff-4.0.3-25.el7_2.src.rpm by
  Nikola Forro (bugzilla #2543)
 
 ---
- ChangeLog        |  6 ++++++
- tools/tiffcrop.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
- 2 files changed, 63 insertions(+), 4 deletions(-)
+ tools/tiffcrop.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 56 insertions(+), 3 deletions(-)
 
 diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c
-index 1b24271..9e833b7 100644
+index cfc7d9d..6244385 100644
 --- a/tools/tiffcrop.c
 +++ b/tools/tiffcrop.c
 @@ -798,6 +798,11 @@ static int readContigTilesIntoBuffer (TIFF* in, uint8* buf,
@@ -65,7 +63,7 @@ index 1b24271..9e833b7 100644
      }
  
    tilebuf = _TIFFmalloc(tile_buffsize);
-@@ -5945,12 +5966,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+@@ -5936,12 +5957,27 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
      TIFFGetField(in, TIFFTAG_TILELENGTH, &tl);
  
      tile_rowsize  = TIFFTileRowSize(in);      
@@ -94,7 +92,7 @@ index 1b24271..9e833b7 100644
  #ifdef DEBUG2
        TIFFError("loadImage",
  	        "Tilesize %u is too small, using ntiles * tilelength * tilerowsize %lu",
-@@ -5969,8 +6005,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
+@@ -5960,8 +5996,25 @@ loadImage(TIFF* in, struct image_data *image, struct dump_opts *dump, unsigned c
      TIFFGetFieldDefaulted(in, TIFFTAG_ROWSPERSTRIP, &rowsperstrip);
      stsize = TIFFStripSize(in);
      nstrips = TIFFNumberOfStrips(in);
@@ -121,6 +119,3 @@ index 1b24271..9e833b7 100644
      if (buffsize < (uint32) (((length * width * spp * bps) + 7) / 8))
        {
        buffsize =  ((length * width * spp * bps) + 7) / 8;
--- 
-2.9.3
-
diff --git a/debian/patches/0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch b/debian/patches/0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch
new file mode 100644
index 0000000..a92cfec
--- /dev/null
+++ b/debian/patches/0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch
@@ -0,0 +1,128 @@
+From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org>
+Date: Thu, 27 Oct 2016 15:36:10 +0200
+Subject: Make more tag fields known to TIFFReadDirectoryFindFieldInfo
+
+This avoids problems when some tags are treated as anonymous fields
+whose passcount field defaults to true when the associated code (in tiff
+tools) really expects false.
+
+I believe this covers the following 3 CVE:
+CVE-2014-8128: http://bugzilla.maptools.org/show_bug.cgi?id=2499
+CVE-2015-7554: http://bugzilla.maptools.org/show_bug.cgi?id=2564
+CVE-2016-5318: http://bugzilla.maptools.org/show_bug.cgi?id=2561
+
+In the tiff tools, we still have TIFFGetField calls for
+TIFFTAG_JPEGPOINTTRANSFORM and TIFFTAG_JPEGLOSSLESSPREDICTORS that are
+not properly defined. I'm not sure whether it can have any security
+impact.
+
+Bug-Debian: https://bugs.debian.org/842043
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2580
+---
+ libtiff/tif_dirinfo.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/libtiff/tif_dirinfo.c b/libtiff/tif_dirinfo.c
+index cf1f496..cf1adc3 100644
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -79,6 +79,8 @@ tiffFields[] = {
+ 	{ TIFFTAG_FREEBYTECOUNTS, -1, -1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 0, 0, "FreeByteCounts", NULL },
+ 	{ TIFFTAG_GRAYRESPONSEUNIT, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 1, 0, "GrayResponseUnit", NULL },
+ 	{ TIFFTAG_GRAYRESPONSECURVE, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 1, 0, "GrayResponseCurve", NULL },
++	{ TIFFTAG_GROUP3OPTIONS, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+7, 0, 0, "Group3Options", NULL },
++	{ TIFFTAG_GROUP4OPTIONS, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+7, 0, 0, "Group4Options", NULL },
+ 	{ TIFFTAG_RESOLUTIONUNIT, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_RESOLUTIONUNIT, 1, 0, "ResolutionUnit", NULL },
+ 	{ TIFFTAG_PAGENUMBER, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_PAGENUMBER, 1, 0, "PageNumber", NULL },
+ 	{ TIFFTAG_COLORRESPONSEUNIT, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_IGNORE, 1, 0, "ColorResponseUnit", NULL },
+@@ -87,6 +89,7 @@ tiffFields[] = {
+ 	{ TIFFTAG_DATETIME, 20, 20, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "DateTime", NULL },
+ 	{ TIFFTAG_ARTIST, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Artist", NULL },
+ 	{ TIFFTAG_HOSTCOMPUTER, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "HostComputer", NULL },
++	{ TIFFTAG_PREDICTOR, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+0, FALSE, FALSE, "Predictor", NULL },
+ 	{ TIFFTAG_WHITEPOINT, 2, 2, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "WhitePoint", NULL },
+ 	{ TIFFTAG_PRIMARYCHROMATICITIES, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "PrimaryChromaticities", NULL },
+ 	{ TIFFTAG_COLORMAP, -1, -1, TIFF_SHORT, 0, TIFF_SETGET_OTHER, TIFF_SETGET_UNDEFINED, FIELD_COLORMAP, 1, 0, "ColorMap", NULL },
+@@ -95,6 +98,9 @@ tiffFields[] = {
+ 	{ TIFFTAG_TILELENGTH, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UNDEFINED, FIELD_TILEDIMENSIONS, 0, 0, "TileLength", NULL },
+ 	{ TIFFTAG_TILEOFFSETS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPOFFSETS, 0, 0, "TileOffsets", NULL },
+ 	{ TIFFTAG_TILEBYTECOUNTS, -1, 1, TIFF_LONG8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_STRIPBYTECOUNTS, 0, 0, "TileByteCounts", NULL },
++	{ TIFFTAG_BADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+0, TRUE, FALSE, "BadFaxLines", NULL },
++	{ TIFFTAG_CLEANFAXDATA, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UINT16, FIELD_CODEC+1, TRUE, FALSE, "CleanFaxData", NULL },
++	{ TIFFTAG_CONSECUTIVEBADFAXLINES, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CODEC+2, TRUE, FALSE, "ConsecutiveBadFaxLines", NULL },
+ 	{ TIFFTAG_SUBIFD, -1, -1, TIFF_IFD8, 0, TIFF_SETGET_C16_IFD8, TIFF_SETGET_UNDEFINED, FIELD_SUBIFD, 1, 1, "SubIFD", &tiffFieldArray },
+ 	{ TIFFTAG_INKSET, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InkSet", NULL },
+ 	{ TIFFTAG_INKNAMES, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_C16_ASCII, TIFF_SETGET_UNDEFINED, FIELD_INKNAMES, 1, 1, "InkNames", NULL },
+@@ -109,11 +115,30 @@ tiffFields[] = {
+ 	{ TIFFTAG_XCLIPPATHUNITS, 1, 1, TIFF_SLONG, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "XClipPathUnits", NULL },
+ 	{ TIFFTAG_XCLIPPATHUNITS, 1, 1, TIFF_SBYTE, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "XClipPathUnits", NULL },
+ 	{ TIFFTAG_YCLIPPATHUNITS, 1, 1, TIFF_SLONG, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "YClipPathUnits", NULL },
++	{ TIFFTAG_INDEXED, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "Indexed", NULL },
++	{ TIFFTAG_JPEGTABLES, -3, -3, TIFF_UNDEFINED, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_C32_UINT8, FIELD_CODEC+0, 0, 1, "JPEGTables", NULL },
++	/* MISSING: TIFFTAG_OPIPROXY */
++	{ TIFFTAG_JPEGPROC, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CODEC+5, 0, 0, "JpegProc", NULL },
++	{ TIFFTAG_JPEGIFOFFSET, 1, 1, TIFF_LONG8, 0, TIFF_SETGET_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+0, 1, 0, "JpegInterchangeFormat", NULL },
++	{ TIFFTAG_JPEGIFBYTECOUNT, 1, 1, TIFF_LONG8, 0, TIFF_SETGET_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+1, 1, 0, "JpegInterchangeFormatLength", NULL },
++	{ TIFFTAG_JPEGRESTARTINTERVAL, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED,FIELD_CODEC+6, 0, 0, "JpegRestartInterval", NULL },
++	/* MISSING: TIFFTAG_JPEGLOSSLESSPREDICTORS */
++	/* MISSING: TIFFTAG_JPEGPOINTTRANSFORM */
++	{ TIFFTAG_JPEGQTABLES, TIFF_VARIABLE2, TIFF_VARIABLE2, TIFF_LONG8, 0, TIFF_SETGET_C32_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+2, 0, 1, "JpegQTables", NULL },
++	{ TIFFTAG_JPEGDCTABLES, TIFF_VARIABLE2, TIFF_VARIABLE2, TIFF_LONG8, 0, TIFF_SETGET_C32_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+3, 0, 1, "JpegDcTables", NULL },
++	{ TIFFTAG_JPEGACTABLES, TIFF_VARIABLE2, TIFF_VARIABLE2, TIFF_LONG8, 0, TIFF_SETGET_C32_UINT64, TIFF_SETGET_UNDEFINED, FIELD_CODEC+4, 0, 1, "JpegAcTables", NULL },
+ 	{ TIFFTAG_YCBCRCOEFFICIENTS, 3, 3, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "YCbCrCoefficients", NULL },
+ 	{ TIFFTAG_YCBCRSUBSAMPLING, 2, 2, TIFF_SHORT, 0, TIFF_SETGET_UINT16_PAIR, TIFF_SETGET_UNDEFINED, FIELD_YCBCRSUBSAMPLING, 0, 0, "YCbCrSubsampling", NULL },
+ 	{ TIFFTAG_YCBCRPOSITIONING, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_YCBCRPOSITIONING, 0, 0, "YCbCrPositioning", NULL },
+ 	{ TIFFTAG_REFERENCEBLACKWHITE, 6, 6, TIFF_RATIONAL, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_REFBLACKWHITE, 1, 0, "ReferenceBlackWhite", NULL },
+ 	{ TIFFTAG_XMLPACKET, -3, -3, TIFF_BYTE, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "XMLPacket", NULL },
++	/* MISSING: TIFFTAG_OPIIMAGEID */
++	/* begin Island Graphics tags */
++	/* MISSING: TIFFTAG_REFPTS */
++	/* MISSING: TIFFTAG_REGIONTACKPOINT */
++	/* MISSING: TIFFTAG_REGIONWARPCORNERS */
++	/* MISSING: TIFFTAG_REGIONAFFINE */
++	/* end Island Graphics tags */
+ 	/* begin SGI tags */
+ 	{ TIFFTAG_MATTEING, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_EXTRASAMPLES, 0, 0, "Matteing", NULL },
+ 	{ TIFFTAG_DATATYPE, -2, -1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_SAMPLEFORMAT, 0, 0, "DataType", NULL },
+@@ -128,18 +153,23 @@ tiffFields[] = {
+ 	{ TIFFTAG_PIXAR_FOVCOT, 1, 1, TIFF_FLOAT, 0, TIFF_SETGET_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "FieldOfViewCotangent", NULL },
+ 	{ TIFFTAG_PIXAR_MATRIX_WORLDTOSCREEN, 16, 16, TIFF_FLOAT, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "MatrixWorldToScreen", NULL },
+ 	{ TIFFTAG_PIXAR_MATRIX_WORLDTOCAMERA, 16, 16, TIFF_FLOAT, 0, TIFF_SETGET_C0_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "MatrixWorldToCamera", NULL },
+-	{ TIFFTAG_COPYRIGHT, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Copyright", NULL },
+ 	/* end Pixar tags */
++	/* MISSING: TIFFTAG_WRITERSERIALNUMBER */
++	{ TIFFTAG_COPYRIGHT, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 0, "Copyright", NULL },
+ 	{ TIFFTAG_RICHTIFFIPTC, -3, -3, TIFF_LONG, 0, TIFF_SETGET_C32_UINT32, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "RichTIFFIPTC", NULL },
++	/* MISSING: TIFFTAG_IT8* */
++	/* MISSING: TIFFTAG_FRAMECOUNT */
+ 	{ TIFFTAG_PHOTOSHOP, -3, -3, TIFF_BYTE, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "Photoshop", NULL },
+ 	{ TIFFTAG_EXIFIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_IFD8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "EXIFIFDOffset", &exifFieldArray },
+ 	{ TIFFTAG_ICCPROFILE, -3, -3, TIFF_UNDEFINED, 0, TIFF_SETGET_C32_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "ICC Profile", NULL },
++	/* MISSING: TIFFTAG_JBIGOPTIONS */
+ 	{ TIFFTAG_GPSIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_IFD8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "GPSIFDOffset", NULL },
+ 	{ TIFFTAG_FAXRECVPARAMS, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "FaxRecvParams", NULL },
+ 	{ TIFFTAG_FAXSUBADDRESS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxSubAddress", NULL },
+ 	{ TIFFTAG_FAXRECVTIME, 1, 1, TIFF_LONG, 0, TIFF_SETGET_UINT32, TIFF_SETGET_UINT32, FIELD_CUSTOM, TRUE, FALSE, "FaxRecvTime", NULL },
+ 	{ TIFFTAG_FAXDCS, -1, -1, TIFF_ASCII, 0, TIFF_SETGET_ASCII, TIFF_SETGET_ASCII, FIELD_CUSTOM, TRUE, FALSE, "FaxDcs", NULL },
+ 	{ TIFFTAG_STONITS, 1, 1, TIFF_DOUBLE, 0, TIFF_SETGET_DOUBLE, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "StoNits", NULL },
++	/* MISSING: TIFFTAG_FEDEX_EDR */
+ 	{ TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_IFD8, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "InteroperabilityIFDOffset", NULL },
+ 	/* begin DNG tags */
+ 	{ TIFFTAG_DNGVERSION, 4, 4, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "DNGVersion", NULL },
+@@ -181,6 +211,8 @@ tiffFields[] = {
+ 	{ TIFFTAG_MAKERNOTESAFETY, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "MakerNoteSafety", NULL },
+ 	{ TIFFTAG_CALIBRATIONILLUMINANT1, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "CalibrationIlluminant1", NULL },
+ 	{ TIFFTAG_CALIBRATIONILLUMINANT2, 1, 1, TIFF_SHORT, 0, TIFF_SETGET_UINT16, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "CalibrationIlluminant2", NULL },
++	/* XXX: TIFFTAG_BESTQUALITYSCALE (tag 50780) should be here but is higher up
++	 * in the list. */
+ 	{ TIFFTAG_RAWDATAUNIQUEID, 16, 16, TIFF_BYTE, 0, TIFF_SETGET_C0_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 0, "RawDataUniqueID", NULL },
+ 	{ TIFFTAG_ORIGINALRAWFILENAME, -1, -1, TIFF_BYTE, 0, TIFF_SETGET_C16_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 1, 1, "OriginalRawFileName", NULL },
+ 	{ TIFFTAG_ORIGINALRAWFILEDATA, -1, -1, TIFF_UNDEFINED, 0, TIFF_SETGET_C16_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "OriginalRawFileData", NULL },
+@@ -191,6 +223,7 @@ tiffFields[] = {
+ 	{ TIFFTAG_CURRENTICCPROFILE, -1, -1, TIFF_UNDEFINED, 0, TIFF_SETGET_C16_UINT8, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "CurrentICCProfile", NULL },
+ 	{ TIFFTAG_CURRENTPREPROFILEMATRIX, -1, -1, TIFF_SRATIONAL, 0, TIFF_SETGET_C16_FLOAT, TIFF_SETGET_UNDEFINED, FIELD_CUSTOM, 0, 1, "CurrentPreProfileMatrix", NULL },
+ 	/* end DNG tags */
++	/* MISSING: TIFFTAG_DCSHUESHIFTVALUES */
+ 	/* begin pseudo tags */
+ 	{ TIFFTAG_PERSAMPLE, 0, 0, TIFF_SHORT, 0, TIFF_SETGET_UNDEFINED, TIFF_SETGET_UNDEFINED, FIELD_PSEUDO, TRUE, FALSE, "PerSample", NULL},
+ };
diff --git a/debian/patches/0043-CVE-2016-6223.patch b/debian/patches/0043-CVE-2016-6223.patch
new file mode 100644
index 0000000..bf5ba8d
--- /dev/null
+++ b/debian/patches/0043-CVE-2016-6223.patch
@@ -0,0 +1,46 @@
+From: erouault <erouault>
+Date: Sun, 10 Jul 2016 18:00:20 +0000
+Subject: Fix CVE-2016-6223: information leak in libtiff/tif_read.c
+
+* libtiff/tif_read.c: Fix out-of-bounds read on memory-mapped files in
+TIFFReadRawStrip1() and TIFFReadRawTile1() when stripoffset is beyond
+tmsize_t max value (reported by Mathias Svensson)
+
+Origin: upstream, https://github.com/vadz/libtiff/commit/0ba5d8814a17a64bdb8d9035f4c533f3f3f4b496
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842270
+---
+ libtiff/tif_read.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libtiff/tif_read.c b/libtiff/tif_read.c
+index 913eac8..c1beb4e 100644
+--- a/libtiff/tif_read.c
++++ b/libtiff/tif_read.c
+@@ -31,6 +31,9 @@
+ #include "tiffiop.h"
+ #include <stdio.h>
+ 
++#define TIFF_SIZE_T_MAX ((size_t) ~ ((size_t)0))
++#define TIFF_TMSIZE_T_MAX (tmsize_t)(TIFF_SIZE_T_MAX >> 1)
++
+ int TIFFFillStrip(TIFF* tif, uint32 strip);
+ int TIFFFillTile(TIFF* tif, uint32 tile);
+ static int TIFFStartStrip(TIFF* tif, uint32 strip);
+@@ -401,7 +404,7 @@ TIFFReadRawStrip1(TIFF* tif, uint32 strip, void* buf, tmsize_t size,
+ 		tmsize_t n;
+ 		ma=(tmsize_t)td->td_stripoffset[strip];
+ 		mb=ma+size;
+-		if (((uint64)ma!=td->td_stripoffset[strip])||(ma>tif->tif_size))
++		if ((td->td_stripoffset[strip] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+ 			n=0;
+ 		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+ 			n=tif->tif_size-ma;
+@@ -717,7 +720,7 @@ TIFFReadRawTile1(TIFF* tif, uint32 tile, void* buf, tmsize_t size, const char* m
+ 		tmsize_t n;
+ 		ma=(tmsize_t)td->td_stripoffset[tile];
+ 		mb=ma+size;
+-		if (((uint64)ma!=td->td_stripoffset[tile])||(ma>tif->tif_size))
++		if ((td->td_stripoffset[tile] > (uint64)TIFF_TMSIZE_T_MAX)||(ma>tif->tif_size))
+ 			n=0;
+ 		else if ((mb<ma)||(mb<size)||(mb>tif->tif_size))
+ 			n=tif->tif_size-ma;
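Review bot: in both TIFFReadRawStrip1() and TIFFReadRawTile1() the sum mb=ma+size is still a signed tmsize_t addition computed before any bound is checked, and the following (mb<ma)||(mb<size) test relies on that addition wrapping, which C does not guarantee for signed types. With the new test ensuring the offset fits in TIFF_TMSIZE_T_MAX and ma<=tif->tif_size already established by the first branch, the second branch could compare size > tif->tif_size - ma and drop mb altogether. Also give the TIFF_TMSIZE_T_MAX definition outer parentheses, ((tmsize_t)(TIFF_SIZE_T_MAX >> 1)), so the cast cannot bind unexpectedly at a use site.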
diff --git a/debian/patches/0044-CVE-2016-5652.patch b/debian/patches/0044-CVE-2016-5652.patch
new file mode 100644
index 0000000..bc03fdc
--- /dev/null
+++ b/debian/patches/0044-CVE-2016-5652.patch
@@ -0,0 +1,52 @@
+From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org>
+Date: Fri, 28 Oct 2016 14:20:32 +0200
+Subject: Fix CVE-2016-5652: write buffer overflow of 2 bytes on JPEG
+ compressed images
+
+Reported by Tyler Bohan of Cisco Talos as TALOS-CAN-0187 /
+CVE-2016-5652. Also prevents writing 2 extra uninitialized bytes to the
+file stream.
+
+http://www.talosintelligence.com/reports/TALOS-2016-0187/
+
+Origin: backport, https://github.com/vadz/libtiff/commit/b5d6803f0898e931cf772d3d0755704ab8488e63
+---
+ tools/tiff2pdf.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/tools/tiff2pdf.c b/tools/tiff2pdf.c
+index 52da6db..7ffb536 100644
+--- a/tools/tiff2pdf.c
++++ b/tools/tiff2pdf.c
+@@ -2852,21 +2852,24 @@ tsize_t t2p_readwrite_pdf_image_tile(T2P* t2p, TIFF* input, TIFF* output, ttile_
+ 				return(0);
+ 			}
+ 			if(TIFFGetField(input, TIFFTAG_JPEGTABLES, &count, &jpt) != 0) {
+-				if (count > 0) {
+-					_TIFFmemcpy(buffer, jpt, count);
++				if (count > 4) {
++					/* Ignore EOI marker of JpegTables */
++					_TIFFmemcpy(buffer, jpt, count - 2);
+ 					bufferoffset += count - 2;
++					/* Store last 2 bytes of the JpegTables */
+ 					table_end[0] = buffer[bufferoffset-2];
+ 					table_end[1] = buffer[bufferoffset-1];
+-				}
+-				if (count > 0) {
+ 					xuint32 = bufferoffset;
++					bufferoffset -= 2;
+ 					bufferoffset += TIFFReadRawTile(
+ 						input, 
+ 						tile, 
+-						(tdata_t) &(((unsigned char*)buffer)[bufferoffset-2]), 
++						(tdata_t) &(((unsigned char*)buffer)[bufferoffset]),
+ 						-1);
+-						buffer[xuint32-2]=table_end[0];
+-						buffer[xuint32-1]=table_end[1];
++					/* Overwrite SOI marker of image scan with previously */
++					/* saved end of JpegTables */
++					buffer[xuint32-2]=table_end[0];
++					buffer[xuint32-1]=table_end[1];
+ 				} else {
+ 					bufferoffset += TIFFReadRawTile(
+ 						input, 
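Review bot: the return value of TIFFReadRawTile() is still added straight into bufferoffset in the count > 4 branch, so a failed read (negative return) moves the offset backwards instead of aborting the tile; check it before the += and before restoring table_end[] at buffer[xuint32-2]. The threshold count > 4 is also unexplained: the new comments cover the EOI marker and the two saved bytes, so add a line saying why tables of 4 bytes or fewer take the else path. Nothing in the hunk bounds count - 2 against the size of buffer, so please confirm that the allocation earlier in t2p_readwrite_pdf_image_tile() accounts for the JPEGTables length.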
diff --git a/debian/patches/series b/debian/patches/series
index 74027c1..e3af08f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -39,3 +39,6 @@
 0039-tools-tiffcrop.c-Avoid-access-outside-of-stack-alloc.patch
 0040-CVE-2016-5321-CVE-2016-5323-bugzilla-2558-2559.patch
 0041-tools-tiffcrop.c-Fix-out-of-bounds-write-in-loadImag.patch
+0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch
+0043-CVE-2016-6223.patch
+0044-CVE-2016-5652.patch
diff --git a/debian/rules b/debian/rules
index 40ea186..dd755f9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -27,6 +27,11 @@ clean::
 binary-post-install/libtiff-tools::
 	$(RM) debian/libtiff-tools/usr/bin/tiffgt
 	$(RM) debian/libtiff-tools/usr/share/man/man1/tiffgt.1*
+	# Remove tools unsupported by upstream
+	for tool in bmp2tiff gif2tiff ras2tiff sgi2tiff sgisv ycbcr rgb2ycbcr thumbnail; do \
+	    $(RM) debian/libtiff-tools/usr/bin/$$tool; \
+	    $(RM) debian/libtiff-tools/usr/share/man/man1/$${tool}.*; \
+	done
 
 # Empty dependency_libs from all .la files
 binary-post-install/libtiff5-dev::
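Review bot: the man page glob $${tool}.* in the new loop is wider than the tiffgt.1* pattern two lines above it, and because $(RM) is rm -f by default, a misspelt or renamed tool in the list would pass silently. Use $${tool}.1* for consistency, and consider failing the build when one of the listed binaries is absent so the list stays in step with what the upstream build installs.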
diff -Nru tiff3-3.9.6/debian/changelog tiff3-3.9.6/debian/changelog
--- tiff3-3.9.6/debian/changelog	2016-09-04 23:10:55.000000000 +0200
+++ tiff3-3.9.6/debian/changelog	2016-10-28 15:01:09.000000000 +0200
@@ -1,3 +1,11 @@
+tiff3 (3.9.6-11+deb7u2) UNRELEASED; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * Fix CVE-2016-5318 and CVE-2015-7554 by letting libtiff know about
+    all the "tags" currently in use.
+
+ -- Raphaël Hertzog <hertzog@debian.org>  Fri, 28 Oct 2016 14:42:06 +0200
+
 tiff3 (3.9.6-11+deb7u1) wheezy-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
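Review bot: this entry names only CVE-2016-5318 and CVE-2015-7554, while the header of the patch it introduces says the change also covers CVE-2014-8128, and the tiff changelog entry for the same fix lists all three. Add CVE-2014-8128 here, or say why it does not apply to 3.9.6, so the changelog agrees with the patch description. The entry also writes "LTS Team" where the previous one has "LTS team".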
diff -Nru tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch
--- tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch	1970-01-01 01:00:00.000000000 +0100
+++ tiff3-3.9.6/debian/patches/CVE-2016-5318_CVE-2015-7554.patch	2016-10-28 16:04:46.000000000 +0200
@@ -0,0 +1,124 @@
+From: =?utf-8?q?Rapha=C3=ABl_Hertzog?= <hertzog@debian.org>
+Date: Thu, 27 Oct 2016 15:36:10 +0200
+Subject: Make more tag fields known to TIFFReadDirectoryFindFieldInfo
+
+This avoids problems when some tags are treated as anonymous fields
+whose passcount field defaults to true when the associated code (in tiff
+tools) really expects false.
+
+I believe this covers the following 3 CVE:
+CVE-2014-8128: http://bugzilla.maptools.org/show_bug.cgi?id=2499
+CVE-2015-7554: http://bugzilla.maptools.org/show_bug.cgi?id=2564
+CVE-2016-5318: http://bugzilla.maptools.org/show_bug.cgi?id=2561
+
+This backport does not add the data for some tags that are using a LONG8
+type which is not supported by version 3.x of libtiff.
+
+Bug: http://bugzilla.maptools.org/show_bug.cgi?id=2580
+---
+ libtiff/tif_dirinfo.c | 35 ++++++++++++++++++++++++++++++++++-
+ 1 file changed, 34 insertions(+), 1 deletion(-)
+
+--- a/libtiff/tif_dirinfo.c
++++ b/libtiff/tif_dirinfo.c
+@@ -132,6 +132,10 @@ tiffFieldInfo[] = {
+       1,	0,	"GrayResponseUnit" },
+     { TIFFTAG_GRAYRESPONSECURVE,-1,-1,	TIFF_SHORT,	FIELD_IGNORE,
+       1,	0,	"GrayResponseCurve" },
++    { TIFFTAG_GROUP3OPTIONS,     1, 1,  TIFF_LONG,      FIELD_CODEC+7,
++      0,        0,      "Group3Options" },
++    { TIFFTAG_GROUP4OPTIONS,     1, 1,  TIFF_LONG,      FIELD_CODEC+7,
++      0,        0,      "Group4Options" },
+     { TIFFTAG_RESOLUTIONUNIT,	 1, 1,	TIFF_SHORT,	FIELD_RESOLUTIONUNIT,
+       1,	0,	"ResolutionUnit" },
+     { TIFFTAG_PAGENUMBER,	 2, 2,	TIFF_SHORT,	FIELD_PAGENUMBER,
+@@ -172,6 +176,10 @@ tiffFieldInfo[] = {
+       0,	0,	"TileByteCounts" },
+     { TIFFTAG_TILEBYTECOUNTS,	-1, 1,	TIFF_SHORT,	FIELD_STRIPBYTECOUNTS,
+       0,	0,	"TileByteCounts" },
++    { TIFFTAG_BADFAXLINES,       1, 1,  TIFF_LONG,      FIELD_CODEC+0,
++      1,        0,      "BadFaxLines" },
++    { TIFFTAG_CLEANFAXDATA,      1, 1,  TIFF_SHORT,     FIELD_CODEC+1,
++      1,        0,      "CleanFaxData" },
+     { TIFFTAG_CONSECUTIVEBADFAXLINES,	1, 1,	TIFF_LONG,	FIELD_CODEC+2,
+       1,	0,	"ConsecutiveBadFaxLines" },
+     { TIFFTAG_SUBIFD,		-1,-1,	TIFF_IFD,	FIELD_SUBIFD,
+@@ -215,6 +223,21 @@ tiffFieldInfo[] = {
+       0,	0,	"YClipPathUnits" },
+     { TIFFTAG_YCLIPPATHUNITS,	 1, 1,	TIFF_SBYTE,	FIELD_CUSTOM,
+       0,	0,	"YClipPathUnits" },
++    { TIFFTAG_INDEXED,           1, 1,  TIFF_SHORT,     FIELD_CUSTOM,
++      0,        0,      "Indexed"},
++    { TIFFTAG_JPEGTABLES,       -3,-3,  TIFF_UNDEFINED, FIELD_CODEC+0,
++      0,        1,      "JPEGTables" },
++    /* MISSING: TIFFTAG_OPIPROXY */
++    { TIFFTAG_JPEGPROC,          1, 1,  TIFF_SHORT,     FIELD_CODEC+5,
++      0,        0,      "JpegProc" },
++    /* MISSING: TIFFTAG_JPEGIFOFFSET and TIFFTAG_JPEGIFBYTECOUNT,
++     * no TIFF_LONG8 supported in this version */
++    { TIFFTAG_JPEGRESTARTINTERVAL,1,1,  TIFF_SHORT,     FIELD_CODEC+6,
++      0,        0,      "JpegRestartInterval" },
++    /* MISSING: TIFFTAG_JPEGLOSSLESSPREDICTORS */
++    /* MISSING: TIFFTAG_JPEGPOINTTRANSFORM */
++    /* MISSING: TIFFTAG_JPEGQTABLES, TIFFTAG_JPEGDCTABLES,
++     * TIFFTAG_JPEGACTABLES, no TIFF_LONG8 supported in this version */
+     { TIFFTAG_YCBCRCOEFFICIENTS, 3, 3,	TIFF_RATIONAL,	FIELD_CUSTOM,
+       0,	0,	"YCbCrCoefficients" },
+     { TIFFTAG_YCBCRSUBSAMPLING,	 2, 2,	TIFF_SHORT,	FIELD_YCBCRSUBSAMPLING,
+@@ -228,6 +251,13 @@ tiffFieldInfo[] = {
+       1,	0,	"ReferenceBlackWhite" },
+     { TIFFTAG_XMLPACKET,	-3,-3,	TIFF_BYTE,	FIELD_CUSTOM,
+       0,	1,	"XMLPacket" },
++    /* MISSING: TIFFTAG_OPIIMAGEID */
++/* begin Island Graphics tags */
++    /* MISSING: TIFFTAG_REFPTS */
++    /* MISSING: TIFFTAG_REGIONTACKPOINT */
++    /* MISSING: TIFFTAG_REGIONWARPCORNERS */
++    /* MISSING: TIFFTAG_REGIONAFFINE */
++/* end Island Graphics tags */
+ /* begin SGI tags */
+     { TIFFTAG_MATTEING,		 1, 1,	TIFF_SHORT,	FIELD_EXTRASAMPLES,
+       0,	0,	"Matteing" },
+@@ -257,21 +287,34 @@ tiffFieldInfo[] = {
+       FIELD_CUSTOM,	1,	0,	"MatrixWorldToScreen" },
+     { TIFFTAG_PIXAR_MATRIX_WORLDTOCAMERA,	16,16,	TIFF_FLOAT,
+        FIELD_CUSTOM,	1,	0,	"MatrixWorldToCamera" },
++    /* MISSING: TIFFTAG_WRITERSERIALNUMBER */
+     { TIFFTAG_COPYRIGHT,	-1, -1,	TIFF_ASCII,	FIELD_CUSTOM,
+       1,	0,	"Copyright" },
+ /* end Pixar tags */
+     { TIFFTAG_RICHTIFFIPTC, -3, -3,	TIFF_LONG,	FIELD_CUSTOM, 
+       0,    1,   "RichTIFFIPTC" },
++    /* MISSING: TIFFTAG_IT8* */
++    /* MISSING: TIFFTAG_FRAMECOUNT */
+     { TIFFTAG_PHOTOSHOP,    -3, -3,	TIFF_BYTE,	FIELD_CUSTOM, 
+       0,    1,   "Photoshop" },
+     { TIFFTAG_EXIFIFD,		1, 1,	TIFF_LONG,	FIELD_CUSTOM,
+       0,	0,	"EXIFIFDOffset" },
+     { TIFFTAG_ICCPROFILE,	-3, -3,	TIFF_UNDEFINED,	FIELD_CUSTOM,
+       0,	1,	"ICC Profile" },
++    /* MISSING: TIFFTAG_JBIGOPTIONS */
+     { TIFFTAG_GPSIFD,		1, 1,	TIFF_LONG,	FIELD_CUSTOM,
+       0,	0,	"GPSIFDOffset" },
++    { TIFFTAG_FAXRECVPARAMS,    1, 1,   TIFF_LONG,      FIELD_CUSTOM,
++      1,        0,      "FaxRecvParams" },
++    { TIFFTAG_FAXSUBADDRESS,   -1,-1,   TIFF_ASCII,     FIELD_CUSTOM,
++      1,        0,      "FaxSubAddress" },
++    { TIFFTAG_FAXRECVTIME,      1, 1,   TIFF_LONG,      FIELD_CUSTOM,
++      1,        0,      "FaxRecvTime" },
++    { TIFFTAG_FAXDCS,          -1,-1,   TIFF_ASCII,     FIELD_CUSTOM,
++      1,        0,      "FaxDcs" },
+     { TIFFTAG_STONITS,		 1, 1,	TIFF_DOUBLE,	FIELD_CUSTOM,
+       0,	0,	"StoNits" },
++    /* MISSING: TIFFTAG_FEDEX_EDR */
+     { TIFFTAG_INTEROPERABILITYIFD, 1, 1, TIFF_LONG,	FIELD_CUSTOM,
+       0,	0,	"InteroperabilityIFDOffset" },
+ /* begin DNG tags */
+@@ -394,6 +437,7 @@ tiffFieldInfo[] = {
+     { TIFFTAG_CURRENTPREPROFILEMATRIX,	-1, -1,	TIFF_SRATIONAL,	FIELD_CUSTOM, 
+       0,	1,	"CurrentPreProfileMatrix" },
+ /* end DNG tags */
++    /* MISSING: TIFFTAG_DCSHUESHIFTVALUES */
+ };
+ 
+ static const TIFFFieldInfo
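Review bot: several added entries put codec-private bits into the global tiffFieldInfo[] table, and TIFFTAG_BADFAXLINES and TIFFTAG_JPEGTABLES are both given FIELD_CODEC+0; please confirm that a file carrying one of these tags while a different codec is active cannot have the bit read as that codec's field, and add a comment saying why the shared bit is safe. The header diffstat (34 insertions, 1 deletion) does not match the hunks, which add 44 lines and remove none, so regenerate it. The MISSING comments that give no reason (OPIPROXY, OPIIMAGEID, the Island Graphics tags, WRITERSERIALNUMBER, IT8*, FRAMECOUNT, JBIGOPTIONS, FEDEX_EDR, DCSHUESHIFTVALUES) leave those tags as anonymous fields, the case the description says causes the problem, so note for each group why it can be skipped.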
diff -Nru tiff3-3.9.6/debian/patches/series tiff3-3.9.6/debian/patches/series
--- tiff3-3.9.6/debian/patches/series	2016-09-04 23:10:55.000000000 +0200
+++ tiff3-3.9.6/debian/patches/series	2016-10-28 15:02:15.000000000 +0200
@@ -25,3 +25,4 @@
 CVE-2016-3186.patch
 CVE-2013-1961.patch
 CVE-2010-2596.patch
+CVE-2016-5318_CVE-2015-7554.patch
