tiff (4.2.0-1+deb11u7) bullseye-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2024-13978: Affected by this vulnerability is the function
    t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps.
    The manipulation leads to null pointer dereference. The attack needs to be
    approached locally. The complexity of an attack is rather high. The
    exploitation appears to be difficult.
  * CVE-2025-9900: This vulnerability is a "write-what-where" condition, triggered
    when the library processes a specially crafted TIFF image file. By providing
    an abnormally large image height value in the file's metadata, an attacker
    can trick the library into writing attacker-controlled color data to an
    arbitrary memory location. This memory corruption can be exploited to cause a
    denial of service (application crash) or to achieve arbitrary code execution
    with the permissions of the user.

 -- Jochen Sprickerhof <jspricke@debian.org>  Mon, 29 Sep 2025 15:19:31 +0200

tiff (4.2.0-1+deb11u6) bullseye-security; urgency=medium

  * Non-maintainer upload by the LTS Team.
  * CVE-2023-2908: NULL pointer dereference in tif_dir.c
  * CVE-2023-3316: NULL pointer dereference in TIFFClose
  * CVE-2023-3618: Buffer overflow in tiffcrop
  * CVE-2023-25433: Buffer overflow in tiffcrop
  * CVE-2023-26965: Use after free in tiffcrop
  * CVE-2023-26966: Buffer overflow in uv_encode()
  * CVE-2023-52356: segfault in TIFFReadRGBAStrip/TIFFReadRGBATile
  * CVE-2024-7006: NULL pointer dereference in
    TIFFReadDirectory/TIFFReadCustomDirectory
  * debian/libtiff5.symbols: Add a symbol added in 4.2.0-1+deb11u2

 -- Adrian Bunk <bunk@debian.org>  Sun, 19 Jan 2025 13:37:43 +0200

tiff (4.2.0-1+deb11u5) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix a memory leak in tiffcrop (CVE-2023-3576)
  * Fix buffer overflows in tiffcp and raw2tiff
    (CVE-2023-40745, CVE-2023-41175)

 -- Aron Xu <aron@debian.org>  Thu, 23 Nov 2023 15:39:53 +0800

tiff (4.2.0-1+deb11u4) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Security fix for multiple flaws in tiffcrop, a specially crafted tiff file
    can lead to an out-of-bounds write or read resulting in a denial of
    service.

 -- Aron Xu <aron@debian.org>  Thu, 23 Feb 2023 17:15:05 +0800

tiff (4.2.0-1+deb11u3) bullseye-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Backport security fix for CVE-2022-48281, heap-based buffer overflow in
    processCropSelections().

 -- Aron Xu <aron@debian.org>  Sun, 29 Jan 2023 14:56:06 +0800

tiff (4.2.0-1+deb11u2) bullseye-security; urgency=high

  [ Laszlo Boszormenyi (GCS) ]
  * Backport security fix for CVE-2022-1354, heap buffer overflow in
    TIFFReadRawDataStriped() .
  * Backport security fix for CVE-2022-1355, tiffcp stack buffer overflow in
    "mode" string.
  * Backport security fix for CVE-2022-1622 and CVE-2022-1623, out of bounds
    read in LZWDecode() .
  * Backport security fix for CVE-2022-34526, stack overflow in 
    _TIFFVGetField() .

  [ Aron Xu ]
  * Non-maintainer upload by the Security Team.
  * Backport security fix for CVE-2022-2056, CVE-2022-2057 and CVE-2022-2058,
    divide by zero in computeInputPixelOffsets().
  * Backport security fix for CVE-2022-2867, CVE-2022-2868 and CVE-2022-2869,
    out of bounds read/write caused by uint32_t underflow.
  * Backport security fix for CVE-2022-3570 and CVE=2022-3598, buffer overflow
    in tiffcrop subroutines.
  * Backport security fix for CVE-2022-2519, CVE-2022-2520, CVE-2022-2521,
    CVE-2022-2953, CVE-2022-3597, CVE-2022-3636 and CVE-2022-3627, disable
    the combination of incompatible options to avoid out-of-bounds writes.
  * Backport security fix for CVE-2022-3599, out-of-bounds read in
    writeSingleSection().

 -- Aron Xu <aron@debian.org>  Tue, 17 Jan 2023 16:17:33 +0800

tiff (4.2.0-1+deb11u1) bullseye-security; urgency=high

  [ Thorsten Alteholz <debian@alteholz.de> ]
  * CVE-2022-22844
    out-of-bounds read in _TIFFmemcpy in certain situations involving a
    custom tag and 0x0200 as the second word of the DE field.
  * CVE-2022-0562
    Null source pointer passed as an argument to memcpy() function within
    TIFFReadDirectory(). This could result in a Denial of Service via
    crafted TIFF files.
  * CVE-2022-0561
    Null source pointer passed as an argument to memcpy() function within
    TIFFFetchStripThing(). This could result in a Denial of Service via
    crafted TIFF files.

  [ Laszlo Boszormenyi (GCS) <gcs@debian.org> ]
  * Backport security fix for CVE-2022-0865, crash when reading a file with
    multiple IFD in memory-mapped mode and when bit reversal is needed.
  * Backport security fix for CVE-2022-0908, null source pointer passed as an
    argument to memcpy() function within TIFFFetchNormalTag().
  * Backport security fix for CVE-2022-0907, unchecked return value to null
    pointer dereference in tiffcrop.
  * Backport security fix for CVE-2022-0909, divide by zero error in
    tiffcrop.
  * Backport security fix for CVE-2022-0891, heap buffer overflow in
    ExtractImageSection function in tiffcrop.
  * Backport security fix for CVE-2022-0924, heap buffer overflow in tiffcp.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 13 Mar 2022 15:57:56 +0100

tiff (4.2.0-1) unstable; urgency=medium

  * New upstream release.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 21 Dec 2020 15:06:46 +0100

tiff (4.1.0+git201212-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - TIFFSetupStrips: enforce 2GB limitation of
      Strip/Tile Offsets/ByteCounts arrays,
    - tiff2ps: fix heap buffer read overflow in PSDataColorContig() ,
    - tiff2pdf: palette bound check in t2p_sample_realize_palette() ,
    - tiffcrop: fix asan runtime error caused by integer promotion, 
    - raw2tiff: avoid divide by zero,
    - tif_fax3.c: check buffer overflow in Fax4Decode() ,
    - tif_fax3: better fix for CVE-2011-0192,
    - TIFFReadCustomDirectory(): fix potential heap buffer overflow when
      reading a custom directory, after a regular directory where a codec was
      active,
    - tif_fax3.h: check for buffer overflow in EXPAND2D before "calling"
      CLEANUP_RUNS() ,
    - contrib/win_dib/tiff2dib: fix uninitialized variable: lpBits,
    - Fax3SetupState(): check consistency of rowbytes and rowpixels,
      potential heap overflow in tiff2pdf,
    - tiff2pdf: avoid divide by zero, use-after-free in t2p_writeproc()
      function,
    - tiffcp/tiff2pdf/tiff2ps: enforce maximum malloc size,
    - tif_fax3: more buffer overflow checks in Fax3Decode2D() ,
    - tiffset: check memory allocation, use of allocated memory without null
      pointer check,
    - tiffdump: avoid unaligned memory access,
    - tiff2pdf: normalizePoint() macro to normalize the white point, avoid
      divide by zero,
    - tif_fax3: quit Fax3Decode2D() when a buffer overflow occurs,
    - tiffcrop: enforce memory allocation limit,
    - tiffinfo: fix dump of Tiled images, heap out of bounds read in
      TIFFReadRawData() ,
    - Fax3PreDecode(): reset curruns and refruns state variables,
      heap-buffer-overflow in Fax3Decode2D() ,
    - tif_fax3.h: extra buffer overflow checks, heap-buffer-overflow in
      Fax3Decode2D() ,
    - TIFFStartStrip(): avoid potential crash in WebP codec when using
      scanline access on corrupted files,
    - gtTileContig(): check Tile width for overflow,
    - avoid buffer overflow while writing jpeg end of file marker,
    - tiff2ps.c: fix buffer overread, heap-buffer-overflow in PSDataBW() ,
    - fix potential overflow in gtStripContig() ,
    - more overflow fixes for large width,
    - enforce (configurable) memory limit in tiff2rgba,
    - tiff2pdf: enforce memory limit for tiled pictures,
    - tiffcrop: fix buffer overrun in extractContigSamples24bits() .
  * Build with libdeflate support.
  * Update libtiff5 symbols.
  * Update debhelper level to 13 .
  * Update Standards-Version to 4.5.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 13 Dec 2020 07:52:33 +0100

tiff (4.1.0+git191117-2) unstable; urgency=medium

  * Backport upstream fix for rowsperstrip parse regression in
    OJPEGReadHeaderInfo() (closes: #945402).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 08 Jan 2020 15:47:02 +0000

tiff (4.1.0+git191117-1) unstable; urgency=medium

  * Git snapshot, fixing the following issues:
    - missing TIFFClose in rgb2ycbcr tool,
    - missing checks on TIFFGetField in tiffcrop tool,
    - broken sanity check in OJPEG,
    - missing generated .sh files for tests.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 18 Nov 2019 18:02:46 +0000

tiff (4.1.0-1) unstable; urgency=medium

  * New upstream release.
  * Update Standards-Version to 4.4.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 05 Nov 2019 16:26:48 +0000

tiff (4.0.10+git191003-1) unstable; urgency=high

  * Git snapshot, fixing the following security issue:
    - TIFFReadAndRealloc(): avoid too large memory allocation attempts.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 03 Oct 2019 22:00:39 +0000

tiff (4.0.10+git190903-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - setByteArray(): avoid potential signed integer overflow,
    - EstimateStripByteCounts(): avoid several unsigned integer overflows,
    - tif_ojpeg: avoid two unsigned integer overflows,
    - OJPEGWriteHeaderInfo(): avoid unsigned integer overflow on strile
      dimensions close to UINT32_MAX,
    - _TIFFPartialReadStripArray(): avoid unsigned integer overflow,
    - JPEG: avoid use of uninitialized memory on corrupted files,
    - TIFFFetchDirectory(): fix invalid cast from uint64 to tmsize_t,
    - allocChoppedUpStripArrays(): avoid unsigned integer overflow,
    - tif_ojpeg: avoid use of uninitialized memory on edge/broken file,
    - ByteCountLooksBad and EstimateStripByteCounts: avoid unsigned integer
      overflows.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 17 Sep 2019 22:07:35 +0000

tiff (4.0.10+git190818-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - RGBA interface: fix integer overflow potentially causing write heap
      buffer overflow,
    - setByteArray(): avoid potential signed integer overflow.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 18 Aug 2019 11:25:27 +0000

tiff (4.0.10+git190814-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - TryChopUpUncompressedBigTiff(): avoid potential division by zero,
    - fix vulnerability introduced by defer strile loading,
    - fix vulnerability in 'D' (DeferStrileLoad) mode,
    - return infinite distance when denominator is zero,
    - OJPEG: avoid use of uninitialized memory on corrupted files,
    - OJPEG: fix integer division by zero on corrupted subsampling factors,
    - OJPEGReadBufferFill(): avoid very long processing time on corrupted
      files,
    - TIFFClientOpen(): fix memory leak if one of the required callbacks is
      not provided,
    - CVE-2019-14973, fix integer overflow in _TIFFCheckMalloc() and other
      implementation-defined behaviour (closes: #934780).
  * Update libtiff5 symbols.
  * Update Standards-Version to 4.4.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 14 Aug 2019 19:24:22 +0000

tiff (4.0.10-4) unstable; urgency=high

  * Backport security fixes:
    - CVE-2018-12900: heap-based buffer overflow in
      cpSeparateBufToContigBuf() cause remote DoS (closes: #902718),
    - CVE-2018-17000: NULL pointer dereference in _TIFFmemcmp() cause DoS
      (closes: #908778),
    - CVE-2018-19210: NULL pointer dereference in TIFFWriteDirectorySec()
      cause DoS (closes: #913675),
    - CVE-2019-6128: TIFFFdOpen() memory leak (closes: #921157).
  * Update watch file.
  * Update Standards-Version to 4.3.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 02 Feb 2019 18:34:29 +0000

tiff (4.0.10-3) unstable; urgency=medium

  * Backport fix for lossless WebP compression config.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 22 Nov 2018 17:01:04 +0000

tiff (4.0.10-2) unstable; urgency=medium

  * Add libegl1-mesa-dev as build dependency until mesa-common-dev is fixed.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 20 Nov 2018 00:24:26 +0000

tiff (4.0.10-1) unstable; urgency=high

  * New upstream release.
  * Fix CVE-2018-18661: NULL pointer dereference in LZWDecode()
    (closes: #912012).
  * Move libtiff5-dev contents to libtiff-dev .
  * Mark libtiff-dev as Multi-Arch same (closes: #884978).
  * Mark libtiff-{tools,opengl} as Multi-Arch foreign (closes: #904165).
  * Mark libtiff-doc as Multi-Arch foreign (closes: #907794).
  * Fix TIFFReadRawStrip man page typo (closes: #672858).
  * Update Standards-Version to 4.2.1 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 19 Nov 2018 17:16:05 +0000

tiff (4.0.9+git181026-1) unstable; urgency=high

  * Git snapshot, fixing the following security issues:
    - CVE-2018-17100, int32 overflow in multiply_ms() which can cause a DoS
      or possibly have unspecified other impact via a crafted image file
      (closes: #909038),
    - CVE-2018-17101, two out-of-bounds writes in cpTags() which can cause a
      DoS or possibly have unspecified other impact via a crafted image file
      (closes: #909037),
    - CVE-2018-18557, out-of-bounds write in JBIGDecode() (closes: #911635).
  * Remove previously backported security patches.
  * Build with Zstandard, a fast lossless compression algorithm.
  * Build with WebP, the modern VP8 compression format.
  * Update libtiff5 symbols.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 28 Oct 2018 11:04:14 +0000

tiff (4.0.9-6) unstable; urgency=high

  * Fix CVE-2018-8905: eap-based buffer overflow in LZWDecodeCompat()
    (closes: #893806).
  * Fix CVE-2018-10963: remote denial of service (closes: #898348).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 01 Jul 2018 19:46:23 +0000

tiff (4.0.9-5) unstable; urgency=high

  * Fix CVE-2017-11613: avoid memory exhaustion in
    ChopUpSingleUncompressedStrip() (closes: #869823).
  * Fix CVE-2018-7456: NULL pointer dereference in TIFFPrintDirectory()
    (closes: #891288).
  * Fix CVE-2017-17095: heap-based buffer overflow in pal2rgb tool
    (closes: #883320).
  * Don't specify parallel to debhelper.
  * Update Standards-Version to 4.1.4 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 15 Apr 2018 18:13:42 +0000

tiff (4.0.9-4) unstable; urgency=high

  * Fix CVE-2018-5784: uncontrolled resource consumption in TIFFSetDirectory()
    (closes: #890441).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 14 Feb 2018 20:07:21 +0000

tiff (4.0.9-3) unstable; urgency=high

  * Fix CVE-2017-18013: NULL pointer dereference in TIFFPrintDirectory()
    (closes: #885985).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 01 Jan 2018 16:26:47 +0000

tiff (4.0.9-2) unstable; urgency=high

  * Fix CVE-2017-9935: heap-based buffer overflow in the t2p_write_pdf()
    function  (closes: #866109).
  * Update debhelper level to 11 .
  * Update Standards-Version to 4.1.2 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 15 Dec 2017 17:45:42 +0000

tiff (4.0.9-1) unstable; urgency=medium

  * New upstream release.
  * Remove previously backported security patches.
  * Update libtiff5 symbols.
  * Make -dev recommend pkg-config (closes: #814417).
  * Update debhelper level to 10:
    - don't need to specify 'with autotools-dev' anymore,
    - remove autotools-dev build dependency,
    - remove dh-autoreconf build dependency.

  [ Helmut Grohne <helmut@subdivi.de> ]
  * Turn libtiff-dev into a real package (closes: #780807).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 02 Dec 2017 09:24:59 +0000

tiff (4.0.8-6) unstable; urgency=high

  * Backport security fixes:
    - prevent OOM in gtTileContig() ,
    - prevent OOM in TIFFFetchStripThing() ,
    - CVE-2017-12944, OOM prevention in TIFFReadDirEntryArray()
      (closes: #872607),
    - avoid floating point division by zero in initCIELabConversion() .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 29 Oct 2017 13:29:44 +0000

tiff (4.0.8-5) unstable; urgency=high

  * Backport security fixes:
    - CVE-2017-13726, reachable assertion abort in TIFFWriteDirectorySec()
      (closes: #873880),
    - CVE-2017-13727, reachable assertion abort in
      TIFFWriteDirectoryTagSubifd() (closes: #873879).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 31 Aug 2017 21:09:59 +0000

tiff (4.0.8-4) unstable; urgency=high

  * Fix regression in the decoding of old-style LZW compressed files.
  * Fix CVE-2017-11335: heap based buffer write overflow in tiff2pdf
    (closes: #868513).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 16 Jul 2017 11:07:56 +0000

tiff (4.0.8-3) unstable; urgency=high

  * Backport security fixes:
    - CVE-2017-9936, memory leak in error code path of JBIGDecode()
      (closes: #866113),
    - prevent out of memory in gtTileContig() on corrupted files,
    - CVE-2017-10688, assertion failure in TIFFWriteDirectoryTagCheckedXXXX()
      (closes: #866611).
  * Add required _TIFFReadEncodedStripAndAllocBuffer@LIBTIFF_4.0 symbol to the
    libtiff5 package.
  * Update Standards-Version to 4.0.0 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 01 Jul 2017 18:13:15 +0000

tiff (4.0.8-2) unstable; urgency=high

  * Backport security fixes:
    - TIFFYCbCrToRGBInit(): stricter clamping to avoid int32 overflow in
      TIFFYCbCrtoRGB(),
    - initYCbCrConversion(): stricter validation for refBlackWhite
      coefficients values - to avoid invalid float->int32 conversion,
    - CVE-2016-10095 and CVE-2017-9147: add _TIFFCheckFieldIsValidForCodec()
      and use it in TIFFReadDirectory() (closes: #850316, #863185).
  * Add required _TIFFCheckFieldIsValidForCodec@LIBTIFF_4.0 symbol to the
    libtiff5 package.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 01 Jun 2017 17:56:08 +0000

tiff (4.0.8-1) unstable; urgency=high

  * New upstream release of merged security fixes.
  * Add required TIFFReadRGBAStripExt@LIBTIFF_4.0 and
    TIFFReadRGBATileExt@LIBTIFF_4.0 symbols to the libtiff5 package.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Wed, 24 May 2017 19:49:04 +0000

tiff (4.0.7-7) unstable; urgency=high

  * Backport security fix for CVE-2016-10371 (closes: #862929).
  * Backport security fix for CVE-2015-7554 (closes: #809066, #842043).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 20 May 2017 16:35:43 +0000

tiff (4.0.7-6) unstable; urgency=high

  * Backport security fixes:
    - CVE-2017-7595, divide-by-zero in JPEGSetupEncode (closes: #860003),
    - CVE-2017-7596, CVE-2017-7597, CVE-2017-7598,CVE-2017-7599 CVE-2017-7600,
      CVE-2017-7601 and CVE-2017-7602, multiple UBSAN crashes,
    - CVE-2017-7592, left-shift undefined behavior issue in putagreytile
      (closes: #859998),
    - CVE-2017-7593, unitialized-memory access from tif_rawdata
      (closes: #860000),
    - CVE-2017-7594, leak in OJPEGReadHeaderInfoSecTablesAcTable
      (closes: #860001).
  * Add required _TIFFcalloc@LIBTIFF_4.0 symbol to the libtiff5 package.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Fri, 14 Apr 2017 07:21:47 +0000

tiff (4.0.7-5) unstable; urgency=high

  * Fix CVE-2017-5225: heap buffer overflow via a crafted BitsPerSample value
    (closes: #851297).

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 15 Jan 2017 16:49:05 +0000

tiff (4.0.7-4) unstable; urgency=high

  * Fix CVE-2016-10094: heap-based overflow in t2p_readwrite_pdf_image_tile().

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 01 Jan 2017 19:03:49 +0000

tiff (4.0.7-3) unstable; urgency=medium

  * Backport upstream fix of TIFFFaxTabEnt structure.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Tue, 13 Dec 2016 19:02:25 +0000

tiff (4.0.7-2) unstable; urgency=high

  * Backport security fixes:
    - fix uint32 overflow in TIFFReadEncodedStrip() that caused an integer
      division by zero,
    - avoid uint32 underflow in cpDecodedStrips that can cause various
      issues, such as buffer overflows in the library,
    - fix heap-based buffer overflow on generation of PixarLog / LUV
      compressed files, with ColorMap, TransferFunction attached and nasty
      plays with bitspersample,
    - fix ChopUpSingleUncompressedStrip() in reading outside of the
      StripByCounts/StripOffsets arrays when using TIFFReadScanline()
      (closes: #846837),
    - make OJPEGDecode() early exit in case of failure in OJPEGPreDecode() to
      avoid a divide by zero, and potential other issues,
    - fix readContigStripsIntoBuffer() in -i (ignore) mode so that the
      output buffer is correctly incremented to avoid write outside bounds,
    - add 3 extra bytes at end of strip buffer in
      readSeparateStripsIntoBuffer() to avoid read outside of heap allocated
      buffer,
    - fix integer division by zero when BitsPerSample is missing
      (closes: #846838),
    - fix null pointer dereference in -r mode when the image has no
      StripByteCount tag,
    - avoid potential division by zero if BitsPerSamples tag is missing,
    - limit the return number of inks to SamplesPerPixel in
      TIFFGetField(, TIFFTAG_NUMBEROFINKS, ) , so that code that parses ink
      names doesn't go past the end of the buffer,
    - avoid another potential division by zero if BitsPerSamples tag is
      missing,
    - fix uint32 underflow/overflow that can cause heap-based buffer overflow,
    - replace assert( (bps % 8) == 0 ) by a non assert check.
  * Remove thumbnail and rgb2ycbcr documentations, these tools no longer
    present.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sun, 04 Dec 2016 12:24:44 +0000

tiff (4.0.7-1) unstable; urgency=high

  * New upstream release.
  * Fixes the following vulnerabilities:
    - CVE-2015-7313, OOM when parsing crafted tiff files (closes: #800124),
    - CVE-2016-3622, denial of service (divide-by-zero error) via
      the fpAcc function in tif_predict.c (closes: #820365),
    - CVE-2016-3945, multiple integer overflows in the tiff2rgba tool,
    - CVE-2016-3990, write buffer overflow in PixarLogEncode,
    - CVE-2016-3991 and CVE-2016-5322, heap-based buffer overflow in the
      loadImage function,
    - CVE-2016-9273, heap-buffer-overflow in cpStrips (closes: #844013),
    - CVE-2016-9297, segfault in _TIFFPrintField() (closes: #844226),
    - CVE-2016-9448, in TIFFFetchNormalTag(), do not dereference NULL pointer
      (regression of CVE-2016-9297),
    - heap buffer overflow via writeBufferToSeparateStrips() in tiffcrop.
  * Remove backported vulnerability fixes, this release contains those.
  * Update libtiff5 symbols.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 19 Nov 2016 18:05:24 +0000

tiff (4.0.6-3) unstable; urgency=high

  * Fix architecture independent only build (closes: #806118).
  * Fix CVE-2015-8668 , CVE-2016-3619 , CVE-2016-3620 (closes: #820363),
    CVE-2016-3621 (closes: #820364) and CVE-2016-5319 with removing bmp2tiff
    (closes: #820364).
  * Fix CVE-2016-3186 and CVE-2016-5102 with removing gif2tiff.
  * Fix CVE-2016-3631 (closes: #820366), CVE-2016-3632 , CVE-2016-3633 ,
    CVE-2016-3634 and CVE-2016-8331 with removing thumbnail.
  * Backport upstream fix for CVE-2016-3623 and CVE-2016-3624 .
  * Backport upstream fix for CVE-2016-5652 (closes: #842361).
  * Backport upstream fix for CVE-2016-3658 .
  * Removed vulnerable, unsupported tools (closes: #827484, #842046).
  * Comment out Vcs fields for now.

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Mon, 31 Oct 2016 15:56:56 +0000

tiff (4.0.6-2) unstable; urgency=high

  * Backport fix for the following vulnerabilities:
    - CVE-2016-5314, PixarLogDecode() heap-based buffer overflow
      (closes: #830700),
    - CVE-2016-5316, PixarLogCleanup() Segmentation fault,
    - CVE-2016-5320, rgb2ycbcr: command excution,
    - CVE-2016-5875, heap-based buffer overflow when using the PixarLog
      compression format,
    - CVE-2016-6223, information leak in libtiff/tif_read.c ,
    - CVE-2016-5321, DumpModeDecode(): Ddos,
    - CVE-2016-5323, tiffcrop _TIFFFax3fillruns(): NULL pointer dereference.
  * Be primary maintainer and keep Ondřej as uploader.
  * Update Standards-Version to 3.9.8 .

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Sat, 16 Jul 2016 11:45:21 +0000

tiff (4.0.6-1) unstable; urgency=high

  * New upstream release.
  * Backport upstream fixes for:
    - CVE-2015-8665 an out-of-bound read in TIFFRGBAImage interface,
    - CVE-2015-8683 an out-of-bounds read in CIE Lab image format.
  * Backport fix for potential out-of-bound writes in decode.
  * Backport fix for potential out-of-bound write in NeXTDecode().

 -- Laszlo Boszormenyi (GCS) <gcs@debian.org>  Thu, 31 Dec 2015 16:22:24 +0100

tiff (4.0.5-1) unstable; urgency=medium

  * Update László Böszörményi to Laszlo Boszormenyi (GCS)
  * Add Vcs URLs to debian/control
  * Imported Upstream version 4.0.5
  * Remove all patches - they have been merged upstream
  * Convert the package to pure debhelper and remove some legacy stuff

 -- Ondřej Surý <ondrej@debian.org>  Tue, 01 Sep 2015 13:10:55 +0200

tiff (4.0.3-13) unstable; urgency=medium

  * Thanks Jay for maintaining tiff for so long
  * Add me as a new maintainer, and add László Böszörményi to Uploaders
  * Cleanup debian a bit:
   - Run wrap-and-sortize -a)
   - Update d/copyright to Copyright Format 1.0
   - Remove files related to libtiff4->libtiff5 transition
  * Add C++ symbols file for libtiffxx5

 -- Ondřej Surý <ondrej@debian.org>  Tue, 05 May 2015 08:37:59 +0200

tiff (4.0.3-12.3) unstable; urgency=medium

  * Add another (final) patch for CVE-2014-8128 (Bug #2499). Thanks to
    Petr Gajdos

 -- Moritz Muehlenhoff <jmm@debian.org>  Mon, 23 Mar 2015 18:26:40 +0100

tiff (4.0.3-12.2) unstable; urgency=medium

  * Add another patch for CVE-2014-8128 (Bug #2501)

 -- Moritz Muehlenhoff <jmm@debian.org>  Fri, 13 Mar 2015 23:54:02 +0100

tiff (4.0.3-12.1) unstable; urgency=medium

  * NMU as discussed with Ondrej, the future adopter of tiff
  * Fix multiple security issues, exact details will be recorded in the
    Debian security tracker

 -- Moritz Muehlenhoff <jmm@debian.org>  Sat, 21 Feb 2015 13:06:08 +0100

tiff (4.0.3-12) unstable; urgency=high

  * Fix integer overflow in bmp2tiff. CVE-2014-9330. (Closes: #773987)

 -- Jay Berkenbilt <qjb@debian.org>  Tue, 30 Dec 2014 11:32:04 -0500

tiff (4.0.3-11) unstable; urgency=medium

  * Don't crash on JPEG => non-JPEG conversion (Closes: #741451)
  * Thanks Tomasz Buchert <tomasz.buchert@inria.fr> for preparing the fix!

 -- Jay Berkenbilt <qjb@debian.org>  Tue, 23 Dec 2014 15:51:40 -0500

tiff (4.0.3-10) unstable; urgency=medium

  * Remove libtiff4-dev, completing the tiff transition. Packages that
    still declare build dependencies on libtiff4-dev must now build depend
    on libtiff-dev instead, or if a versioned dependency is required,
    libtiff5-dev with a specific version.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 29 Jun 2014 17:32:18 -0400

tiff (4.0.3-9) unstable; urgency=medium

  * Fix for CVE-2013-4243 (validation for gif2tiff) from Red Hat. (Closes:
    #742917)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 21 Jun 2014 18:12:40 -0400

tiff (4.0.3-8) unstable; urgency=medium

  * Remove libtiff5-alt-dev transitional package now that no one is
    build-depending on it anymore.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 01 Mar 2014 09:36:51 -0500

tiff (4.0.3-7) unstable; urgency=medium

  * Use dh-autoreconf to support new architectures in Ubuntu.

 -- Jay Berkenbilt <qjb@debian.org>  Mon, 23 Dec 2013 09:58:47 -0500

tiff (4.0.3-6) unstable; urgency=low

  * Update standards to 3.9.5.  No changes required.
  * libtiff4 -> libtiff5 transition.  libtiff5-dev now provides
    libtiff-dev.  libtiff5-alt-dev and libtiff4-dev are transitional
    packages that depend on libtiff5-dev.  They will both be removed
    before jessie.

 -- Jay Berkenbilt <qjb@debian.org>  Wed, 04 Dec 2013 14:36:36 -0500

tiff (4.0.3-5) unstable; urgency=low

  * Replace shlibs file with symbols file
  * Update standards to 3.9.4

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 15 Sep 2013 08:31:41 -0400

tiff (4.0.3-4) unstable; urgency=low

  * Complete Multi-Arch conversion for dev packages.  (Closes: #689085)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 24 Aug 2013 11:50:20 -0400

tiff (4.0.3-3) unstable; urgency=high

  * Incorporated fixes to security issues CVE-2013-4244.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 24 Aug 2013 11:20:00 -0400

tiff (4.0.3-2) unstable; urgency=high

  * Incorporated fixes to security issues CVE-2013-4231, CVE-2013-4232.
    (Closes: #719303)

 -- Jay Berkenbilt <qjb@debian.org>  Thu, 22 Aug 2013 11:52:58 -0400

tiff (4.0.3-1) unstable; urgency=low

  * Acknowledge/incorporate NMU.  Thanks!
  * New upstream version.  Patches incorporated:
     CVE-2012-3401.patch
     CVE-2012-4447.patch
  * Add build dependency on autotools-dev to help porters.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 23 Jun 2013 10:39:04 -0400

tiff (4.0.2-6+nmu1) unstable; urgency=high

  * Non-maintainer upload by the Security Team.
  * Fix cve-2013-1960: heap-based buffer overlow in tiff2pdf
    (closes: #706675).
  * Fix cve-2013-1961: stack-based buffer overflow in tiff2pdf
    (closes: #706674).

 -- Michael Gilbert <mgilbert@debian.org>  Mon, 17 Jun 2013 01:27:17 +0000

tiff (4.0.2-6) unstable; urgency=high

  * Fix /usr/share/doc symlink to directory transition.  When upgrading
    from very old versions (pre 3.8.2-8), /usr/share/doc may contain
    symbolic links that should be removed.  (Closes: #687645)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 26 Jan 2013 12:28:19 -0500

tiff (4.0.2-5) unstable; urgency=high

  * Add fix for CVE-2012-4564, a heap-buffer overflow.  Thanks Adrian La
    Duca for doing all the work to prepare this upload.  (Closes: #692345)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 17 Nov 2012 12:40:25 -0500

tiff (4.0.2-4) unstable; urgency=high

  * Previous change was uploaded with the wrong CVE number.  I updated the
    last changelog entry.  The correct CVE number is CVE-2012-4447.

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 05 Oct 2012 17:33:44 -0400

tiff (4.0.2-3) unstable; urgency=high

  * Add fix for CVE-2012-4447, a buffer overrun.  (Closes: #688944)

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 05 Oct 2012 17:04:38 -0400

tiff (4.0.2-2) unstable; urgency=high

  * SECURITY UPDATE: possible arbitrary code execution via heap overflow
    in tiff2pdf.  (Closes: #682115)
    - debian/patches/CVE-2012-3401.patch: properly set t2p->t2p_error in
      tools/tiff2pdf.c.
    - CVE-2012-3401
    Changes prepared by Marc Deslauriers for Ubuntu.  Thanks!

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 21 Jul 2012 21:27:34 -0400

tiff (4.0.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 24 Jun 2012 13:45:42 -0400

tiff (4.0.1-8) unstable; urgency=low

  * Call glFlush() in tiffgt to fix display problems.  From
    https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/797166.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 16 Jun 2012 21:20:04 -0400

tiff (4.0.1-7) unstable; urgency=low

  * Add new temporary package libtiff5-alt-dev, which provides libtiff5
    development files in a location that doesn't conflict with
    libtiff4-dev.  See README.Debian for details.

 -- Jay Berkenbilt <qjb@debian.org>  Thu, 24 May 2012 15:24:36 -0400

tiff (4.0.1-6) unstable; urgency=low

  * Include pkg-config files

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 13 May 2012 12:53:38 -0400

tiff (4.0.1-5) unstable; urgency=low

  * Fix shlibs again.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 22 Apr 2012 11:41:44 -0400

tiff (4.0.1-4) unstable; urgency=low

  * Use >= instead of > in shlibs file.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 22 Apr 2012 10:57:02 -0400

tiff (4.0.1-3) unstable; urgency=low

  * Support JBIG now that patents have expired. (Closes: #667835)
  * Support LZMA.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 14 Apr 2012 19:03:04 -0400

tiff (4.0.1-2) unstable; urgency=high

  * Incorporated fix to CVE-2012-1173, a problem in the parsing of the
    TileSize entry, which could result in the execution of arbitrary code
    if a malformed image is opened.
  * Updated standards to 3.9.3

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 06 Apr 2012 10:10:48 -0400

tiff (4.0.1-1) unstable; urgency=low

  * New upstream release
  * Point watch file to new download location

 -- Jay Berkenbilt <qjb@debian.org>  Mon, 20 Feb 2012 09:43:54 -0500

tiff (4.0.0-2) experimental; urgency=low

  * Rename libtiff-dev -> libtiff5-dev to avoid premature transition for
    packages that explicitly depend on libtiff-dev.  At some future time,
    libtiff5-dev will provide or be renamed back to libtiff-dev.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 04 Feb 2012 09:41:19 -0500

tiff (4.0.0-1) experimental; urgency=low

  * New upstream release
  * Enable versioned symbols

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 28 Jan 2012 10:56:23 -0500

tiff (4.0.0~beta7-2) experimental; urgency=low

  * Incorporated changes from 3.9.5-2: security hardening and multiarch

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 17 Sep 2011 10:28:53 -0400

tiff (4.0.0~beta7-1) experimental; urgency=low

  * New upstream release including many security fixes and other
    improvements
  * Updated changelog with changes from 3.x series.
  * Updated standards version to 3.9.2.  No changes required.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 16 Apr 2011 13:45:33 -0400

tiff (4.0.0~beta6-3) experimental; urgency=low

  * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
    putcontig8bitYCbCr11tile", from 3.9.4-4.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 02 Oct 2010 13:31:41 -0400

tiff (4.0.0~beta6-2) experimental; urgency=low

  * Incorporate changes from 3.9.4-{2,3} including updating standards
    version to 3.9.1 along with associated fixes.  (CVE-2010-2233 was
    already fixed in this version.)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 14 Aug 2010 16:36:44 -0400

tiff (4.0.0~beta6-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 18 Jun 2010 21:42:57 -0400

tiff (4.0.0~beta5-2) experimental; urgency=low

  * Depend on libjpeg-dev instead of libjpeg62-dev.
  * Change source format to '3.0 (quilt)'
  * Update standards version to 3.8.4.  No changes required.

 -- Jay Berkenbilt <qjb@debian.org>  Wed, 10 Feb 2010 19:36:43 -0500

tiff (4.0.0~beta5-1) experimental; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 06 Nov 2009 22:58:07 -0500

tiff (4.0.0~beta4-1) experimental; urgency=low

  * New upstream release.  All debian patches incorporated among many
    other fixes and enhancements.

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 28 Aug 2009 11:30:09 -0400

tiff (4.0.0~beta3-2) experimental; urgency=low

  * Fixed previously incorrect patch to lzw problem.

 -- Jay Berkenbilt <qjb@debian.org>  Mon, 24 Aug 2009 14:45:10 -0400

tiff (4.0.0~beta3-1) experimental; urgency=low

  * New upstream release.  This version is not binary compatible with the
    3.x series, nor is it entirely source compatible, but most
    applications should port easily.

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 21 Aug 2009 13:39:37 -0400

tiff (3.9.5-2) unstable; urgency=low

  * Implemented mulitarch and and PIE build for security hardening by
    integrating the changes from the Ubuntu tiff packages.  Thanks to Marc
    Deslauriers and anyone else who did the actual work.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 17 Sep 2011 10:15:39 -0400

tiff (3.9.5-1) unstable; urgency=low

  * New upstream release.  All security patches are fully incorporated
    into this version, as are many other bug fixes.
  * Updated standards version to 3.9.2.  No changes needed.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 16 Apr 2011 13:15:51 -0400

tiff (3.9.4-9) unstable; urgency=high

  * CVE-2011-1167: correct potential buffer overflow with thunder encoded
    files with wrong bitspersample set.  (Closes: #619614)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 02 Apr 2011 10:59:38 -0400

tiff (3.9.4-8) unstable; urgency=low

  * Enable PIE (position independent executable) build for security
    hardening.  Patch from Ubuntu.  (Closes: #613759)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 19 Mar 2011 10:22:32 -0400

tiff (3.9.4-7) unstable; urgency=high

  * Incorporate revised fix to CVE-2011-0192.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 13 Mar 2011 14:33:38 -0400

tiff (3.9.4-6) unstable; urgency=high

  * Incorporated fix to CVE-2011-0192, "Buffer overflow in Fax4Decode".

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 26 Feb 2011 18:44:23 -0500

tiff (3.9.4-5) unstable; urgency=high

  * Incorporated fix to CVE-2010-3087, a potential denial of service
    exploitable with a specially crafted TIFF file.  (Closes: #600188)

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 17 Oct 2010 16:44:08 -0400

tiff (3.9.4-4) unstable; urgency=high

  * Incorporated fix to CVE-2010-2483, "fix crash on OOB reads in
    putcontig8bitYCbCr11tile".  (Closes: #595064)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 02 Oct 2010 13:17:12 -0400

tiff (3.9.4-3) unstable; urgency=low

  * Updated control file to remove obsolete Conflicts/Replaces for ancient
    packages.
  * Empty dependency_libs in all .la files as part of the .la file.  This
    also resolves the problem of having hard-coded paths in the .la file.
    (Closes: #509016)
  * Updated standards version to 3.9.1.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 14 Aug 2010 16:28:49 -0400

tiff (3.9.4-2) unstable; urgency=high

  * Incorporated patch to fix CVE-2010-2233, which fixes a specific
    failure of tif_getimage on 64-bit platforms.

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 13 Aug 2010 20:16:29 -0400

tiff (3.9.4-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 18 Jun 2010 21:28:11 -0400

tiff (3.9.2-3) unstable; urgency=low

  * Depend on libjpeg-dev instead of libjpeg62-dev.  (Closes: #569242)
  * Change source format to '3.0 (quilt)'
  * Update standards version to 3.8.4.  No changes required.

 -- Jay Berkenbilt <qjb@debian.org>  Wed, 10 Feb 2010 19:20:20 -0500

tiff (3.9.2-2) unstable; urgency=low

  * Include patch from upstream to fix problems with TIFFReadScanline()
    and ycbcr-encoded JPEG images.  (Closes: #510792)
  * Fix some manual page spelling errors found by lintian.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 10 Jan 2010 10:56:32 -0500

tiff (3.9.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 06 Nov 2009 22:52:06 -0500

tiff (3.9.1-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 28 Aug 2009 15:44:23 -0400

tiff (3.9.0-2) unstable; urgency=low

  * Fix critical bug that could cause corrupt files to be written in some
    cases.  (Closes: #543079)

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 28 Aug 2009 13:38:03 -0400

tiff (3.9.0-1) unstable; urgency=low

  * New upstream release.  All previous security patches have been
    integrated.

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 21 Aug 2009 11:40:49 -0400

tiff (3.9.0beta+deb1-1) experimental; urgency=low

  * New upstream release (binary compatible with 3.8.2) -- release based
    on 3.9 branch from upstream CVS; see README.Debian for details.
    (Closes: #537118)
  * Updated standards to 3.8.3; no changes required.
  * Stopped using tarball in tarball packaging.  (Closes: #538565)

 -- Jay Berkenbilt <qjb@debian.org>  Wed, 19 Aug 2009 20:33:10 -0400

tiff (3.8.2-13) unstable; urgency=high

  * Apply patches to fix CVE-2009-2347, which covers two integer overflow
    conditions.
  * LZW patch from last update addressed CVE-2009-2285.  Renamed the patch
    to make this clearer.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 12 Jul 2009 18:03:33 -0400

tiff (3.8.2-12) unstable; urgency=low

  * Apply patch to fix crash in lzw decoder that can be caused by certain
    invalid image files.  (Closes: #534137)
  * No longer ignore errors in preinst
  * Fixed new lintian warnings; updated standards version to 3.8.2.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 28 Jun 2009 13:17:44 -0400

tiff (3.8.2-11) unstable; urgency=high

  * Apply security patches (CVE-2008-2327)
  * Convert patch system to quilt
  * Create README.source
  * Set standards version to 3.8.0

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 17 Aug 2008 13:16:37 -0400

tiff (3.8.2-10+lenny1) testing-security; urgency=high

  * Apply patches from Drew Yao of Apple Product Security to fix
    CVE-2008-2327, a potential buffer underflow in the LZW decoder
    (tif_lzw.c).

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 17 Aug 2008 11:56:01 -0400

tiff (3.8.2-10) unstable; urgency=low

  * Fix segmentation fault on subsequent parts of a file with an invalid
    directory tag.  (Closes: #475489)

 -- Jay Berkenbilt <qjb@debian.org>  Mon, 09 Jun 2008 11:02:53 -0400

tiff (3.8.2-9) unstable; urgency=low

  * Backported tiff2pdf from 4.0.0 beta 2.  This fixes many tiff2pdf bugs,
    though unfortunately none of the ones opened in the debian bug
    database!
  * Added upstream homepage to debian control file.

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 07 Jun 2008 22:52:27 -0400

tiff (3.8.2-8) unstable; urgency=low

  * Accepted tmpfile patch tiff2pdf to fix bug that has been fixed
    upstream since upstream release appears stalled.  Thanks Jesse Long.
    (Closes: #419773)
  * Update standards version to 3.7.3; no changes required.
  * ${Source-Version} -> ${binary:Version} in control
  * Split documentation into separate libtiff-doc package.  (Closes:
    #472189)

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 22 Mar 2008 12:30:38 -0400

tiff (3.8.2-7+etch1) stable-security; urgency=high

  * Apply patches from Drew Yao of Apple Product Security to fix
    CVE-2008-2327, a potential buffer underflow in the LZW decoder
    (tif_lzw.c).

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 17 Aug 2008 11:56:01 -0400

tiff (3.8.2-7) unstable; urgency=high

  * Replace empty directories in /usr/share/doc with links during package
    upgrade.  (Closes: #404631)

 -- Jay Berkenbilt <qjb@debian.org>  Tue,  2 Jan 2007 15:50:50 -0500

tiff (3.8.2-6) unstable; urgency=high

  * Add watch file
  * Tavis Ormandy of the Google Security Team discovered several problems
    in the TIFF library.  The Common Vulnerabilities and Exposures project
    identifies the following issues:
     - CVE-2006-3459: a stack buffer overflow via TIFFFetchShortPair() in
       tif_dirread.c
     - CVE-2006-3460: A heap overflow vulnerability was discovered in the
       jpeg decoder
     - CVE-2006-3461: A heap overflow exists in the PixarLog decoder
     - CVE-2006-3462: The NeXT RLE decoder was also vulnerable to a heap
       overflow
     - CVE-2006-3463: An infinite loop was discovered in
       EstimateStripByteCounts()
     - CVE-2006-3464: Multiple unchecked arithmetic operations were
       uncovered, including a number of the range checking operations
       deisgned to ensure the offsets specified in tiff directories are
       legitimate.
     - A number of codepaths were uncovered where assertions did not hold
       true, resulting in the client application calling abort()
     - CVE-2006-3465: A flaw was also uncovered in libtiffs custom tag
       support

 -- Jay Berkenbilt <qjb@debian.org>  Mon, 31 Jul 2006 18:14:59 -0400

tiff (3.8.2-5) unstable; urgency=low

  * Fix logic error that caused -q flag to be ignored when doing jpeg
    compression with tiff2pdf.  (Closes: #373102)

 -- Jay Berkenbilt <qjb@debian.org>  Mon, 19 Jun 2006 18:55:38 -0400

tiff (3.8.2-4) unstable; urgency=high

  * SECURITY UPDATE: Arbitrary command execution with crafted TIF files.
    Thanks to Martin Pitt.  (Closes: #371064)
  * Add debian/patches/tiff2pdf-octal-printf.patch:
    - tools/tiff2pdf.c: Fix buffer overflow due to wrong printf for octal
      signed char (it printed a signed integer, which overflew the buffer and
      was wrong anyway).
    - CVE-2006-2193

 -- Jay Berkenbilt <qjb@debian.org>  Wed,  7 Jun 2006 17:52:12 -0400

tiff (3.8.2-3) unstable; urgency=high

  * SECURITY UPDATE: Arbitrary command execution with crafted long file
    names.  Thanks to Martin Pitt for forwarding this.
    Add debian/patches/tiffsplit-fname-overflow.patch:
    - tools/tiffsplit.c: Use snprintf instead of strcpy for copying the
      user-specified file name into a statically sized buffer.
    CVE-2006-2656.  (Closes: #369819)
  * Update standards version to 3.7.2.  No changes required.
  * Moved doc-base information to libtiff4 instead of libtiff4-dev.

 -- Jay Berkenbilt <qjb@debian.org>  Thu,  1 Jun 2006 21:24:21 -0400

tiff (3.8.2-2) unstable; urgency=low

  * Fix build dependencies to get OpenGL utility libraries after new Xorg
    packaging.  (Closes: #365722)
  * Updated standards version to 3.7.0; no changes required to package.

 -- Jay Berkenbilt <qjb@debian.org>  Tue,  2 May 2006 10:10:45 -0400

tiff (3.8.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Tue, 28 Mar 2006 21:42:33 -0500

tiff (3.8.0-3) unstable; urgency=low

  * Switched build dependency from xlibmesa-gl-dev to libgl1-mesa-dev
    (incorporating Ubunutu patch)
  * Incorporated patch from upstream to fix handling of RGBA tiffs in
    tiff2pdf.  (Closes: #352849)

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 26 Feb 2006 13:21:17 -0500

tiff (3.8.0-2) unstable; urgency=low

  * Applied fixes from upstream to address a memory access violation
    [CVE-2006-0405].  (Closes: #350715, #351223)

 -- Jay Berkenbilt <qjb@debian.org>  Fri,  3 Feb 2006 21:48:39 -0500

tiff (3.8.0-1) unstable; urgency=low

  * New upstream release.  (Closes: #349921)
  * NOTE: The debian version of 3.8.0 includes a patch to correct a binary
    incompatibility in the original 3.8.0 release.  This libtiff package
    is binary compatible with 3.7.4 and will be binary compatible with the
    upcoming 3.8.1 release.

 -- Jay Berkenbilt <qjb@debian.org>  Fri, 27 Jan 2006 21:38:58 -0500

tiff (3.7.4-1) unstable; urgency=low

  * New upstream release
  * Fix typos in manual page (Closes: #327921, #327922, #327923, #327924)

 -- Jay Berkenbilt <qjb@debian.org>  Fri,  7 Oct 2005 10:25:49 -0400

tiff (3.7.3-1) unstable; urgency=low

  * New upstream release
  * g++ 4.0 transition: libtiffxx0 is now libtiffxx0c2.

 -- Jay Berkenbilt <qjb@debian.org>  Sat,  9 Jul 2005 12:00:44 -0400

tiff (3.7.2-3) unstable; urgency=high

  * Fix for exploitable segmentation fault on files with bad BitsPerSample
    values.  (Closes: #309739)
    [libtiff/tif_dirread.c, CAN-2005-1544]
    Thanks to Martin Pitt for the report.

 -- Jay Berkenbilt <qjb@debian.org>  Thu, 19 May 2005 05:41:28 -0400

tiff (3.7.2-2) unstable; urgency=high

  * Fix zero pagesize bug with tiff2ps -a2 and tiff2ps -a3.  Thanks to
    Patrice Fournier for the patch.  (Closes: #303583)
  * Note: uploading with urgency=high since this very small fix impacts
    tools only (not the library), and we don't want to block tiff's many
    reverse dependencies from transitioning to sarge.

 -- Jay Berkenbilt <qjb@debian.org>  Sun, 10 Apr 2005 10:12:37 -0400

tiff (3.7.2-1) unstable; urgency=low

  * New upstream release

 -- Jay Berkenbilt <qjb@debian.org>  Sat, 19 Mar 2005 14:51:06 -0500

tiff (3.7.1-4) unstable; urgency=low

  * Fix from upstream: include a better workaround for tiff files with
    invalid strip byte counts.  (Closes: #183268)

 -- Jay Berkenbilt <qjb@debian.org>  Tue, 22 Feb 2005 19:20:14 -0500

tiff (3.7.1-3) unstable; urgency=low

  * Disable C++ new experimental interfaces for now; will reappear in a
    future version in the separate libtiffxx0 package.

 -- Jay Berkenbilt <ejb@ql.org>  Sat, 29 Jan 2005 13:32:37 -0500

tiff (3.7.1+pre3.7.2-1) experimental; urgency=low

  * New upstream release
  * Separate experimental C++ interface into separate libtiffxx library.

 -- Jay Berkenbilt <ejb@ql.org>  Sat, 29 Jan 2005 13:03:19 -0500

tiff (3.7.1-2) unstable; urgency=low

  * Make -dev package depend upon other -dev packages referenced in the
    .la file created by libtool.  (Closes: #291136)
  * tiff2ps: Allow one of -w and -h without the other.  (Closes: #244247)

 -- Jay Berkenbilt <ejb@ql.org>  Wed, 19 Jan 2005 10:45:00 -0500

tiff (3.7.1-1) unstable; urgency=low

  * New upstream release
  * Correct error in doc-base file (Closes: #285652)

 -- Jay Berkenbilt <ejb@ql.org>  Wed,  5 Jan 2005 16:54:12 -0500

tiff (3.7.0-2) experimental; urgency=low

  * Replace hard-coded libc6-dev dependency with something friendlier to
    porters (libc6-dev | libc-dev).  (Closes: #179727)
  * Fixed upstream: proper netbsdelf*-gnu support in configure.  Actually
    fixed in 3.7.0-1 but left out of changelog.  (Closes: #179728)
  * Include opengl support; adds new libtiff-opengl package. (Closes: #219456)
  * Fixed upstream: fax2ps now allows access to first page. (Closes: #244251)

 -- Jay Berkenbilt <ejb@ql.org>  Sat, 11 Dec 2004 09:51:52 -0500

tiff (3.7.0-1) experimental; urgency=low

  * New upstream release (Closes: #276996)
  * New maintainer (Thanks Joy!)
  * Repackage using cdbs and simple-patchsys to fix some errors and
    simplify patch management
  * Fixed upstream: tiff2pdf ignores -z and -j (Closes: #280682)
  * Fixed upstream: Memory leak in TIFFClientOpen (Closes: #256657)

 -- Jay Berkenbilt <ejb@ql.org>  Fri, 26 Nov 2004 13:50:13 -0500

tiff (3.6.1-5) unstable; urgency=high

  * New maintainer (thanks Joy!)
  * Applied patch by Dmitry V. Levin to fix a segmentation fault
    [tools/tiffdump.c, CAN-2004-1183]
    Thanks to Martin Schulze for forwarding the patch.
  * Fixed section of -dev package (devel -> libdevel)

 -- Jay Berkenbilt <ejb@ql.org>  Wed,  5 Jan 2005 16:27:26 -0500

tiff (3.6.1-4) unstable; urgency=high

  * Fix heap overflow security bug [CAN-2004-1308].  (Closes: #286815)

 -- Jay Berkenbilt <ejb@ql.org>  Wed, 22 Dec 2004 10:20:52 -0500

tiff (3.6.1-3) unstable; urgency=medium

  * Patches from upstream to fix zero-size tile and integer overflow
    problems created by previous security patches, closes: #276783.
  * Added Jay Berkenbilt as co-maintainer. Jay thanks Joy for letting him
    help and eventually take over maintenance of these packages!

 -- Josip Rodin <joy-packages@debian.org>  Mon, 01 Nov 2004 12:28:27 +0100

tiff (3.6.1-2) unstable; urgency=low

  * Included security fixes for:
    + CAN-2004-0803
      - libtiff/tif_luv.c
      - libtiff/tif_next.c
      - libtiff/tif_thunder.c
    + CAN-2004-0804 (but this one is already applied upstream, it seems)
      - libtiff/tif_dirread.c
    + CAN-2004-0886
      - libtiff/tif_aux.c
      - libtiff/tif_compress.c
      - libtiff/tif_dir.c
      - libtiff/tif_dirinfo.c
      - libtiff/tif_dirread.c
      - libtiff/tif_dirwrite.c
      - libtiff/tif_extension.c
      - libtiff/tif_fax3.c
      - libtiff/tiffiop.h
      - libtiff/tif_getimage.c
      - libtiff/tif_luv.c
      - libtiff/tif_pixarlog.c
      - libtiff/tif_strip.c
      - libtiff/tif_tile.c
      - libtiff/tif_write.c
    Thanks to Martin Schulze for forwarding the patches.

 -- Josip Rodin <joy-packages@debian.org>  Thu, 14 Oct 2004 16:13:11 +0200

tiff (3.6.1-1.1) unstable; urgency=medium

  * Non-maintainer upload; thanks to Jay Berkenbilt <ejb@ql.org> for
    preparing the patches
  * Rename shared library and development packages to resolve accidental
    upstream ABI change.  Closes: #236247
  * Include patch from upstream to fix multistrip g3 fax bug.
    Closes: #243405
  * Include LZW support.  Closes: #260242, #248490
  * Fix URL in copyright file.  Closes: #261357
  * Install missing documentation files.  Closes: #261356

 -- Steve Langasek <vorlon@debian.org>  Sun, 25 Jul 2004 10:28:06 -0400

tiff (3.6.1-1) unstable; urgency=low

  * New upstream version, closes: #231977.
  * Slightly fixed up the static lib build rules so that the build process
    does the normal stuff for the dynamic lib and then does the static with
    the same tiffvers.h.

 -- Josip Rodin <joy-packages@debian.org>  Mon, 23 Feb 2004 18:23:34 +0100

tiff (3.5.7-2) unstable; urgency=high

  * Added back the patch that used -src static/libtiff.a in the install
    rule. Wonder how that disappeared... closes: #170914.
  * Fake it's a GNU system in order for the configure script to use our
    toolchain stuff on the NetBSD port, thanks to Joel Baker, closes: #130636.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Tue, 10 Dec 2002 17:18:28 +0100

tiff (3.5.7-1) unstable; urgency=low

  * New upstream version, closes: #144940.
  * A whole new set of patches for the breakage in the build system :)

 -- Josip Rodin <jrodin@jagor.srce.hr>  Sun,  6 Oct 2002 22:54:08 +0200

tiff (3.5.5-6) unstable; urgency=low

  * It appears that the general 64-bit detection code, isn't.
    We have to include all of those three conditions, feh.
    This really closes: #106706.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Wed,  8 Aug 2001 23:09:55 +0200

tiff (3.5.5-5) unstable; urgency=low

  * Changed two Alpha/Mips-isms into general 64-bit detection code,
    patch from John Daily <jdaily@progeny.com>, closes: #106706.
  * Patched man/Makefile.in to generate a manual page file for
    TIFFClientOpen(3t), as a .so link to TIFFOpen(3t), closes: #99577.
  * Used /usr/share/doc in the doc-base file, closes: #74122.
  * Changed libtiff3g-dev's section back to devel, since graphics was,
    according to elmo, "hysterical raisins". :))

 -- Josip Rodin <jrodin@jagor.srce.hr>  Fri, 27 Jul 2001 01:43:04 +0200

tiff (3.5.5-4) unstable; urgency=low

  * Updated config.* files, closes: #94696.
  * Fixed libtiff3g-dev's section, closes: #85533.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Wed, 20 Jun 2001 18:29:24 +0200

tiff (3.5.5-3) unstable; urgency=low

  * Build shared library on Hurd, too, closes: #72482.
  * Upped Standards-Version to 3.5.0.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Sat, 30 Sep 2000 17:42:13 +0200

tiff (3.5.5-2) unstable; urgency=low

  * Make `dynamic shared object' on Linux unconditionally, fixes the problem
    with libc.so.6.1 on alpha, thanks Chris C. Chimelis.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Wed, 13 Sep 2000 21:44:00 +0200

tiff (3.5.5-1) unstable; urgency=low

  * New upstream version.
  * The upstream build system sucks. There, I said it. Back to work now. :)
  * Added a build dependencies on make (>= 3.77) (closes: #67747) and
    debhelper.
  * Standards-Version: 3.2.1:
    + added DEB_BUILD_OPTIONS checks in debian/rules

 -- Josip Rodin <jrodin@jagor.srce.hr>  Tue, 29 Aug 2000 14:06:02 +0200

tiff (3.5.4-5) frozen unstable; urgency=low

  * Fixed 16-bit/32-bit values bug in fax2ps from libtiff-tools, that
    also breaks printing from hylafax, using provided oneliner patch
    from Bernd Herd (accepted upstream), closes: #49232 and probably #62235.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Mon, 27 Mar 2000 17:12:10 +0200

tiff (3.5.4-4) frozen unstable; urgency=low

  * Weird dpkg-shlibdeps from dpkg 1.6.8-pre has done it again, this time
    with libz.so, making the packages depend on zlib1 (instead of zlib1g).
    Closes: #56134, #56137, #56140, #56155.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Tue, 25 Jan 2000 18:05:28 +0100

tiff (3.5.4-3) frozen unstable; urgency=low

  * Included libtiff.so file in libtiff3g-dev, dammit :( My eye hurts,
    a lot, but this was easy to fix, thank goodness :) (closes: #55814).
    This bugfix deserves to get into frozen because the bug cripples
    libtiff3g-dev, a lot.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Fri, 21 Jan 2000 19:02:22 +0100

tiff (3.5.4-2) unstable; urgency=low

  * Fixed upstream build system to use ${DESTDIR}, and with that working,
    created install: rule in debian/rules and used it.
  * Fixed the way rules file gets the version from upstream sources,
    and fixed dist/tiff.alpha, it didn't work.
  * Removed README file from libtiff3g binary package, useless.
  * Fixed configure script not to emit the wrong warning about
    zlib/jpeg dirs not specified (they're in /usr/include, stupid :).

 -- Josip Rodin <jrodin@jagor.srce.hr>  Thu, 30 Dec 1999 01:17:32 +0100

tiff (3.5.4-1) unstable; urgency=low

  * New upstream version, closes: #50338.
  * Disabled libc5 build, it wouldn't compile. :(

 -- Josip Rodin <jrodin@jagor.srce.hr>  Fri,  3 Dec 1999 20:49:25 +0100

tiff (3.5.2-4) unstable; urgency=low

  * Castrated the rules file, to make it actually work on !(i386 m68k).
    Closes: #49316.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Sat,  6 Nov 1999 13:22:54 +0100

tiff (3.5.2-3) unstable; urgency=low

  * Removed sparc from the libtiff3 arches list, as BenC advised.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Fri, 29 Oct 1999 23:29:23 +0200

tiff (3.5.2-2) unstable; urgency=low

  * Changed Architecture: line for libtiff3 from "any" to "i386 m68k sparc"
    as it is actually only built on those. Changed description a little bit.
  * Minor fixes to the rules file.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Thu, 28 Oct 1999 14:00:02 +0200

tiff (3.5.2-1) unstable; urgency=low

  * New upstream version.
  * Renamed source package to just "tiff", like upstream tarball name.
  * New maintainer (thanks Guy!). Renewed packaging, with debhelper,
    using Joey's nifty multi2 example, with several adjustments.
  * Ditched libtiff3-altdev, nobody's using that and nobody should be
    using that. Packaging for it still exists, it's just commented out.
  * Uses doc-base for -dev docs now. Uncompressed HTML docs, 100kb space
    saved is pointless when you can't use any links between documents.

 -- Josip Rodin <jrodin@jagor.srce.hr>  Tue, 26 Oct 1999 16:20:46 +0200

libtiff3 (3.4beta037-8) unstable; urgency=low

  * Argh, same bug in the prerm, closes: #36990, #36850, #36855,
    #36866, #36988.

 -- Guy Maor <maor@debian.org>  Sat,  1 May 1999 10:12:23 -0700

libtiff3 (3.4beta037-7) unstable; urgency=low

  * Don't error when dhelp is not installed, closes: #36879, #36922.

 -- Guy Maor <maor@debian.org>  Thu, 29 Apr 1999 19:17:55 -0700

libtiff3 (3.4beta037-6) unstable; urgency=low

  * Only build libc5 packages on appropriate archs, closes: #27083, #32007.
  * Apply NMU patch, closes: #26413, #26887.
  * Add dhelp support, closes: #35154.
  * Recompile removes invalid dependency, closes: #30961.

 -- Guy Maor <maor@debian.org>  Sat, 24 Apr 1999 15:17:51 -0700

libtiff3 (3.4beta037-5.1) frozen unstable; urgency=low

  * NMU to not use install -s to strip static .a libraries. Fixes: #26413
  * Build with recent libjpeg. Fixes: #26887
  * Add Section: and Priority: headers to debian/control.

 -- Ben Gertzfield <che@debian.org>  Mon, 26 Oct 1998 22:44:33 -0800

libtiff3 (3.4beta037-5) unstable; urgency=low

  * Explicit link with -lm (and don't need -lc now), fixes: #19167, #22180.

 -- Guy Maor <maor@ece.utexas.edu>  Tue, 11 Aug 1998 22:27:56 -0700

libtiff3 (3.4beta037-4) unstable; urgency=low

  * libtiff3-tools conflicts & replaces with libtiff3-gif (13521,15107).

 -- Guy Maor <maor@ece.utexas.edu>  Sun, 11 Jan 1998 13:09:28 -0800

libtiff3 (3.4beta037-3) unstable; urgency=low

  * New libjpegg contains shlibs file, so don't need shlibs.local.
  * Compile with -D_REENTRANT.
  * Add shlibs for libtiff3g (13423).

 -- Guy Maor <maor@ece.utexas.edu>  Sat, 27 Sep 1997 13:17:45 -0500

libtiff3 (3.4beta037-2) unstable; urgency=low

  * Add libjpegg6a to shlibs.local to correct for broken dependency.

 -- Guy Maor <maor@ece.utexas.edu>  Fri, 26 Sep 1997 11:23:55 -0500

libtiff3 (3.4beta037-1) unstable; urgency=low

  * New upstream version, libc6 compile, policy 2.3.0.0 (5136, 7470, 7627, 8166
    8312, 9479, 9492, 9531, 11700, 11702).
  * Fix check for shared lib support (10805).

 -- Guy Maor <maor@ece.utexas.edu>  Tue, 23 Sep 1997 16:55:56 -0500
