[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

CVE-2015-7554 / http://bugzilla.maptools.org/show_bug.cgi?id=2564


CVE-2016-5318 / http://bugzilla.maptools.org/show_bug.cgi?id=2561

What would be considered an acceptable fix here? It looks like a proper
fix is not available without changing the API due to limitations in the
stdarg.h API. Plus IMHO the TIFFGetField API looks badly designed and
prone to error considering these known limitations.

As far as I am aware there doesn't appear to be any upstream fix.

There is a fix for the tiffsplit client program:


Is it worth trying to fix tiffsplit (like Redhat), and maybe somehow
documenting somewhere (e.g. the DSA/DLA) that the scope of the fix is

(I am assuming nothing has been done with this as there is no
information in the security-tracker).

Brian May <bam@debian.org>

Reply to: