tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318

To: team@security.debian.org, debian-lts@lists.debian.org
Subject: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318
From: Brian May <bam@debian.org>
Date: Wed, 14 Sep 2016 08:26:06 +1000
Message-id: <[🔎] 87bmzro2rl.fsf@prune.linuxpenguins.xyz>

CVE-2015-7554 / http://bugzilla.maptools.org/show_bug.cgi?id=2564

Duplicate:

CVE-2016-5318 / http://bugzilla.maptools.org/show_bug.cgi?id=2561

What would be considered an acceptable fix here? It looks like a proper
fix is not available without changing the API due to limitations in the
stdarg.h API. Plus IMHO the TIFFGetField API looks badly designed and
prone to error considering these known limitations.

As far as I am aware there doesn't appear to be any upstream fix.

There is a fix for the tiffsplit client program:

http://bugzilla.maptools.org/show_bug.cgi?id=2564#c2

Is it worth trying to fix tiffsplit (like Redhat), and maybe somehow
documenting somewhere (e.g. the DSA/DLA) that the scope of the fix is
restricted?

(I am assuming nothing has been done with this as there is no
information in the security-tracker).

Regards
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: wheezy update for libav
Next by Date: Re: Questions regarding MySQL update
Previous by thread: Solicitud de Información
Next by thread: Re: tiff / tiff3 / CVE-2015-7554 / CVE-2016-5318
Index(es):
- Date
- Thread