[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: possible regressing in tiff4/libtiff3 update (deb7u1)


Am 27.01.2017 um 11:28 schrieb Raphael Hertzog:
> On Thu, 26 Jan 2017, Raphael Hertzog wrote:
>> This code thus assumes that the list ok known tags only contains a single
>> tag per unique fip->field_bit and this is no no longer the case with
>> the patches we added:
>> - CVE-2014-8128-5-fixed.patch
>> - CVE-2016-5318_CVE-2015-7554.patch
>> I guess we have no other choice than to drop all CODEC-specific tags
>> from the global list of tags... and thus reopen the above CVE, at
>> least in part.
> In fact, I opted to add logic that filters out the non-relevant tags.
> Matthias, can you try
> https://people.debian.org/~hertzog/packages/libtiff4_3.9.6-11+deb7u3_amd64.deb
> and report back if it works for you ? Please check that there are no other
> regressions as well.
> The full upload is available:
> $ dget https://people.debian.org/~hertzog/packages/tiff3_3.9.6-11+deb7u3_amd64.changes

I took your patched libtiff4 and tested several images and compression
schemes using ImageMagick and GraphicsMagick in a wheezy chroot without
any problems. I have not encountered any unexpected error messages or
any corrupted images.

> The debdiff is attached for review by other contributors.
> If we are satisfied by this fix, then we should do something similar on
> source package tiff 4.x (which provides libtiff5 4.x).


Reply to: