
Re: tiff and CVE-2016-10095



On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> Hi Moritz,
> I'm trying to figure out the reasoning for @51764. This marks tiff as
> affected by CVE-2016-10095. However from the upstream bug and the
> changes we made in wheezy it looks like the changes we made already are
> sufficient to fix the issue. Do you have a hint why you think this is
> not the case?

CVE-2016-10095 is the generic fix for the API. I'm not sure why that received 
a CVE ID, since it's not a vulnerability per se (which are in the call sites),
but it's not worth arguing and providing that in jessie might be useful for
building custom tools still.

Cheers,
        Moritz

