Re: tiff and CVE-2016-10095
On Fri, Jun 02, 2017 at 11:02:06AM +0200, Moritz Muehlenhoff wrote:
> On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> > Hi Moritz,
> > I'm trying to figure out the reasoning for @51764. This marks tiff as
> > affected by CVE-2016-10095. However from the upstream bug and the
> > changes we made in wheezy it looks like the changes we made already are
> > sufficient to fix the issue. Do you have a hint why you think this is
> > not the case?
>
> CVE-2016-10095 is the generic fix for the API. I'm not sure why that received
> a CVE ID, since it's not a vulnerability per se (which are in the call sites),
> but it's not worth arguing and providing that in jessie might be useful for
> building custom tools still.
But then again the fix for this should be in Wheezy already as far as I
can tell. Raphael (since you provided the upstream patches for this), can
you confirm?
Cheers,
-- Guido