Re: tiff and CVE-2016-10095
Hi,
On Fri, 02 Jun 2017, Guido Günther wrote:
> > but it's not worth arguing and providing that in jessie might be useful for
> > building custom tools still.
>
> But then again the fix for this should be in Wheezy already as far as I
> can tell. Raphael (since you provided the upstream patches for this), can
> you confirm?
I looked quickly at the upstream patch that got added. While it's based
on some of my code, the approach retained by upstream is really different
to what I did.
The real fix for most CVEs for me was to add CODEC-specific tags to the
global table so that they are known and treated correctly
(0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch). The
_TIFFCheckFieldIsValidForCodec() function that I added was used to filter
out tags during write that were invalid in the context of the
CODEC in use (this was done to fix a regression introduced by my former
fix).
Now upstream reused my _TIFFCheckFieldIsValidForCodec() but he uses
it during "read" of pictures and not during write and he did not add the
CODEC-specific tags to the global list of known tags.
So while I believe that we are covered in terms of already reported CVEs,
I also believe that it would be sane to replace our own fixes by
upstream's fix and confirm that the already fixed CVEs are still
properly fixed.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/