
Re: tiff and CVE-2016-10095



Hi Raphael,
On Tue, Jun 06, 2017 at 12:05:14PM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Fri, 02 Jun 2017, Guido Günther wrote:
> > > but it's not worth arguing and providing that in jessie might be useful for
> > > building custom tools still.
> > 
> > But then again the fix for this should be in Wheezy already as far as I
> > can tell. Raphael (since you provided the upstream patches for this), can
> > you confirm?
> 
> I looked quickly at the upstream patch that got added. While it's based
> on some of my code, the approach retained by upstream is really different
> to what I did.
> 
> The real fix of most CVEs for me was to add CODEC-specific tags to the
> global table so that they are known and treated correctly
> (0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch). The
> _TIFFCheckFieldIsValidForCodec() function that I added was used to filter
> out tags during write that were invalid in the context of the
> CODEC in use (this was done to fix a regression introduced by my former
> fix).
> 
> Now upstream reused my _TIFFCheckFieldIsValidForCodec() but he uses
> it during "read" of pictures and not during write and he did not add the
> CODEC-specific tags to the global list of known tags.
> 
> So while I believe that we are covered in terms of already reported CVEs,
> I also believe that it would be sane to replace our own fixes by
> upstream's fix and confirm that the already fixed CVEs are still
> properly fixed.

Thanks for having a look. So the current status is fine, we treat wheezy
as affected but wait until more urgent issues pile up.
Cheers,
 -- Guido
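
A simplified model of the codec-aware tag filtering discussed in this thread, as an added example that is not part of the original messages and is not libtiff's code. Tag and compression numbers are taken from the TIFF specification; `field_valid_for_codec` and `count_rejected` are hypothetical names, and the tag-to-codec mapping covers only a few tags.

```c
#include <stdint.h>
#include <stdio.h>

/* Tag and compression numbers as assigned by the TIFF specification. */
enum { TAG_IMAGEWIDTH = 256, TAG_GROUP3OPTIONS = 292, TAG_GROUP4OPTIONS = 293,
       TAG_PREDICTOR = 317, TAG_BADFAXLINES = 326, TAG_JPEGTABLES = 347 };
enum { COMP_NONE = 1, COMP_CCITTFAX3 = 3, COMP_CCITTFAX4 = 4, COMP_LZW = 5,
       COMP_JPEG = 7, COMP_ADOBE_DEFLATE = 8 };

/* Returns 1 if `tag` may be processed for a directory using `compression`,
 * 0 if it is a codec-specific tag that belongs to a different codec.
 * Hypothetical stand-in for the check the thread refers to as
 * _TIFFCheckFieldIsValidForCodec(); deliberately incomplete. */
int field_valid_for_codec(uint16_t compression, uint32_t tag)
{
    switch (tag) {
    case TAG_PREDICTOR:
        return compression == COMP_LZW || compression == COMP_ADOBE_DEFLATE;
    case TAG_JPEGTABLES:
        return compression == COMP_JPEG;
    case TAG_GROUP3OPTIONS:
        return compression == COMP_CCITTFAX3;
    case TAG_GROUP4OPTIONS:
        return compression == COMP_CCITTFAX4;
    case TAG_BADFAXLINES:
        return compression == COMP_CCITTFAX3 || compression == COMP_CCITTFAX4;
    default:
        return 1; /* not codec-specific: always allowed */
    }
}

/* Counts the tags in a directory that the filter would drop. */
int count_rejected(uint16_t compression, const uint32_t *tags, int n)
{
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!field_valid_for_codec(compression, tags[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed directory: an LZW image carrying stray JPEG and fax tags. */
    const uint32_t tags[] = { TAG_IMAGEWIDTH, TAG_PREDICTOR,
                              TAG_JPEGTABLES, TAG_BADFAXLINES };
    printf("rejected %d of 4 tags\n", count_rejected(COMP_LZW, tags, 4));
    return 0;
}
```

The same predicate can be applied on the read path or the write path, which is the difference between the two fixes compared above.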

