Re: CVE-2017-9935 / tiff

To: debian-lts@lists.debian.org
Subject: Re: CVE-2017-9935 / tiff
From: Brian May <bam@debian.org>
Date: Tue, 12 Dec 2017 08:14:42 +1100
Message-id: <[🔎] 87inddj7b1.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 87o9n5k9b9.fsf@prune.linuxpenguins.xyz>
References: <87375hkh65.fsf@prune.linuxpenguins.xyz> <20171114035243.v5kx2la3nkd2uz4x@connexer.com> <87zi7pic5c.fsf@prune.linuxpenguins.xyz> <87inechxo8.fsf@prune.linuxpenguins.xyz> <871skyhrd0.fsf@prune.linuxpenguins.xyz> <87y3n5h5zu.fsf@prune.linuxpenguins.xyz> <87vai9h5t8.fsf@prune.linuxpenguins.xyz> <20171117122537.oseept5nyz72ahy7@connexer.com> <[🔎] 87o9n5k9b9.fsf@prune.linuxpenguins.xyz>

Brian May <bam@debian.org> writes:

> Now to see if the patch will apply to the older tiff3, also in wheezy.

Done.

I note that the previous version of tiff3 is a security update for
tiff2pdf.

However I also note that - for the tiff3 package - we don't build a
binary for tiff2pdf. The newer tiff package is used instead.

Hence I am wondering if it is worthwhile creating a fixed version of
tiff3 when the only changes will be the source?

There is the small change to the library function, however I very much
doubt this is going to have any impact without the client.

Regards
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: CVE-2017-9935 / tiff
  - From: Brian May <bam@debian.org>

References:
- Re: CVE-2017-9935 / tiff
  - From: Brian May <bam@debian.org>

Prev by Date: Re: CVE-2017-9935 / tiff
Next by Date: Re: reportbug: please inform security and lts teams about security update regressions
Previous by thread: Re: CVE-2017-9935 / tiff
Next by thread: Re: CVE-2017-9935 / tiff
Index(es):
- Date
- Thread