Re: tiff updates
On 2018-03-22 09:19:31, Hugo Lefeuvre wrote:
> * Start working on tiff and tiff3:
> - Investigate, debug/prepare and test patch for CVE-2018-7456 (git master
> version). This issue was very long to debug because it required me
> to have a good understanding of the TIFF standard which I had to
> read carefully, and also of the TIFF codebase, which I had to study
> extensively. I have submitted my patch to upstream, not sure it's
> ready yet but I feel like I understand the problem well enough
> to finish it and backport the patch to Wheezy and Jessie.
> You can find most of my work on the debian-lts mailing list and
> upstream bug report.
> During my investigations I bumped across another, older issue which
> I still have to investigate in master (it never got a CVE assigned and
> I'm not even sure that upstream heard about it, it got probably
> fixed 'by chance').
I see you have the `tiff` package claimed in dla-needed.txt, but not
`tiff3`. I suspect both are fairly similar issues and that you intended
to work on both, so I figured it might be better to claim both next
But I haven't seen new activity on the packages since then, do you need
a review of the patches you submitted in March? Or for someone to carry
this work forward?
They say that time changes things, but you actually have to change
them yourself. - Andy Warhol