
Missing tiff3 patch in security repo

Hi folks,

I've been going through the output of debsecan on my systems (more on
that later).  For the moment, I have discovered something odd regarding
a tiff advisory.

Debsecan noted this on my wheezy machine:

CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
  - libtiff4 (remotely exploitable, high urgency)

According to https://www.debian.org/security/2014/dsa-2965 there was a
patch in wheezy to tiff 4.0.2-6+deb7u3.  But tiff3 remains unpatched. 
There is a grave bug report at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712840 which mentions
that the fix for this CVE could be easily ported to the tiff3 package
for wheezy.  However, it was never uploaded to wheezy.

Any ideas how to fix this?

