Missing tiff3 patch in security repo

To: debian-security@lists.debian.org
Subject: Missing tiff3 patch in security repo
From: John Goerzen <jgoerzen@complete.org>
Date: Wed, 18 Feb 2015 07:51:59 -0600
Message-id: <[🔎] 54E498FF.7000104@complete.org>

Hi folks,

I've been going through the output of debsecan on my systems (more on
that later).  For the moment, I have discovered something odd regarding
a tiff advisory.

Debsecan noted this on my wheezy machine:

CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
  <http://security-tracker.debian.org/tracker/CVE-2013-1961>
  - libtiff4 (remotely exploitable, high urgency)


According to https://www.debian.org/security/2014/dsa-2965 there was a
patch in wheezy to tiff 4.0.2-6+deb7u3.  But tiff3 remains unpatched. 
There is a grave bug report at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712840 which mentions
that the fix for this CVE could be easily ported to the tiff3 package
for wheezy.  However, it was never uploaded to wheezy.

Any ideas how to fix this?

John

Reply to:

Follow-Ups:
- Re: Missing tiff3 patch in security repo
  - From: "Thijs Kinkhorst" <thijs@debian.org>

Prev by Date: Re: ***MUELL*** Duplicata
Next by Date: Should we be alarmed at our state of security support?
Previous by thread: Re: ***MUELL*** Duplicata
Next by thread: Re: Missing tiff3 patch in security repo
Index(es):
- Date
- Thread