Re: Missing tiff3 patch in security repo

To: debian-security@lists.debian.org
Subject: Re: Missing tiff3 patch in security repo
From: "Thijs Kinkhorst" <thijs@debian.org>
Date: Wed, 18 Feb 2015 15:53:06 +0100
Message-id: <[🔎] 7a19bfb5a8cc624f647891c11ef22b3e.squirrel@aphrodite.kinkhorst.nl>
In-reply-to: <[🔎] 54E498FF.7000104@complete.org>
References: <[🔎] 54E498FF.7000104@complete.org>

Hi John,

On Wed, February 18, 2015 14:51, John Goerzen wrote:
> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>   <http://security-tracker.debian.org/tracker/CVE-2013-1961>
>   - libtiff4 (remotely exploitable, high urgency)

The reason is explained when you follow this link you quote above:

[wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just
hardening, converting uses of sprintf to snprintf. those can be rolled
into the next tiff3 update, but a separate dsa isn't needed)

Cheers,
Thijs

Reply to:

Follow-Ups:
- Re: Missing tiff3 patch in security repo
  - From: John Goerzen <jgoerzen@complete.org>

References:
- Missing tiff3 patch in security repo
  - From: John Goerzen <jgoerzen@complete.org>

Prev by Date: Re: Should we be alarmed at our state of security support?
Next by Date: Re: Should we be alarmed at our state of security support?
Previous by thread: Missing tiff3 patch in security repo
Next by thread: Re: Missing tiff3 patch in security repo
Index(es):
- Date
- Thread