[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Missing tiff3 patch in security repo

On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
> Hi John,
> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>   <http://security-tracker.debian.org/tracker/CVE-2013-1961>
>>   - libtiff4 (remotely exploitable, high urgency)
> The reason is explained when you follow this link you quote above:
> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just
> hardening, converting uses of sprintf to snprintf. those can be rolled
> into the next tiff3 update, but a separate dsa isn't needed)
I saw that too, though the bug report says something different, the DSA
note is probably correct.  But then why is wheezy listed as vulnerable?

Do they think that sprintf is safe?


Reply to: