Re: Missing tiff3 patch in security repo

To: Thijs Kinkhorst <thijs@debian.org>, debian-security@lists.debian.org
Subject: Re: Missing tiff3 patch in security repo
From: John Goerzen <jgoerzen@complete.org>
Date: Wed, 18 Feb 2015 11:50:37 -0600
Message-id: <[🔎] 54E4D0ED.90407@complete.org>
In-reply-to: <[🔎] 7a19bfb5a8cc624f647891c11ef22b3e.squirrel@aphrodite.kinkhorst.nl>
References: <[🔎] 54E498FF.7000104@complete.org> <[🔎] 7a19bfb5a8cc624f647891c11ef22b3e.squirrel@aphrodite.kinkhorst.nl>

On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
> Hi John,
>
> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>   <http://security-tracker.debian.org/tracker/CVE-2013-1961>
>>   - libtiff4 (remotely exploitable, high urgency)
> The reason is explained when you follow this link you quote above:
>
> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just
> hardening, converting uses of sprintf to snprintf. those can be rolled
> into the next tiff3 update, but a separate dsa isn't needed)
>
>
I saw that too, though the bug report says something different, the DSA
note is probably correct.  But then why is wheezy listed as vulnerable?

Do they think that sprintf is safe?

John

Reply to:

Follow-Ups:
- Re: Missing tiff3 patch in security repo
  - From: Michael Gilbert <mgilbert@debian.org>
- Re: Missing tiff3 patch in security repo
  - From: "Thijs Kinkhorst" <thijs@debian.org>

References:
- Missing tiff3 patch in security repo
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Missing tiff3 patch in security repo
  - From: "Thijs Kinkhorst" <thijs@debian.org>

Prev by Date: Re: Should we be alarmed at our state of security support?
Next by Date: Re: Should we be alarmed at our state of security support?
Previous by thread: Re: Missing tiff3 patch in security repo
Next by thread: Re: Missing tiff3 patch in security repo
Index(es):
- Date
- Thread