Re: Missing tiff3 patch in security repo

To: debian-security <debian-security@lists.debian.org>, jgoerzen@complete.org
Subject: Re: Missing tiff3 patch in security repo
From: Michael Gilbert <mgilbert@debian.org>
Date: Wed, 18 Feb 2015 19:50:07 -0500
Message-id: <[🔎] CANTw=MM_jw+nr6HPC6mY-xEnLej7dn7t8B_x6v86=mdpAcVY4w@mail.gmail.com>
In-reply-to: <[🔎] 54E4D0ED.90407@complete.org>
References: <[🔎] 54E498FF.7000104@complete.org> <[🔎] 7a19bfb5a8cc624f647891c11ef22b3e.squirrel@aphrodite.kinkhorst.nl> <[🔎] 54E4D0ED.90407@complete.org>

On Wed, Feb 18, 2015 at 12:50 PM, John Goerzen wrote:
>> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just
>> hardening, converting uses of sprintf to snprintf. those can be rolled
>> into the next tiff3 update, but a separate dsa isn't needed)
>>
>>
> I saw that too, though the bug report says something different, the DSA
> note is probably correct.  But then why is wheezy listed as vulnerable?
>
> Do they think that sprintf is safe?

The patch for CVE-2013-1961 is right there attached to my nmu message
in #706674.  Please feel free to wheezy-pu tiff3 if the lack of
snprintf hardening there really bothers you.

Best wishes,
Mike

Reply to:

References:
- Missing tiff3 patch in security repo
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Missing tiff3 patch in security repo
  - From: "Thijs Kinkhorst" <thijs@debian.org>
- Re: Missing tiff3 patch in security repo
  - From: John Goerzen <jgoerzen@complete.org>

Prev by Date: Re: Should we be alarmed at our state of security support?
Next by Date: Re: Should we be alarmed at our state of security support?
Previous by thread: Re: Missing tiff3 patch in security repo
Next by thread: Re: Missing tiff3 patch in security repo
Index(es):
- Date
- Thread