[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Missing tiff3 patch in security repo

On Wed, Feb 18, 2015 at 12:50 PM, John Goerzen wrote:
>> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just
>> hardening, converting uses of sprintf to snprintf. those can be rolled
>> into the next tiff3 update, but a separate dsa isn't needed)
> I saw that too, though the bug report says something different, the DSA
> note is probably correct.  But then why is wheezy listed as vulnerable?
> Do they think that sprintf is safe?

The patch for CVE-2013-1961 is right there attached to my nmu message
in #706674.  Please feel free to wheezy-pu tiff3 if the lack of
snprintf hardening there really bothers you.

Best wishes,

Reply to: