[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Missing tiff3 patch in security repo

On Wed, February 18, 2015 18:50, John Goerzen wrote:
> On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
>> Hi John,
>> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>>   <http://security-tracker.debian.org/tracker/CVE-2013-1961>
>>>   - libtiff4 (remotely exploitable, high urgency)
>> The reason is explained when you follow this link you quote above:
>> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are
>> just
>> hardening, converting uses of sprintf to snprintf. those can be rolled
>> into the next tiff3 update, but a separate dsa isn't needed)
> I saw that too, though the bug report says something different, the DSA
> note is probably correct.  But then why is wheezy listed as vulnerable?
> Do they think that sprintf is safe?

It's listed as open because IF we were to create a DSA in the future
anyway, it would be a useful thing to include it while we're at it
(hardening), but it isn't a priority to create a DSA especially for this.
We could also mark the CVE as done and then we'd never do anything with it
anymore for wheezy. Both are defensible approaches.


Reply to: