
Re: Missing tiff3 patch in security repo



On Wed, February 18, 2015 18:50, John Goerzen wrote:
> On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
>> Hi John,
>>
>> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>>   <http://security-tracker.debian.org/tracker/CVE-2013-1961>
>>>   - libtiff4 (remotely exploitable, high urgency)
>> The reason is explained when you follow this link you quote above:
>>
>> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are
>> just hardening, converting uses of sprintf to snprintf. those can be
>> rolled into the next tiff3 update, but a separate dsa isn't needed)
>>
>>
> I saw that too; though the bug report says something different, the DSA
> note is probably correct.  But then why is wheezy listed as vulnerable?
>
> Do they think that sprintf is safe?

It's listed as open because IF we were to create a DSA in the future
anyway, it would be a useful thing to include it while we're at it
(hardening), but it isn't a priority to create a DSA especially for this.
We could also mark the CVE as done and then we'd never do anything with it
anymore for wheezy. Both are defensible approaches.


Cheers,
Thijs

