Steve Langasek <[EMAIL PROTECTED]> wrote:

> On Sat, Feb 18, 2006 at 07:17:43PM -0500, Jay Berkenbilt wrote:
>
>> This bug, reporting that tiff2pdf segfaults on a particular image, was
>> listed as grave but is not grave.  It does not render the software
>> unusable to a majority of users, and it has an easy workaround (use
>> some other program, like convert from imagemagick, to convert the
>> file).
>
> Is there any way that this bug could constitute a security hole?

It's conceivable, and this is something I will look into when I
investigate the problem.  Certainly a reliable way to cause a segfault
could be used as the basis for a DoS attack.  Since the segfault was
reported against the sarge version and is not reproducible in sid, I
don't think the severity of the bug should be RC, but if you disagree,
please re-upgrade and I'll leave it alone.  It's possible that the bug
is actually in tiff2pdf (as reported) and not in libtiff as well.
(Actually, I just tested this in sarge, and I am not able to reproduce
the problem in the sarge version either.)

If the problem does turn out to be a security problem (which it may be
for the reasons above), I will attempt to prepare a fix for the sarge
version and notify the security team.  I won't close the bug until I
can come to a reasonable resolution on that.

If you think I should leave the bug RC pending a reliable way to
reproduce the problem in sid, please upgrade.  Note also that the
current sid version contains a security fix that is not in etch, but
as far as I know, the etch version does not contain the bug.

--Jay

