Martin Pitt <[EMAIL PROTECTED]> wrote: > Package: libtiff-tools > Version: 3.7.4-1 > Severity: normal > Tags: security patch > > Recently, a buffer overflow in tiffsplit has been discovered: > > http://marc.theaimsgroup.com/?l=vuln-dev&m=114857412916909&w=2 > > You can execute arbitrary code with crafted long file names or > prefixes. Of course this is pretty lame usually, but it can become an > issue if tiffsplit is used with untrusted input in an automated > system. Which should be only theoretical, but since it is easy to > patch, it can as well be fixed properly. (Also, Fedora fixed it, > and we don't want to loose our reputation, do we? :) ) > > Find the patch here: > > http://patches.ubuntu.com/patches/tiff.CVE-2006-2656.diff > > Thanks, > > Martin
Thanks. I have confirmed that both the tiff in sarge and sid are vulnerable. I'll apply the patch and prepare new versions for both sarge and sid and will notify the security team when the uploads are ready. -- Jay Berkenbilt <[EMAIL PROTECTED]> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
