reassign 694693 libtiff4 3.9.6-9
thanks

Moritz Muehlenhoff <j...@inutil.org> wrote:

> On Thu, Nov 29, 2012 at 09:46:41AM -0500, Jay Berkenbilt wrote:
>> Moritz Muehlenhoff <j...@inutil.org> wrote:
>>
>> > Hi Jay,
>> > another security issue was discovered by Red Hat's Huzaifa S. Sidhpurwala:
>> > The Red Hat bug contains the necessary details:
>> > https://bugzilla.redhat.com/show_bug.cgi?id=867235
>>
>> Looking at the bugzilla issue, it's not completely clear to me whether
>> this was fixed in 4.0.2 or 4.0.3, and the patch will be pretty different
>> for the 3.x versions and the 4.x versions. I'll see what I can do about
>> finding time very soon to address this. I'm a little concerned about
>> Tom Lane's comment about a behavioral change:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c6
>>
>> I'll look at it a little before blindly taking the diff.
>
> I'm attaching the Ubuntu patch for 12.04 (based on 3.9.5-2)

Sorry for the delay on this.

The upstream fix for this problem was in CVS revision 1.111 of tif_dir.c,
and the release 4.0.2 tag is on revision 1.113. I also verified, looking at
the source, that 4.0.2 already incorporates this fix, so CVE-2012-5581 does
not affect the tiff package in sid/wheezy. However, it does affect the
tiff3 package and the tiff package in squeeze.

I am reassigning the bug to libtiff4 and will upload tiff3 momentarily with
the patch that the Red Hat security team backported. I will request an
unblock. I will also prepare a patch for squeeze and follow the usual
procedure.

One of the nice things about tiff is that, if you wait long enough, someone
else will do most of the work. :-/

--
Jay Berkenbilt <q...@debian.org>