reassign 694693 libtiff4 3.9.6-9
thanks

Moritz Muehlenhoff <j...@inutil.org> wrote:

> On Thu, Nov 29, 2012 at 09:46:41AM -0500, Jay Berkenbilt wrote:
>> Moritz Muehlenhoff <j...@inutil.org> wrote:
>> 
>> >
>> > Hi Jay,
>> > another security issue was discovered by Red Hat's Huzaifa S. Sidhpurwala:
>> > The Red Hat bug contains the necessary details:
>> > https://bugzilla.redhat.com/show_bug.cgi?id=867235
>> 
>> Looking at the bugzilla issue, it's not completely clear to me whether
>> this was fixed in 4.0.2 or 4.0.3, and the patch will be pretty different
>> for the 3.x versions and the 4.x versions.  I'll see what I can do about
>> finding time very soon to address this.  I'm a little concerned about
>> Tom Lane's comment about a behavioral change:
>> 
>> https://bugzilla.redhat.com/show_bug.cgi?id=867235#c6
>> 
>> I'll look at it a little before blindly taking the diff.
>
> I'm attaching the Ubuntu patch for 12.04 (based on 3.9.5-2)

Sorry for the delay on this.  The upstream fix for this problem was in
CVS revision 1.111 of tif_dir.c, and the release 4.0.2 tag is on
revision 1.113.  I also verified looking at the source that 4.0.2
already incorporates this fix, so CVE-2012-5581 does not affect the tiff
package in sid/wheezy.  However, it does affect the tiff3 package and
the tiff package in squeeze.  I am reassigning the bug to libtiff4 and
will upload tiff3 momentarily with the patch that the Red Hat security
team backported.  I will request an unblock.  I will also prepare a
patch for squeeze and follow the usual procedure.

One of the nice things about tiff is that, if you wait long enough,
someone else will do most of the work. :-/

-- 
Jay Berkenbilt <q...@debian.org>
