Michael Gilbert <mgilb...@debian.org> wrote:
> package: src:tiff3
> severity: grave
> version: 3.9.6-11
> tag: security
>
> The tiff package has had multiple security issues recently. tiff3,
> being an old version, is also affected by a subset of them, of which I
> haven't fully checked yet:
> https://security-tracker.debian.org/tracker/source-package/tiff
>
> It is however clear that tiff3 is affected by at least CVE-2013-1960
> and CVE-2013-1961, but probably a whole lot more:
> http://bugs.debian.org/706674
> http://bugs.debian.org/706675
>
> Please review and help make the situation in unstable better. We will
> also need to issue a DSA for wheezy.
>
> Best wishes,
> Mike
According to the security tracker, we have the following right now:

* The version of tiff in sid is not affected by any known issues. I have
  acknowledged the NMU and uploaded a new version with urgency=low. I'm
  really sorry I dropped the ball on that. This is the first NMU in the
  unstable version of tiff since the one I did in 2004. While I am
  certainly appreciative of the NMU by the security team, a quick ping
  asking me to take care of it would have yielded results and saved you
  the trouble.

* http://bugs.debian.org/706674, CVE-2013-1960 is only related to
  tiff2pdf, which is not present in any version of the tiff3 package, so
  all versions of tiff3 can be marked as not affected by this issue.

* The fix for http://bugs.debian.org/706675, CVE-2013-1961 for the tiff
  package in squeeze should be easy to port to the tiff3 package for
  wheezy and sid. I will take care of that.

* CVE-2010-2596 might affect tiff in squeeze, but it's also apparently
  related to tiff2ps, which is not present in tiff3. Apparently there is
  no current fix. Red Hat rated this as having low security impact. I'm
  not inclined to spend time on it at this time.

* CVE-2010-2631 looks like it has already been fixed upstream in all the
  versions we have, but I haven't positively confirmed that. None of the
  versions in Ubuntu are believed to be vulnerable, so I think we should
  be fine here.

So basically, as far as I can tell, the only remaining action to get us
caught up is to apply the CVE-2013-1961 fix to tiff in squeeze. I can
prepare a security upload for that.

--
Jay Berkenbilt <q...@debian.org>