CVE-2015-7554 / http://bugzilla.maptools.org/show_bug.cgi?id=2564
Duplicate: CVE-2016-5318 / http://bugzilla.maptools.org/show_bug.cgi?id=2561

What would be considered an acceptable fix here?

It looks like a proper fix is not available without changing the API due to limitations in the stdarg.h API. Plus IMHO the TIFFGetField API looks badly designed and prone to error considering these known limitations.

As far as I am aware there doesn't appear to be any upstream fix.

There is a fix for the tiffsplit client program:

http://bugzilla.maptools.org/show_bug.cgi?id=2564#c2

Is it worth trying to fix tiffsplit (like Red Hat), and maybe somehow documenting somewhere (e.g. the DSA/DLA) that the scope of the fix is restricted?

(I am assuming nothing has been done with this as there is no information in the security-tracker).

Regards
-- 
Brian May <b...@debian.org>
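
The stdarg.h limitation mentioned in the message, as an added example that is not part of the original post and is not libtiff code: a variadic getter cannot see how many out-pointers its caller passed, so only a changed call shape lets it reject a mismatch. The tags, values and function names below are hypothetical.

```c
#include <stdarg.h>
#include <stdint.h>

/* Hypothetical tags (not libtiff's); each implies a number of out-pointers. */
enum { TAG_WIDTH = 1, TAG_COUNTED_ARRAY = 2 };
static const uint16_t sample_values[3] = {10, 20, 30}; /* constructed data */

static int outputs_for_tag(int tag) {
    return tag == TAG_WIDTH ? 1 : tag == TAG_COUNTED_ARRAY ? 2 : 0;
}

/* Writes through as many out-pointers as the tag dictates. */
static int write_outputs(int tag, va_list ap) {
    if (tag == TAG_WIDTH) {
        uint32_t *w = va_arg(ap, uint32_t *);
        if (!w) return 0;
        *w = 640;
        return 1;
    }
    if (tag == TAG_COUNTED_ARRAY) {
        uint16_t *count = va_arg(ap, uint16_t *);
        const uint16_t **data = va_arg(ap, const uint16_t **);
        if (!count || !data) return 0;
        *count = 3;
        *data = sample_values;
        return 1;
    }
    return 0;
}

/* Tag-only shape: the callee cannot tell whether the caller really passed two
 * pointers for TAG_COUNTED_ARRAY; va_arg on a missing argument is undefined. */
int get_field(int tag, ...) {
    va_list ap;
    va_start(ap, tag);
    int ok = write_outputs(tag, ap);
    va_end(ap);
    return ok;
}

/* Changed-API shape: the caller declares how many out-pointers it supplied,
 * and a mismatch is rejected before any va_arg is evaluated. */
int get_field_checked(int tag, int nargs, ...) {
    int need = outputs_for_tag(tag);
    if (need == 0 || nargs != need) return 0;
    va_list ap;
    va_start(ap, nargs);
    int ok = write_outputs(tag, ap);
    va_end(ap);
    return ok;
}
```

The declared count is still supplied by the caller, so this only catches a caller whose expectation differs from what the tag requires; it does not make the variadic call type-safe.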