On Fri, Jun 02, 2017 at 10:25:29AM +0200, Guido Günther wrote:
> Hi Moritz,
> I'm trying to figure out the reasoning for @51764. This marks tiff as
> affected by CVE-2016-10095. However from the upstream bug and the
> changes we made in wheezy it looks like the changes we made already are
> sufficient to fix the issue. Do you have a hint why you think this is
> not the case?

CVE-2016-10095 is the generic fix for the API. I'm not sure why that received a CVE ID, since it's not a vulnerability per se (which are in the call sites), but it's not worth arguing and providing that in jessie might be useful for building custom tools still.

Cheers,
Moritz