Hi,

On Fri, 02 Jun 2017, Guido Günther wrote:
> > but it's not worth arguing and providing that in jessie might be useful for
> > building custom tools still.
>
> But then again the fix for this should be in Wheezy already as far as I
> can tell. Raphael (since you provided the upstream patches for this), can
> you confirm?

I looked quickly at the upstream patch that got added. While it's based on some of my code, the approach retained by upstream is really different to what I did.

The real fix of most CVEs for me was to add CODEC-specific tags to the global table so that they are known and treated correctly (0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch). The _TIFFCheckFieldIsValidForCodec() function that I added was used to filter out tags during write that were invalid in the context of the CODEC in use (this was done to fix a regression introduced by my former fix).

Now upstream reused my _TIFFCheckFieldIsValidForCodec() but he uses it during "read" of pictures and not during write and he did not add the CODEC-specific tags to the global list of known tags.

So while I believe that we are covered in terms of already reported CVEs, I also believe that it would be sane to replace our own fixes by upstream's fix and confirm that the already fixed CVEs are still properly fixed.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/