Hi Raphael,

On Tue, Jun 06, 2017 at 12:05:14PM +0200, Raphael Hertzog wrote:
> Hi,
>
> On Fri, 02 Jun 2017, Guido Günther wrote:
> > > but it's not worth arguing and providing that in jessie might be useful
> > > for
> > > building custom tools still.
> >
> > But then again the fix for this should be in Wheezy already as far as I
> > can tell. Raphael (since you provided the upstream patches for this), can
> > you confirm?
>
> I looked quickly at the upstream patch that got added. While it's based
> on some of my code, the approach retained by upstream is really different
> to what I did.
>
> The real fix of most CVEs for me was to add CODEC-specific tags to the
> global table so that they are known and treated correctly
> (0042-Make-more-tag-fields-known-to-TIFFReadDirectoryFindF.patch). The
> _TIFFCheckFieldIsValidForCodec() function that I added was used to filter
> out tags during write that were invalid in the context of the
> CODEC in use (this was done to fix a regression introduced by my former
> fix).
>
> Now upstream reused my _TIFFCheckFieldIsValidForCodec() but he uses
> it during "read" of pictures and not during write and he did not add the
> CODEC-specific tags to the global list of known tags.
>
> So while I believe that we are covered in terms of already reported CVEs,
> I also believe that it would be sane to replace our own fixes by
> upstream's fix and confirm that the already fixed CVEs are still
> properly fixed.

Thanks for having a look. So the current status is fine, we treat wheezy
as affected but wait until more urgent issues pile up.

Cheers,
 -- Guido