On 2018-03-22 09:19:31, Hugo Lefeuvre wrote: > * Start working on tiff and tiff3: > > - Investigate, debug/prepare and test patch for CVE-2018-7456 (git master > version). This issue was very long to debug because it required me > to have a good understanding of the TIFF standard which I had to > read carefully, and also of the TIFF codebase, which I had to study > extensively. I have submitted my patch to upstream, not sure it's > ready yet but I feel like I understand the problem well enough > to finish it and backport the patch to Wheezy and Jessie. > > You can find most of my work on the debian-lts mailing list and > upstream bug report. > > During my investigations I bumped across another, older issue which > I still have to investigate in master (it never got a CVE assigned and > I'm not even sure that upstream heard about it, it got probably > fixed 'by chance').
Hello Hugo! I see you have the `tiff` package claimed in dla-needed.txt, but not `tiff3`. I suspect both are fairly similar issues and that you intended to work on both, so I figured it might be better to claim both next time. But I haven't seen new activity on the packages since then, do you need a review of the patches you submitted in March? Or for someone to carry this work forward? Thanks! -- They say that time changes things, but you actually have to change them yourself. - Andy Warhol
