Re: CVE-2017-9935 / tiff

2017-11-13 Thread Brian May
"Roberto C. Sánchez" writes: > That sounds like a flawed assumption. The spec (I provide a working > link below) describes the format of a TIFF as being made up of an 8 byte > header and one or more images (IFDs, or image file directories). > > The descriptions do not explicitly say that each pa

Re: CVE-2017-9935 / tiff

2017-11-13 Thread Brian May
"Roberto C. Sánchez" writes: > That sounds like a flawed assumption. The spec (I provide a working > link below) describes the format of a TIFF as being made up of an 8 byte > header and one or more images (IFDs, or image file directories). Yes, that was my guess too, although I couldn't find a

Re: CVE-2017-9935 / tiff

2017-11-13 Thread Roberto C . Sánchez
Hi Brian, I tried looking at this when I prepared the last tiff and tiff3 updates a couple of months ago. However, you went much deeper than I did. On Tue, Nov 14, 2017 at 08:22:26AM +1100, Brian May wrote: > Looks like this vulnerability - at least for the first test case - is > because we assu

CVE-2017-9935 / tiff

2017-11-13 Thread Brian May
Looks like this vulnerability - at least for the first test case - is because we assume that a tiff will only have one transfer function that is the same for all pages. However, we read the transfer function for every page. Depending on the transfer function, we allocate either 2 or 4 bytes to the

Re: Wheezy update of cacti?

2017-11-13 Thread Paul Gevers
Hi Ola, On 11/13/17 20:15, Ola Lundqvist wrote: > You are right two of the issues are not an issue in wheezy. I have > marked them accordingly. However one remains. I did not find time to > look through the last ome. I have already looked at that, it is present. But please see my comments in bug

Re: About the security issues affecting asterisk in Wheezy

2017-11-13 Thread Ola Lundqvist
Hi Salvatore has updated this for you. No need to make an action on your part. // Ola On 12 November 2017 at 10:14, Tzafrir Cohen wrote: > Thanks for the note, > > On Sat, Nov 11, 2017 at 07:17:04PM +0100, Ola Lundqvist wrote: >> Dear maintainers, >> >> The Debian LTS team recently reviewed the

Re: Wheezy update of cacti?

2017-11-13 Thread Ola Lundqvist
Hi Paul You are right two of the issues are not an issue in wheezy. I have marked them accordingly. However one remains. I did not find time to look through the last ome. // Ola On 9 November 2017 at 18:51, Paul Gevers wrote: > Hi Ola > > On 08-11-17 21:21, Ola Lundqvist wrote: >> The Debian LT

Re: rtpproxy / CVE-2017-14114

2017-11-13 Thread Raphael Hertzog
On Mon, 06 Nov 2017, Brian May wrote: > Why keep rtpproxy in data/dla-needed.txt if a fix is not possible? Well, I wanted someone else to have a look at it. And also leave some time to see if we could make an announce about possible ways to mitigate the issue for LTS users. Cheers, -- Raphaël He