Re: Missing tiff3 patch in security repo

2015-02-19 Thread Thijs Kinkhorst
On Wed, February 18, 2015 18:50, John Goerzen wrote:
> On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
>> Hi John,
>>
>> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>>

Re: Missing tiff3 patch in security repo

2015-02-18 Thread Michael Gilbert
On Wed, Feb 18, 2015 at 12:50 PM, John Goerzen wrote:
>> [wheezy] - tiff3 (the changes that [a]ffect the library are just
>> hardening, converting uses of sprintf to snprintf. those can be rolled
>> into the next tiff3 update, but a separate dsa isn't needed)
>>
>>
> I saw that too, though the bug

Re: Missing tiff3 patch in security repo

2015-02-18 Thread John Goerzen
On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
> Hi John,
>
> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>
>> - libtiff4 (remotely exploitable, high ur

Re: Missing tiff3 patch in security repo

2015-02-18 Thread Thijs Kinkhorst
Hi John,

On Wed, February 18, 2015 14:51, John Goerzen wrote:
> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>
> - libtiff4 (remotely exploitable, high urgency)

The reason is explained when you follow this li

Missing tiff3 patch in security repo

2015-02-18 Thread John Goerzen
Hi folks,

I've been going through the output of debsecan on my systems (more on that later). For the moment, I have discovered something odd regarding a tiff advisory. Debsecan noted this on my wheezy machine:

CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...