Hi, Am 27.01.2017 um 11:28 schrieb Raphael Hertzog: > On Thu, 26 Jan 2017, Raphael Hertzog wrote: >> This code thus assumes that the list ok known tags only contains a single >> tag per unique fip->field_bit and this is no no longer the case with >> the patches we added: >> - CVE-2014-8128-5-fixed.patch >> - CVE-2016-5318_CVE-2015-7554.patch >> >> I guess we have no other choice than to drop all CODEC-specific tags >> from the global list of tags... and thus reopen the above CVE, at >> least in part. > > In fact, I opted to add logic that filters out the non-relevant tags. > > Matthias, can you try > https://people.debian.org/~hertzog/packages/libtiff4_3.9.6-11+deb7u3_amd64.deb > and report back if it works for you ? Please check that there are no other > regressions as well. > > The full upload is available: > $ dget > https://people.debian.org/~hertzog/packages/tiff3_3.9.6-11+deb7u3_amd64.changes
I took your patched libtiff4 and tested several images and compression schemes using ImageMagick and GraphicsMagick in a wheezy chroot without any problems. I have not encountered any unexpected error messages or any corrupted images. > The debdiff is attached for review by other contributors. > > If we are satisfied by this fix, then we should do something similar on > source package tiff 4.x (which provides libtiff5 4.x). Cheers Matthias
