On Wed, February 18, 2015 18:50, John Goerzen wrote:
> On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote:
>> Hi John,
>>
>> On Wed, February 18, 2015 14:51, John Goerzen wrote:
>>> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page...
>>> <http://security-tracker.debian.org/tracker/CVE-2013-1961>
>>> - libtiff4 (remotely exploitable, high urgency)
>> The reason is explained when you follow this link you quote above:
>>
>> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just
>> hardening, converting uses of sprintf to snprintf. those can be rolled
>> into the next tiff3 update, but a separate dsa isn't needed)
>>
>
> I saw that too, though the bug report says something different, the DSA
> note is probably correct. But then why is wheezy listed as vulnerable?
>
> Do they think that sprintf is safe?
It's listed as open because IF we were to create a DSA in the future anyway, it would be a useful thing to include it while we're at it (hardening), but it isn't a priority to create a DSA especially for this. We could also mark the CVE as done and then we'd never do anything with it anymore for wheezy. Both are defensible approaches.

Cheers,
Thijs
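The "hardening" the tracker note refers to is the sprintf-to-snprintf conversion. The following is an added illustration of that pattern written for this page; it is not libtiff code and does not reproduce the t2p_write_pdf_page change. The function names, buffer size and sample inputs are constructed. The point it makes is the one the thread circles around: replacing sprintf with snprintf bounds the write, but the call is only a complete fix when the caller also checks the return value, because snprintf reports the length the string would have had and silently truncates when that does not fit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not libtiff code.
 * Formats "<prefix>_<index>" into dst, writing at most dstlen bytes
 * (always NUL-terminated when dstlen > 0).
 * Returns true only if the whole string fit; false on truncation or error.
 * This is the hardened shape: sprintf(dst, "%s_%d", ...) would write as
 * many bytes as the format expands to, regardless of dst's size. */
bool format_object_name(char *dst, size_t dstlen, const char *prefix, int index)
{
    if (dst == NULL || dstlen == 0)
        return false;

    /* snprintf returns the length the full output WOULD have had, not the
     * number of bytes written. A value >= dstlen means it was cut short. */
    int needed = snprintf(dst, dstlen, "%s_%d", prefix, index);
    if (needed < 0) {           /* encoding/format error */
        dst[0] = '\0';
        return false;
    }
    return (size_t)needed < dstlen;
}

/* A caller that refuses to continue with a truncated name instead of
 * emitting a mangled identifier into its output. Returns the number of
 * names built, or -1 if any did not fit. */
int build_names(char out[][16], size_t count, const char *prefix)
{
    int built = 0;
    for (size_t i = 0; i < count; i++) {
        if (!format_object_name(out[i], 16, prefix, (int)i))
            return -1;
        built++;
    }
    return built;
}

int main(void)
{
    char buf[16];   /* deliberately small to exercise the truncation path */

    /* constructed inputs: one that fits, one that does not */
    bool ok = format_object_name(buf, sizeof buf, "Img", 7);
    printf("fit=%d name=\"%s\"\n", ok, buf);

    ok = format_object_name(buf, sizeof buf, "AVeryLongPrefixName", 7);
    printf("fit=%d name=\"%s\"\n", ok, buf);

    char names[3][16];
    printf("built=%d\n", build_names(names, 3, "Pg"));
    printf("built=%d\n", build_names(names, 3, "AVeryLongPrefixName"));
    return 0;
}
```

When auditing such a conversion in a package update, the thing to check is not just that sprintf is gone but that every new snprintf call's result is either checked as above or is provably unable to exceed the buffer; a bare replacement closes the overflow but can still leave the program using a truncated string.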

