Bug#600188: tiff: CVE-2010-3087
Disregard my previous response. Red Hat and SUSE have both taken the patch from the bugzilla issue that upstream rejected, so I will do so as well. Uploading momentarily.

Jay Berkenbilt q...@debian.org wrote:

> Moritz Muehlenhoff muehlenh...@univention.de wrote:
>
>> Package: tiff
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>>
>> Please see:
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>>
>> This patch should fix it:
>> http://bugzilla.maptools.org/show_bug.cgi?id=2140
>
> Upstream rejected the patch in their bug 2140, and the patch's author said it was only a partial fix. The CVE references a bug in Novell's bugzilla, but even after creating an account, I don't have access to read the bug. So I'm really not sure what to do here. I could just blindly accept the patch, but then I'm permanently deviating from upstream. Should I discuss with upstream? I could grab Red Hat's latest SRPM and see how long they've been using this patch, or I could dig through upstream's CVS repository and see what the status is there.
Bug#600188: tiff: CVE-2010-3087
Moritz Muehlenhoff muehlenh...@univention.de wrote:

> Package: tiff
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Please see:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>
> This patch should fix it:
> http://bugzilla.maptools.org/show_bug.cgi?id=2140

Upstream rejected the patch in their bug 2140, and the patch's author said it was only a partial fix. The CVE references a bug in Novell's bugzilla, but even after creating an account, I don't have access to read the bug. So I'm really not sure what to do here. I could just blindly accept the patch, but then I'm permanently deviating from upstream. Should I discuss with upstream? I could grab Red Hat's latest SRPM and see how long they've been using this patch, or I could dig through upstream's CVS repository and see what the status is there.

--
Jay Berkenbilt q...@debian.org
Bug#600188: tiff: CVE-2010-3087
Package: tiff
Severity: grave
Tags: security
Justification: user security hole

Please see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087

This patch should fix it:
http://bugzilla.maptools.org/show_bug.cgi?id=2140

(Lenny is not affected)

Cheers,
Moritz

-- System Information:
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)