From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 1/1] gnu: libtiff: Fix CVE-2016-{10092, 10093, 10094} and others.
Date: Tue, 10 Jan 2017 17:33:16 -0500 [thread overview]
Message-ID: <20170110223316.GB8431@jasmine> (raw)
In-Reply-To: <8737gqzj3t.fsf@gnu.org>
On Tue, Jan 10, 2017 at 10:43:34PM +0100, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > * gnu/packages/patches/libtiff-CVE-2016-10092.patch,
> > gnu/packages/patches/libtiff-CVE-2016-10093.patch,
> > gnu/packages/patches/libtiff-CVE-2016-10094.patch,
> > gnu/packages/patches/libtiff-assertion-failure.patch,
> > gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch,
> > gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch,
> > gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch,
> > gnu/packages/patches/libtiff-divide-by-zero.patch,
> > gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch,
> > gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch,
> > gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch,
> > gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch,
> > gnu/packages/patches/libtiff-invalid-read.patch,
> > gnu/packages/patches/libtiff-null-dereference.patch,
> > gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/image.scm (libtiff)[replacement]: New field.
> > (libtiff/fixed): New variable.
>
> Impressive list (most from oss-sec on Jan. 1st, right?).
Right, starting here:
http://seclists.org/oss-sec/2017/q1/1
> I skimmed over the patches; some are obvious, others much less, but I
> didn’t notice anything suspicious. I’d say go for it.
I took some guidance from the Debian package versions 4.0.7-2 and
4.0.7-4:
http://metadata.ftp-master.debian.org/changelogs/main/t/tiff/tiff_4.0.7-4_changelog
I can't find a web link to the Debian packaging tree, but you can get
their patch series in the latest Debian tarball:
http://http.debian.net/debian/pool/main/t/tiff/tiff_4.0.7-4.debian.tar.xz
I generated the patches from CVS myself. The patch commentary should
help anyone who wants to reproduce the patches.
I found it difficult to name all the patches that haven't been assigned
CVE IDs yet, as you might have noticed ;)
prev parent reply other threads:[~2017-01-10 22:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-10 18:14 [PATCH 1/1] gnu: libtiff: Fix CVE-2016-{10092, 10093, 10094} and others Leo Famulari
2017-01-10 21:43 ` Ludovic Courtès
2017-01-10 22:33 ` Leo Famulari [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170110223316.GB8431@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.