libtiff security update (multiple CVEs)
From: Leo Famulari
Subject: libtiff security update (multiple CVEs)
Date: Tue, 23 Aug 2016 15:44:34 -0400
User-agent: Mutt/1.7.0 (2016-08-17)
I took these patches from the libtiff CVS repo using the information
contained in the respective bug reports:
http://bugzilla.maptools.org/buglist.cgi?product=libtiff
This is my first time using CVS, so please review carefully.
I removed the hunks that looked like this, since most of them did not
apply:
@@ -1,4 +1,4 @@
-/* $Id: tiffcrop.c,v 1.36 2016-07-11 21:26:03 erouault Exp $ */
+/* $Id: tiffcrop.c,v 1.37 2016-07-11 21:38:31 erouault Exp $ */
/* tiffcrop.c -- a port of tiffcp.c extended to include manipulations of
* the image data through additional options listed below
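Review bot: the only changed line in this hunk is the CVS `$Id$` keyword comment at the top of tiffcrop.c (revision 1.36 to 1.37), so dropping it removes no code change from the fix. It does remove the one place where the upstream revision is recorded, so consider stating the revision pair (1.36 to 1.37) in the patch's header comment to keep each fix traceable to the upstream commit it came from.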
I also had to add a directory level, so ...
diff -u -r1.36 -r1.37
--- tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
+++ tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
... became ...
diff -u -r1.36 -r1.37
--- libtiff/tools/tiffcrop.c 11 Jul 2016 21:26:03 -0000 1.36
+++ libtiff/tools/tiffcrop.c 11 Jul 2016 21:38:31 -0000 1.37
There are several CVEs in that cluster that libtiff did not provide a
patch for. Instead, they decided to remove the affected component
entirely in the upcoming release. For example
http://bugzilla.maptools.org/show_bug.cgi?id=2567#c1
We could try copying other distros' patches for these, although in some
cases the libtiff maintainer claims that the distro's patch is
incorrect:
http://bugzilla.maptools.org/show_bug.cgi?id=2563#c4
0001-gnu-libtiff-Fix-CVE-2016-3623-3945-3990-3991-5321-53.patch
Description: Text document