Subject: Re: Tiff package
To: Takahiro Kambe <email@example.com>
From: Jeremy C. Reed <firstname.lastname@example.org>
Date: 01/26/2005 08:20:16
On Wed, 26 Jan 2005, Takahiro Kambe wrote:
> In message <Pine.LNX.email@example.com>
> on Mon, 17 Jan 2005 10:49:42 -0800 (PST),
> "Jeremy C. Reed" <firstname.lastname@example.org> wrote:
> > The tiff in pkgsrc-2004Q4 was updated. I applied patches to the 3.6.1
> > version and it was pulled up to pkgsrc-2004Q4 (in ticket 174).
> With pkgsrc-2004Q4 branch, tiff package still seems to marked as
> ===> Checking for vulnerabilities in tiff-3.6.1nb6
> *** WARNING - remote-code-execution vulnerability in tiff-3.6.1nb6 - see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308 for more information ***
> or define ALLOW_VULNERABLE_PACKAGES if this package is absolutely essential
> *** Error code 255
I didn't know this second one was there in pkg-vulnerabilities.
I carbon-copied wiz on this email.
date: 2005/01/11 10:10:19; author: wiz; state: Exp; lines: +2 -1
Add another (fixed) tiff vulnerability.
date: 2004/12/22 04:10:53; author: reed; state: Exp; lines: +2 -1
libtiff STRIPOFFSETS Integer Overflow Vulnerability
says the patch is
- if (elem_size && bytes / elem_size == nmemb)
+ if (nmemb && elem_size && bytes / elem_size == nmemb)
This is in patch-ag in stable pkgsrc.
But now I see the other file is missed.
And the cvsweb is missing pkgsrc/graphics/tiff/patches/Attic/patch-ao
Please see pullup 174. It should have pulled up the patch for
tif_dirread.c. I think it is:
cvs rdiff -r1.1 -r1.2 pkgsrc/graphics/tiff/patches/patch-ao
I carbon copied snj to see if he can double check this pullup (and fix if
Once it is done, we will also have to bump the pkgrevision for stable
pkgsrc and then also increase it in pkg-vulnerabilities.
Jeremy C. Reed
BSD News, BSD tutorials, BSD links