guix-devel

Re: [PATCH 1/1] gnu: libtiff: Fix CVE-2016-{10092, 10093, 10094} and oth


From: Leo Famulari
Subject: Re: [PATCH 1/1] gnu: libtiff: Fix CVE-2016-{10092, 10093, 10094} and others.
Date: Tue, 10 Jan 2017 17:33:16 -0500
User-agent: Mutt/1.7.2 (2016-11-26)

On Tue, Jan 10, 2017 at 10:43:34PM +0100, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> wrote:
> 
> > * gnu/packages/patches/libtiff-CVE-2016-10092.patch,
> > gnu/packages/patches/libtiff-CVE-2016-10093.patch,
> > gnu/packages/patches/libtiff-CVE-2016-10094.patch,
> > gnu/packages/patches/libtiff-assertion-failure.patch,
> > gnu/packages/patches/libtiff-divide-by-zero-ojpeg.patch,
> > gnu/packages/patches/libtiff-divide-by-zero-tiffcp.patch,
> > gnu/packages/patches/libtiff-divide-by-zero-tiffcrop.patch,
> > gnu/packages/patches/libtiff-divide-by-zero.patch,
> > gnu/packages/patches/libtiff-heap-overflow-pixarlog-luv.patch,
> > gnu/packages/patches/libtiff-heap-overflow-tif-dirread.patch,
> > gnu/packages/patches/libtiff-heap-overflow-tiffcp.patch,
> > gnu/packages/patches/libtiff-heap-overflow-tiffcrop.patch,
> > gnu/packages/patches/libtiff-invalid-read.patch,
> > gnu/packages/patches/libtiff-null-dereference.patch,
> > gnu/packages/patches/libtiff-tiffcp-underflow.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/image.scm (libtiff)[replacement]: New field.
> > (libtiff/fixed): New variable.
> 
> Impressive list (most from oss-sec on Jan. 1st, right?).

Right, starting here:

http://seclists.org/oss-sec/2017/q1/1

> I skimmed over the patches; some are obvious, others much less, but I
> didn’t notice anything suspicious.  I’d say go for it.

I took some guidance from the Debian package versions 4.0.7-2 and
4.0.7-4:

http://metadata.ftp-master.debian.org/changelogs/main/t/tiff/tiff_4.0.7-4_changelog

I can't find a web link to the Debian packaging tree, but you can get
their patch series in the latest Debian tarball:

http://http.debian.net/debian/pool/main/t/tiff/tiff_4.0.7-4.debian.tar.xz

I generated the patches from CVS myself. The patch commentary should
help anyone who wants to reproduce the patches.

I found it difficult to name all the patches that haven't been assigned
CVE IDs yet, as you might have noticed ;)
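For readers unfamiliar with how a Guix security update of this shape is wired up, here is an added illustration of the `image.scm` change the commit message describes: the `replacement` field on `libtiff` and the `libtiff/fixed` variable. This is not the patch itself nor code quoted from the Guix tree; the version string, the `inherit`-based source, and the use of `search-patches` are assumptions about the conventional graft pattern, while the patch file names are the ones listed in the commit message. The point of the `replacement` field is that Guix grafts `libtiff/fixed` onto every package that depends on `libtiff`, so users get the fixed shared library without rebuilding the dependents.

```scheme
;; Illustrative sketch of the graft pattern, not the actual Guix commit.
;; Assumed: version "4.0.7" and the origin layout of the real package.
(define-public libtiff
  (package
    (name "libtiff")
    (version "4.0.7")
    ;; Tells Guix to graft the fixed build onto dependents of libtiff.
    (replacement libtiff/fixed)
    (source (origin
              (method url-fetch)
              (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-"
                                  version ".tar.gz"))
              (sha256
               (base32
                "..."))))            ; hash elided in this sketch
    (build-system gnu-build-system)
    (home-page "http://www.remotesensing.org/libtiff/")
    (synopsis "Library for handling TIFF files")
    (description "Library for handling TIFF files.")
    (license license:non-copyleft)))  ; placeholder, see the real package

;; The fixed variant inherits everything from libtiff and only adds the
;; patches.  Patch files live in gnu/packages/patches/ and must also be
;; listed under dist_patch_DATA in gnu/local.mk.
(define libtiff/fixed
  (package
    (inherit libtiff)
    (source
     (origin
       (inherit (package-source libtiff))
       (patches (search-patches
                 "libtiff-CVE-2016-10092.patch"
                 "libtiff-CVE-2016-10093.patch"
                 "libtiff-CVE-2016-10094.patch"
                 "libtiff-assertion-failure.patch"
                 "libtiff-divide-by-zero-ojpeg.patch"
                 "libtiff-divide-by-zero-tiffcp.patch"
                 "libtiff-divide-by-zero-tiffcrop.patch"
                 "libtiff-divide-by-zero.patch"
                 "libtiff-heap-overflow-pixarlog-luv.patch"
                 "libtiff-heap-overflow-tif-dirread.patch"
                 "libtiff-heap-overflow-tiffcp.patch"
                 "libtiff-heap-overflow-tiffcrop.patch"
                 "libtiff-invalid-read.patch"
                 "libtiff-null-dereference.patch"
                 "libtiff-tiffcp-underflow.patch"))))))
```

Because a graft keeps the replacement ABI-compatible with the original (same version, same library names), it is only appropriate for fixes like these patches that do not change the library's interface; a version bump would require a full rebuild of dependents instead.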


