
LibTiff Mailing List

TIFF and LibTiff Mailing List Archive
December 2010

Archive maintained by AWare Systems






Thread

2010.12.06 16:32 "Security vulnerability CVE-2010-3847", by <imipak@gmail.com>
2010.12.06 18:44 "Re: Security vulnerability CVE-2010-3847", by Lee Howard
2010.12.06 20:09 "Re: Security vulnerability CVE-2010-3847", by Tom Lane
2010.12.08 01:19 "Re: Security vulnerability CVE-2010-3847", by Lee Howard
2010.12.07 16:07 "Re: Security vulnerability CVE-2010-3847", by <imipak@gmail.com>

2010.12.06 18:44 "Re: Security vulnerability CVE-2010-3847", by Lee Howard

imipak wrote:
> I notice that Mandriva and SuSE have released updates for their
> libtiff packages to fix CVE-2010-3087, but there doesn't seem to
> be any sign of it in the changelog for 3.9.4 (or, indeed, earlier
> releases.)
>
> CVE:
>    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>
> Mandriva:
>    http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:190
>
> SuSE:
>    http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
>
>
> Is there any ETA for a fix on the main source tree?

I've just now committed the in-line patch found on...

http://bugzilla.maptools.org/show_bug.cgi?id=2228

... I'm not sure if that small change resolves CVE-2010-3087.  The 
various distros are using Tom Lane's patch on...

http://bugzilla.maptools.org/show_bug.cgi?id=2140

... as a resolution to CVE-2010-3087.

You can see on the bug report that Frank seemed to object to Tom's 
proposal on Bug 2140, so I think for the moment we're stuck there 
needing some further response from Frank on this.  (Frank?)

Thanks,

Lee.