TIFF and LibTiff Mailing List Archive
LibTiff Mailing List
2010.12.06 18:44 "Re: Security vulnerability CVE-2010-3847", by Lee Howard
imipak wrote:

> I notice that Mandriva and SuSE have released updates for their
> libtiff packages to fix for CVE-2010-3087, but there doesn't seem to
> be any sign of it in the changelog for 3.9.4 (or, indeed, earlier
> releases.)
>
> CVE:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3087
>
> Mandriva:
> http://www.mandriva.com/en/security/advisories?name=MDVSA-2010:190
>
> SuSE:
> http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
>
> Is there any ETA for a fix on the main source tree?

I've just now committed the in-line patch found on...

http://bugzilla.maptools.org/show_bug.cgi?id=2228

... I'm not sure if that small change resolves CVE-2010-3087. The various distros are using Tom Lane's patch on...

http://bugzilla.maptools.org/show_bug.cgi?id=2140

... as a resolution to CVE-2010-3087. You can see on the bug report that Frank seemed to object to Tom's proposal on Bug 2140, so I think for the moment we're stuck there needing some further response from Frank on this. (Frank?)

Thanks,

Lee.