2010.12.06 16:32 "[Tiff] Security vulnerability CVE-2010-3847", by imipak

2010.12.06 20:09 "Re: [Tiff] Security vulnerability CVE-2010-3847", by Tom Lane

I've just now committed the in-line patch found on...

http://bugzilla.maptools.org/show_bug.cgi?id=2228

I find the patch given in #2228 pretty unsatisfactory, as it's throwing away image quality to produce what seems no better than a cargo-cult solution to the problem. Turning off fancy upsampling doesn't affect the number of output pixels libjpeg produces. It would cause it to not *read* adjacent rows for averaging purposes, but if that causes a segfault then your problem is elsewhere. It is certainly not fixing the problem explained in #2140, which is that the required output buffer size is underestimated.

I'm not sure if that small change resolves CVE-2010-3087. The various distros are using Tom Lane's patch on...

http://bugzilla.maptools.org/show_bug.cgi?id=2140

... as a resolution to CVE-2010-3087.

You can see on the bug report that Frank seemed to object to Tom's proposal on Bug 2140, so I think for the moment we're stuck there needing some further response from Frank on this. (Frank?)

For the record, *I* don't much like that patch either :-). I think it's OK for the limited purpose of stopping core dumps, but it's far from resolving all the issues complained of in #2140.

regards, tom lane