TIFF and LibTiff Mailing List Archive
August 2009

Archive maintained by AWare Systems

2009.08.21 16:19 "Re: libtiff 4.0.0beta3", by Jay Berkenbilt
2009.08.21 16:37 "Re: libtiff 4.0.0beta3", by Frank Warmerdam
2009.08.21 17:10 "Re: libtiff 4.0.0beta3", by Bob Friesenhahn
2009.08.23 16:20 "Re: libtiff 4.0.0beta3", by Jay Berkenbilt
2009.08.24 17:25 "Re: libtiff 4.0.0beta3", by Bob Friesenhahn
2009.08.24 18:46 "Re: libtiff 4.0.0beta3", by Jay Berkenbilt
2009.08.24 19:33 "Re: libtiff 4.0.0beta3", by Bob Friesenhahn

2009.08.23 16:20 "Re: libtiff 4.0.0beta3", by Jay Berkenbilt

Bob Friesenhahn <> wrote:

> Also, it is necessary to assure that various submitted security
> patches have been applied.  I don't receive notifications from
> Bugzilla when new bugs are submitted (and don't know how to enable
> that) so I am not sure how many such patches have been submitted.

It would be helpful if bug reports in bugzilla as well as CVS commit
comments contained CVE numbers for security-related patches.  It would
make it much easier to verify that security fixes have been committed or
at least acknowledged.  But I did a careful analysis of this just a few
days ago while preparing debian packages for 3.9.0 and 4.0.0 beta 3.

Executive summary: bugs 1895, 2024, and 2079 have not been applied to
the trunk.  They are all relatively simple.

Based on my analysis, the only CVE security patch not in the trunk is
CVE-2009-2347.patch (bug 2079).  In addition, there are two potentially
security-related patches (because of potential denial of service) that
have been applied to 3.9.0 but do not yet appear in the trunk: bugs 1895
and 2024.  In my notes for the debian package, I have a warning to
myself that the logic for bug 1895 is subtle and to check the code
carefully to make sure all cases are handled.  This is in the bug
report.  You will be familiar with 2024 and 2079 as you just recently
applied them to the 3.9 branch.  After these are applied, if my analysis
is correct, all security-related bugs ever reported against tiff in
debian will be in the trunk.

My analysis method was to take all the security-related patches in the
debian tiff package and to manually check them against the trunk.  Then
I also checked the latest Fedora package in rawhide to see whether there
are any security patches applied there that were not in the debian
package.  (There aren't.)

There is no guarantee that I haven't missed something, but I do track
all security-related patches carefully to all my packages, and I've been
maintaining TIFF for debian since 2004.  I'd say there's a high
likelihood that my analysis is complete.  If a security patch to an
earlier version was improperly or incompletely applied to the trunk,
I may not have noticed that, as when verifying that the patches
appeared in the trunk I was more focused on making sure the changes in
the patch were there, even if in a different place.  In some cases, a
patch was only partially applied because the code had changed in a way
to make the original problem irrelevant, so a partial application is not
necessarily an indication of a problem.  (I know you know this.  I'm
just stating it for completeness.)

Jay Berkenbilt <>
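The procedure Jay describes above (take every security patch shipped in the distribution package, confirm its change is present in the trunk, and treat hunks that no longer match as needing a careful look rather than as done) can be mechanised, and his first point about CVE numbers in patch and commit comments is what makes the cross-reference automatable. The following is an added example, not code from the libtiff project or the Debian package: the trunk file, the three patches and the CVE-0000-000x identifiers are constructed placeholders, and the parser handles only the plain unified diffs a distribution normally carries.

```python
# Added example (not libtiff's or Debian's tooling): mechanise the check described above.
import re
from typing import Dict, List

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def cve_ids(text: str) -> List[str]:
    """CVE identifiers mentioned anywhere in a patch (header prose or hunks)."""
    return sorted(set(CVE_RE.findall(text)))

def parse_patch(text: str) -> Dict[str, list]:
    """Minimal unified-diff parser -> {path: [[(tag, text), ...], ...]}."""
    files: Dict[str, list] = {}
    path, hunk = None, []
    for line in text.splitlines():
        if line.startswith("--- ") or line.startswith("\\ No newline"):
            continue  # old-file header / marker (a removed line starting '-- ' would be misread)
        if line.startswith("+++ "):
            path = line[4:].split("\t")[0].split("/", 1)[-1]  # drop the a/ or b/ prefix
            files.setdefault(path, [])
        elif line.startswith("@@"):
            hunk = []
            files[path].append(hunk)
        elif path is not None and line[:1] in (" ", "+", "-"):
            hunk.append((line[0], line[1:]))
    return files

def _contains(lines: List[str], image: List[str]) -> bool:
    return bool(image) and any(lines[i:i + len(image)] == image for i in range(len(lines) - len(image) + 1))

def hunk_status(file_lines: List[str], hunk: list) -> str:
    """'applied' if the post-image (context + '+') is in the file, 'missing' if the
    pre-image (context + '-') is, else 'unknown': code moved or changed, a human decides."""
    post = [t for tag, t in hunk if tag in " +"]
    pre = [t for tag, t in hunk if tag in " -"]
    if _contains(file_lines, post):
        return "applied"
    return "missing" if _contains(file_lines, pre) else "unknown"

def audit(trunk: Dict[str, str], patches: Dict[str, str]) -> Dict[str, dict]:
    """Per patch: the CVE ids it cites and the status of every hunk, per file."""
    report = {}
    for name, text in patches.items():
        hunks = {p: [hunk_status(trunk.get(p, "").splitlines(), h) for h in hs]
                 for p, hs in parse_patch(text).items()}
        report[name] = {"cves": cve_ids(text), "hunks": hunks}
    return report

# Constructed stand-ins, not real libtiff code or real patches; CVE-0000-000x are placeholders.
TRUNK = {"src/reader.c": """\
static int read_strip(size_t count, size_t size) {
    if (size != 0 && count > SIZE_MAX / size)
        return -1;
    return (int)(count * size);
}
void log_msg(const char *fmt) {
    printf(fmt);
}
"""}

PATCHES = {
    # merged upstream: the overflow guard is already in the trunk -> "applied"
    "cve-0000-0001.patch": """\
Description: reject strip sizes whose product overflows (placeholder CVE-0000-0001)
--- a/src/reader.c
+++ b/src/reader.c
@@ -1,3 +1,5 @@
 static int read_strip(size_t count, size_t size) {
+    if (size != 0 && count > SIZE_MAX / size)
+        return -1;
     return (int)(count * size);
 }
""",
    # not merged: trunk still passes caller data as the format string -> "missing"
    "cve-0000-0002.patch": """\
Description: use a fixed format string in log_msg (placeholder CVE-0000-0002)
--- a/src/reader.c
+++ b/src/reader.c
@@ -6,3 +6,3 @@
 void log_msg(const char *fmt) {
-    printf(fmt);
+    printf("%s", fmt);
 }
""",
    # neither image is in the trunk (function removed upstream) -> "unknown", needs a human
    "stale.patch": """\
--- a/src/reader.c
+++ b/src/reader.c
@@ -20,3 +20,3 @@
 int old_helper(int n) {
-    return n * 4;
+    return n > 0 ? n * 4 : 0;
 }
""",
}
```

Run `audit(TRUNK, PATCHES)` to get, per patch, the CVE ids it cites and one status per hunk. An "unknown" hunk is exactly the situation the message warns about: either the code changed so the original problem became irrelevant, or the fix landed in a different place, so it must be inspected by hand rather than counted as present or absent; a patch with an empty CVE list is one whose header would need the identifier Jay asks for before it can be cross-referenced against bugzilla or the commit log.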