From: Alex Vong
To: guix-patches@gnu.org
Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Fri, 07 Jul 2017 06:31:36 +0800

Severity: important
Tags: patch security

Hello,

This patch fixes two latest CVEs of libtiff:

From=208dc3ff7b6b34b1d0ff7ab535883df20dbc5af2c8 Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Fri, 7 Jul 2017 06:17:37 +0800 Subject: [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}. * gnu/packages/patches/libtiff-CVE-2017-9936.patch, gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files. * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches. * gnu/local.mk (dist_patch_DATA): Add them. =2D-- gnu/local.mk | 2 + gnu/packages/image.scm | 4 +- gnu/packages/patches/libtiff-CVE-2017-10688.patch | 80 +++++++++++++++++++= ++++ gnu/packages/patches/libtiff-CVE-2017-9936.patch | 39 +++++++++++ 4 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libtiff-CVE-2017-10688.patch create mode 100644 gnu/packages/patches/libtiff-CVE-2017-9936.patch diff --git a/gnu/local.mk b/gnu/local.mk index 8dbce7c05..4ae395ef8 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -766,6 +766,8 @@ dist_patch_DATA =3D \ %D%/packages/patches/libtiff-CVE-2016-10093.patch \ %D%/packages/patches/libtiff-CVE-2016-10094.patch \ %D%/packages/patches/libtiff-CVE-2017-5225.patch \ + %D%/packages/patches/libtiff-CVE-2017-9936.patch \ + %D%/packages/patches/libtiff-CVE-2017-10688.patch \ %D%/packages/patches/libtiff-assertion-failure.patch \ %D%/packages/patches/libtiff-divide-by-zero-ojpeg.patch \ %D%/packages/patches/libtiff-divide-by-zero-tiffcp.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 8a03cbc3c..4450980bf 100644 =2D-- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -391,7 +391,9 @@ collection of tools for doing simple manipulations of T= IFF images.") (method url-fetch) (uri (string-append "ftp://download.osgeo.org/libtiff/tiff-" version ".tar.gz")) =2D (patches (search-patches "libtiff-tiffgetfield-bugs.patch")) + (patches (search-patches "libtiff-tiffgetfield-bugs.patch" + "libtiff-CVE-2017-9936.patch" + "libtiff-CVE-2017-10688.patch")) (sha256 (base32 "0419mh6kkhz5fkyl77gv0in8x4d2jpdpfs147y8mj86rrjlabmsr")))))) diff --git a/gnu/packages/patches/libtiff-CVE-2017-10688.patch b/gnu/packag= es/patches/libtiff-CVE-2017-10688.patch new file mode 100644 index 000000000..3b5d27fd7 =2D-- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-10688.patch 
@@ -0,0 +1,80 @@ +Fix CVE-2017-10688: + +http://bugzilla.maptools.org/show_bug.cgi?id=3D2712 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-10688 +https://security-tracker.debian.org/tracker/CVE-2017-10688 + +Patch lifted from upstream source repository (the changes to 'ChangeLog' +don't apply to the libtiff 4.0.8 release tarball): + +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe= 74ba1 + +From 6173a57d39e04d68b139f8c1aa499a24dbe74ba1 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Fri, 30 Jun 2017 17:29:44 +0000 +Subject: [PATCH] * libtiff/tif_dirwrite.c: in + TIFFWriteDirectoryTagCheckedXXXX() functions associated with LONG8/SLONG8 + data type, replace assertion that the file is BigTIFF, by a non-fatal err= or. + Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2712 Reported by team + OWL337 + +--- + ChangeLog | 8 ++++++++ + libtiff/tif_dirwrite.c | 20 ++++++++++++++++---- + 2 files changed, 24 insertions(+), 4 deletions(-) + +diff --git a/libtiff/tif_dirwrite.c b/libtiff/tif_dirwrite.c +index 2967da58..8d6686ba 100644 +--- a/libtiff/tif_dirwrite.c ++++ b/libtiff/tif_dirwrite.c +@@ -2111,7 +2111,10 @@ TIFFWriteDirectoryTagCheckedLong8(TIFF* tif, uint32= * ndir, TIFFDirEntry* dir, ui + { + uint64 m; + assert(sizeof(uint64)=3D=3D8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","L= ONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + m=3Dvalue; + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabLong8(&m); +@@ -2124,7 +2127,10 @@ TIFFWriteDirectoryTagCheckedLong8Array(TIFF* tif, u= int32* ndir, TIFFDirEntry* di + { + assert(count<0x20000000); + assert(sizeof(uint64)=3D=3D8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","L= ONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + if (tif->tif_flags&TIFF_SWAB) + 
TIFFSwabArrayOfLong8(value,count); + return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_LONG8,count,count= *8,value)); +@@ -2136,7 +2142,10 @@ TIFFWriteDirectoryTagCheckedSlong8(TIFF* tif, uint3= 2* ndir, TIFFDirEntry* dir, u + { + int64 m; + assert(sizeof(int64)=3D=3D8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","S= LONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + m=3Dvalue; + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabLong8((uint64*)(&m)); +@@ -2149,7 +2158,10 @@ TIFFWriteDirectoryTagCheckedSlong8Array(TIFF* tif, = uint32* ndir, TIFFDirEntry* d + { + assert(count<0x20000000); + assert(sizeof(int64)=3D=3D8); +- assert(tif->tif_flags&TIFF_BIGTIFF); ++ if( !(tif->tif_flags&TIFF_BIGTIFF) ) { ++ TIFFErrorExt(tif->tif_clientdata,"TIFFWriteDirectoryTagCheckedLong8","S= LONG8 not allowed for ClassicTIFF"); ++ return(0); ++ } + if (tif->tif_flags&TIFF_SWAB) + TIFFSwabArrayOfLong8((uint64*)value,count); + return(TIFFWriteDirectoryTagData(tif,ndir,dir,tag,TIFF_SLONG8,count,coun= t*8,value)); +--=20 +2.13.2 + diff --git a/gnu/packages/patches/libtiff-CVE-2017-9936.patch b/gnu/package= s/patches/libtiff-CVE-2017-9936.patch new file mode 100644 index 000000000..a3d51e0ef =2D-- /dev/null +++ b/gnu/packages/patches/libtiff-CVE-2017-9936.patch 
@@ -0,0 +1,39 @@ +Fix CVE-2017-9936: + +http://bugzilla.maptools.org/show_bug.cgi?id=3D2706 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-9936 +https://security-tracker.debian.org/tracker/CVE-2017-9936 + +Patch lifted from upstream source repository (the changes to 'ChangeLog' +don't apply to the libtiff 4.0.8 release tarball): + +https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20= cf67a + +From fe8d7165956b88df4837034a9161dc5fd20cf67a Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Mon, 26 Jun 2017 15:19:59 +0000 +Subject: [PATCH] * libtiff/tif_jbig.c: fix memory leak in error code path = of + JBIGDecode() Fixes http://bugzilla.maptools.org/show_bug.cgi?id=3D2706 Re= ported + by team OWL337 + +* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg +--- + ChangeLog | 8 +++++++- + libtiff/tif_jbig.c | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 5f5f75e2..c75f31d9 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -94,6 +94,7 @@ static int JBIGDecode(TIFF* tif, uint8* buffer, tmsize_t= size, uint16 s) + jbg_strerror(decodeStatus) + #endif + ); ++ jbg_dec_free(&decoder); + return 0; + } +=20 +--=20 +2.13.2 + =2D-=20 2.13.2

Cheers,
Alex
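
Review bot: In the TIFFWriteDirectoryTagCheckedLong8Array hunk (@@ -2124) of libtiff-CVE-2017-10688.patch, the unchanged context line assert(count<0x20000000) remains a fatal path in assertion-enabled builds, and where assertions are compiled out it is the only guard visible here on the count*8 size handed to TIFFWriteDirectoryTagData. The hunk turns the neighbouring BigTIFF assert into a TIFFErrorExt call followed by return(0); it would be worth asking libtiff whether the count bound should get the same non-fatal treatment.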
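
Review bot: The TIFFErrorExt call added in the TIFFWriteDirectoryTagCheckedSlong8 hunk (@@ -2136) passes "TIFFWriteDirectoryTagCheckedLong8" as the module name, so the "SLONG8 not allowed for ClassicTIFF" error is attributed to a different function than the one that failed; the two Array hunks reuse the same string. Passing each function's own name would make the message point at the right writer. As the patch is taken verbatim from the referenced commit, this is better raised with libtiff than changed locally.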
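
Review bot: The commit message embedded in libtiff-CVE-2017-9936.patch ends with a cut-off line, "* libtiff/tif_jpeg.c: error out at decoding time if anticipated libjpeg", although the diff under it touches only libtiff/tif_jbig.c. Dropping that line, or noting that it belongs to an unrelated part of the referenced commit, would keep the patch header accurate. On the code side, the added jbg_dec_free(&decoder) covers the one error return visible in the @@ -94 hunk; please confirm against the full JBIGDecode() that no other early return skips the free.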

From: Leo Famulari
To: Alex Vong
Cc: 27603@debbugs.gnu.org
Subject: Re: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Thu, 6 Jul 2017 19:40:38 -0400

On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.

> +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> +don't apply to the libtiff 4.0.8 release tarball):
> +
> +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1

This is actually not the upstream source repository. It's a 3rd party
unofficial mirror.

To the chagrin of young packagers everywhere, libtiff is still using
CVS. Unless somebody beats me to it, I'll extract the patches from their
CVS repo later tonight.

From: Leo Famulari
To: Alex Vong
Cc: 27603-done@debbugs.gnu.org
Subject: Re: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Fri, 7 Jul 2017 00:07:26 -0400

On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> > * gnu/local.mk (dist_patch_DATA): Add them.
>
> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> > +don't apply to the libtiff 4.0.8 release tarball):
> > +
> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>
> This is actually not the upstream source repository. It's a 3rd party
> unofficial mirror.
>
> To the chagrin of young packagers everywhere, libtiff is still using
> CVS. Unless somebody beats me to it, I'll extract the patches from their
> CVS repo later tonight.

I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818.

Thanks for getting it started Alex!

From: Alex Vong
To: Leo Famulari
Cc: 27603-done@debbugs.gnu.org
Subject: Re: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Fri, 07 Jul 2017 21:20:07 +0800

Leo Famulari writes:

> On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
>> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
>> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
>> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
>> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>>
>> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
>> > +don't apply to the libtiff 4.0.8 release tarball):
>> > +
>> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>>
>> This is actually not the upstream source repository. It's a 3rd party
>> unofficial mirror.
>>
Ahhh, I blindly used the links from debian security tracker. Should have
been more careful. I wonder why they use links from an unofficial mirror.

>> To the chagrin of young packagers everywhere, libtiff is still using
>> CVS. Unless somebody beats me to it, I'll extract the patches from their
>> CVS repo later tonight.
>
:)

> I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for
> getting it started Alex!

You're welcome!

From: Leo Famulari
To: Alex Vong
Cc: 27603-done@debbugs.gnu.org
Subject: Re: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Fri, 7 Jul 2017 12:30:47 -0400

On Fri, Jul 07, 2017 at 09:20:07PM +0800, Alex Vong wrote:
> Ahhh, I blindly used the links from debian security tracker. Should have
> been more careful. I wonder why they use links from an unofficial mirror.

I noticed they were doing that, and I don't understand why. It *is*
convenient to have a relatively stable changeset ID in the form of Git
commit hashes.

I asked about it on oss-security and the repo was confirmed to be
unofficial:

http://seclists.org/oss-sec/2017/q1/15

It has been acknowledged by the libtiff maintainer:

http://maptools-org.996276.n3.nabble.com/git-version-control-td13746.html

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 05 Aug 2017 11:24:03 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator