GNU bug report logs - #27603
[PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.

Previous Next

Full log

View this message in rfc822 format

From: Alex Vong <alexvong1995 <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 27603-done <at> debbugs.gnu.org
Subject: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Fri, 07 Jul 2017 21:20:07 +0800

[Message part 1 (text/plain, inline)]

Leo Famulari <leo <at> famulari.name> writes:

> On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
>> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
>> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
>> >   gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
>> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>> 
>> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
>> > +don't apply to the libtiff 4.0.8 release tarball):
>> > +
>> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>> 
>> This is actually not the upstream source repository. It's a 3rd party
>> unofficial mirror.
>>
Ahhh, I blindly used the links from debian security tracker. Should have
been more careful. I wonder why they use links from an unofficial mirror.

>> To the chagrin of young packagers everywhere, libtiff is still using
>> CVS. Unless somebody beats me to it, I'll extract the patches from their
>> CVS repo later tonight.
>
:)

> I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for
> getting it started Alex!

You're welcomed!

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.