[PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.

Done

Details

2 participants

Alex Vong
Leo Famulari

Owner: unassigned

Submitted by: Alex Vong

Severity: important

Alex Vong wrote on 7 Jul 2017 00:31

Recipients:(address . guix-patches@gnu.org)

Message-ID:87r2xti4dz.fsf@gmail.com

Severity: important

Tags: patch security

Hello,

This patch fixes two latest CVEs of libtiff:

Attachment: 0001-gnu-libtiff-Fix-CVE-2017-9936-10688.patch

Cheers,

Alex

Leo Famulari wrote on 7 Jul 2017 01:40

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603@debbugs.gnu.org)

Message-ID:20170706234038.GB1280@jasmine.lan

On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:

Toggle quote (10 lines)

> * gnu/packages/patches/libtiff-CVE-2017-9936.patch,

> gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.

> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.

> * gnu/local.mk (dist_patch_DATA): Add them.

> +Patch lifted from upstream source repository (the changes to 'ChangeLog'

> +don't apply to the libtiff 4.0.8 release tarball):

> +

> +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1

This is actually not the upstream source repository. It's a 3rd party
unofficial mirror.

To the chagrin of young packagers everywhere, libtiff is still using
CVS. Unless somebody beats me to it, I'll extract the patches from their
CVS repo later tonight.

Leo Famulari wrote on 7 Jul 2017 06:07

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603-done@debbugs.gnu.org)

Message-ID:20170707040726.GA2920@jasmine.lan

On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:

Toggle quote (18 lines)> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> >   gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> 
> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> > +don't apply to the libtiff 4.0.8 release tarball):
> > +
> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
> 
> This is actually not the upstream source repository. It's a 3rd party
> unofficial mirror.
> 
> To the chagrin of young packagers everywhere, libtiff is still using
> CVS. Unless somebody beats me to it, I'll extract the patches from their
> CVS repo later tonight.

I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for

getting it started Alex!

Closed

Alex Vong wrote on 7 Jul 2017 15:20

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 27603-done@debbugs.gnu.org)

Message-ID:87tw2o1j08.fsf@gmail.com

Leo Famulari <leo@famulari.name> writes:

Toggle quote (15 lines)> On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
>> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
>> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
>> >   gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
>> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>> 
>> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
>> > +don't apply to the libtiff 4.0.8 release tarball):
>> > +
>> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>> 
>> This is actually not the upstream source repository. It's a 3rd party
>> unofficial mirror.
>>

Ahhh, I blindly used the links from debian security tracker. Should have

been more careful. I wonder why they use links from an unofficial mirror.

Toggle quote (4 lines)

>> To the chagrin of young packagers everywhere, libtiff is still using

>> CVS. Unless somebody beats me to it, I'll extract the patches from their

>> CVS repo later tonight.

Toggle quote (3 lines)

> I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for

> getting it started Alex!

You're welcomed!

Closed

Leo Famulari wrote on 7 Jul 2017 18:30

Recipients:(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 27603-done@debbugs.gnu.org)

Message-ID:20170707163047.GA18417@jasmine.lan

On Fri, Jul 07, 2017 at 09:20:07PM +0800, Alex Vong wrote:

Toggle quote (3 lines)

> Ahhh, I blindly used the links from debian security tracker. Should have

> been more careful. I wonder why they use links from an unofficial mirror.

I noticed they were doing that, and I don't understand why. It *is*

convenient to have a relatively stable changeset ID in the form of Git

commit hashes.

I asked about it on oss-security and the repo was confirmed to be

unofficial:

http://seclists.org/oss-sec/2017/q1/15

It has been acknowledged by the libtiff maintainer:

http://maptools-org.996276.n3.nabble.com/git-version-control-td13746.html

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 27603@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 27603

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date