From: Alex Vong
To: Leo Famulari
Cc: 27603-done@debbugs.gnu.org
Subject: Re: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Fri, 07 Jul 2017 21:20:07 +0800

Leo Famulari writes:

> On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
>> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
>> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
>> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
>> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
>> > * gnu/local.mk (dist_patch_DATA): Add them.
>>
>> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
>> > +don't apply to the libtiff 4.0.8 release tarball):
>> > +
>> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>>
>> This is actually not the upstream source repository. It's a 3rd party
>> unofficial mirror.
>>

Ahhh, I blindly used the links from Debian security tracker. Should have
been more careful. I wonder why they use links from an unofficial mirror.

>> To the chagrin of young packagers everywhere, libtiff is still using
>> CVS. Unless somebody beats me to it, I'll extract the patches from their
>> CVS repo later tonight.
>

:)

> I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818. Thanks for
> getting it started Alex!

You're welcome!