Version franaise
Home About Download Resources Contact us
Browse thread
New 3.0.2 release of the Caml Images library
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: -- (:)
From: Mehdi Dogguy <mehdi.dogguy@p...>
Subject: Re: [Caml-list] New 3.0.2 release of the Caml Images library
Pierre Weis wrote:
> 
> This is a bug fix release.
> 

There is still a security issue not fixed in this release which concerns
TIFF images. A CVE has been announced a while ago:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3296

I tried to contact the authors (one month ago) but received no answer
yet. That's why I'm sending this message on the list: to let users and
packagers know about the bug.

The vulenarable file is “src/tiffread.c”. The patch is available at:

	http://tinyurl.com/cve-tiff-1

and the source code of “oversized.h” is available at:

	http://tinyurl.com/cve-tiff-2

These changes are applied in the Debian packages and were backported to
the stable and oldstable releases.

Best regards,

-- 
Mehdi Dogguy مهدي الدڤي
http://www.pps.jussieu.fr/~dogguy
Tel.: (+33).1.44.27.28.38