On 02/18/2015 08:53 AM, Thijs Kinkhorst wrote: > Hi John, > > On Wed, February 18, 2015 14:51, John Goerzen wrote: >> CVE-2013-1961 Stack-based buffer overflow in the t2p_write_pdf_page... >> <http://security-tracker.debian.org/tracker/CVE-2013-1961> >> - libtiff4 (remotely exploitable, high urgency) > The reason is explained when you follow this link you quote above: > > [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just > hardening, converting uses of sprintf to snprintf. those can be rolled > into the next tiff3 update, but a separate dsa isn't needed) > > I saw that too, though the bug report says something different, the DSA note is probably correct. But then why is wheezy listed as vulnerable?
Do they think that sprintf is safe? John -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/54e4d0ed.90...@complete.org
