On Wed, Feb 18, 2015 at 12:50 PM, John Goerzen wrote:
>> [wheezy] - tiff3 <no-dsa> (the changes that [a]ffect the library are just
>> hardening, converting uses of sprintf to snprintf. those can be rolled
>> into the next tiff3 update, but a separate dsa isn't needed)
>>
> I saw that too, though the bug report says something different, the DSA
> note is probably correct. But then why is wheezy listed as vulnerable?
>
> Do they think that sprintf is safe?

The patch for CVE-2013-1961 is right there attached to my nmu message in #706674. Please feel free to wheezy-pu tiff3 if the lack of snprintf hardening there really bothers you.

Best wishes,
Mike