Even Rouault <[email protected]> writes:

> On 22/05/2022 at 02:21, Greg Troxel wrote:
>> I locally updated the pkgsrc package to 4.4.0rc1. That builds with
>> autoconf, and that seems right because README.md documents autoconf as
>> the build system.
>>
>> It looks like patches for the following were applied (as the pkgsrc
>> patches show as reversed and I dropped them):
>> patches/patch-CVE-2022-0561
>> patches/patch-CVE-2022-0907
>> patches/patch-CVE-2022-0909
>> patches/patch-CVE-2022-0924
>> patches/patch-CVE-2022-22844
>>
>> I don't find "CVE" in ChangeLog and there is no NEWS so it's hard to be
>> sure.
> Noting in the news which commit fixes which CVE would be a super
> painful exercise, since they are not mentioned in commit messages, so
> we'd have to go back to each ticket/merge request and look if someone
> mentioned a CVE number.
Sure, I realize that's hard. But that degree of cross-correlation isn't
what I was getting at.
As a user and packager, I want to see NEWS, which omits 99% of what's in
a changelog and mentions:

  * API breaks
  * API additions
  * ABI breaks
  * CVEs fixed
  * anything else that's a big deal to a user

I realize volunteer time is slim etc. but it would be really nice if
commit and merge messages reference CVEs when known.
Looking at the patches in pkgsrc:
* patch-CVE-2022-0561
https://gitlab.com/libtiff/libtiff/-/issues/362
This fixes CVE-2022-0561 and CVE-2022-0562.
* patch-CVE-2022-0907
[PATCH] add checks for return value of limitMalloc (CVE-2022-0907)
https://gitlab.com/libtiff/libtiff/-/merge_requests/314.patch
[PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
extractImageSection (CVE-2022-0891)
https://gitlab.com/libtiff/libtiff/-/commit/46dc8fcd4d38c3b6f35ab28e532aee80e6f609d6.patch
* patch-CVE-2022-0909
[PATCH] fix FPE in tiffcrop
https://gitlab.com/libtiff/libtiff/-/merge_requests/310.patch
* patch-CVE-2022-0924
[PATCH] fix heap buffer overflow in tiffcp
https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665.patch
* patch-CVE-2022-22844
https://gitlab.com/libtiff/libtiff/-/issues/355
This fixes CVE-2022-22844.
I followed the issue/MR links and the fixes were all merged.
_______________________________________________ Tiff mailing list [email protected] https://lists.osgeo.org/mailman/listinfo/tiff
