AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

Thread

2005.06.03 07:17 "[Tiff] BitsPerSample buffer overflow - security release?", by Gervase Markham
2005.06.03 13:42 "RE: [Tiff] BitsPerSample buffer overflow - security release?", by Thom DeCarlo
2005.06.07 17:41 "Re: [Tiff] BitsPerSample buffer overflow - security release?", by Andrey Kiselev

2005.06.03 07:17 "[Tiff] BitsPerSample buffer overflow - security release?", by Gervase Markham

[Resending from correct address now I'm subscribed.]

Hi,

Is there a planned release date for a stable version of libTIFF with a fix for the BitsPerSample stack-based buffer overflow[0]?

You guys fixed the problem in CVS early last month[1].

Gentoo[2] and Ubuntu[3] have already issued updated packages. We use a binary version of libTIFF embedded in FreeImage[4], and so can't easily patch our local copy, so ideally you guys would release an update and then we'd get them to release one as well. Do you have a planned release date for the next version?

Thanks for your time,

Gerv

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1544 [1] http://bugzilla.remotesensing.org/show_bug.cgi?id=843 [2] http://www.gentoo.org/security/en/glsa/glsa-200505-07.xml [3] http://www.ubuntulinux.org/support/documentation/usn/usn-130-1 [4] http://freeimage.sourceforge.net/