2009.08.23 16:20 "Re: [Tiff] libtiff 4.0.0beta3", by Jay Berkenbilt
Also, it is necessary to assure that various submitted security patches have been applied. I don't receive notifications from Bugzilla when new bugs are submitted (and don't know how to enable that) so I am not sure how many such patches have been submitted.
It would be helpful if bug reports in Bugzilla as well as CVS commit comments contained CVE numbers for security-related patches. It would make it much easier to verify that security fixes have been committed or at least acknowledged. But I did a careful analysis of this just a few days ago while preparing Debian packages for 3.9.0 and 4.0.0 beta 3.
Executive summary: bugs 1895, 2024, and 2079 have not been applied to the trunk. They are all relatively simple.
Based on my analysis, the only CVE security patch not in the trunk is CVE-2009-2347.patch (bug 2079). In addition, there are two potentially security-related patches (because of potential denial of service) that have been applied to 3.9.0 but do not yet appear in the trunk: bugs 1895 and 2024. In my notes for the Debian package, I have a warning to myself that the logic for bug 1895 is subtle and to check the code carefully to make sure all cases are handled. This is in the bug report. You will be familiar with 2024 and 2079 as you just recently applied them to the 3.9 branch. After these are applied, if my analysis is correct, all security-related bugs ever reported against tiff in Debian will be in the trunk.
My analysis method was to take all the security-related patches in the Debian tiff package and to manually check them against the trunk. Then I also checked the latest Fedora package in rawhide to see whether there are any security patches applied there that were not in the Debian package. (There aren't.)
There is no guarantee that I haven't missed something, but I do track all security-related patches carefully for all my packages, and I've been maintaining TIFF for Debian since 2004. I'd say there's a high likelihood that my analysis is complete. If a security patch to an earlier version was improperly or incompletely applied to the trunk, I may not have noticed that, as when verifying that the patches appeared in the trunk, I was more focused on making sure the changes in the patch were there, even if in a different place. In some cases, a patch was only partially applied because the code had changed in a way that made the original problem irrelevant, so a partial application is not necessarily an indication of a problem. (I know you know this. I'm just stating it for completeness.)
Jay Berkenbilt <email@example.com>
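The audit described in the message above (take each security patch from the distribution package, confirm its changes are present in the trunk even if they landed somewhere else, and flag partial applications for a closer look) can be mechanised for a first pass. The following is an added example, not code from the libtiff project or from the message author: it parses a unified diff, collects the added lines of each hunk, and reports per hunk whether every added line, some, or none appear anywhere in the corresponding trunk file. The patch text, file paths and file contents are constructed for illustration; a real run would read the checkout from disk instead of the in-memory `TRUNK` mapping.

```python
"""Per-hunk check of whether a unified diff's added lines are present in a
target tree.  Added example; not code from libtiff or the message author."""
import re
from typing import Dict, List

HunkAdds = List[str]                    # '+' lines of one hunk, whitespace-stripped
PatchIndex = Dict[str, List[HunkAdds]]  # target path -> list of hunks

FILE_HEADER = re.compile(r"^\+\+\+ (?:b/)?(\S+)")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@")


def parse_unified_diff(patch_text: str) -> PatchIndex:
    """Group the added ('+') lines of a unified diff by target file and hunk."""
    index: PatchIndex = {}
    current_file = None
    for line in patch_text.splitlines():
        m = FILE_HEADER.match(line)
        if m:                       # '+++ b/path' names the file being patched
            current_file = m.group(1)
            index.setdefault(current_file, [])
            continue
        if line.startswith("--- "):  # old-file header; nothing to record
            continue
        if HUNK_HEADER.match(line):
            if current_file is None:
                raise ValueError("hunk header before any '+++' file header")
            index[current_file].append([])
            continue
        if current_file is None or not index[current_file]:
            continue                # preamble text before the first hunk
        if line.startswith("+"):
            added = line[1:].strip()
            if added:               # a blank added line is no evidence either way
                index[current_file][-1].append(added)
    return index


def classify_hunk(added: HunkAdds, target_text: str) -> str:
    """'applied' if every added line occurs in the target file (anywhere, so a
    relocated fix still counts), 'partial' if only some do, 'missing' if none,
    'unverified' for a deletion-only hunk that has nothing to look for."""
    if not added:
        return "unverified"
    present = {ln.strip() for ln in target_text.splitlines()}
    found = sum(1 for ln in added if ln in present)
    if found == len(added):
        return "applied"
    if found == 0:
        return "missing"
    return "partial"


def audit_patch(patch_text: str, tree: Dict[str, str]) -> Dict[str, List[str]]:
    """One verdict per hunk, keyed by file path; `tree` maps path -> contents."""
    return {
        path: [classify_hunk(h, tree.get(path, "")) for h in hunks]
        for path, hunks in parse_unified_diff(patch_text).items()
    }


# Constructed sample patch: three hypothetical files, one hunk each.
SAMPLE_PATCH = """\
--- a/libtiff/tif_strip.c
+++ b/libtiff/tif_strip.c
@@ -20,6 +20,9 @@
 tsize_t read_strip(TIFF *tif, uint32 strip, tsize_t size)
 {
+    /* reject sizes that would overflow the buffer below */
+    if (size > MAX_STRIP_SIZE)
+        return (tsize_t)(-1);
     return do_read(tif, strip, size);
 }
--- a/libtiff/tif_dir.c
+++ b/libtiff/tif_dir.c
@@ -5,4 +5,6 @@
 int set_field(TIFF *tif, int tag, int value)
 {
+    if (value < 0)
+        return 0;
     return store(tif, tag, value);
 }
--- a/libtiff/tif_read.c
+++ b/libtiff/tif_read.c
@@ -3,3 +3,5 @@
 int read_rows(TIFF *tif, uint32 nrows)
 {
+    if (nrows == 0)
+        return 0;
"""

# Constructed stand-in for the trunk checkout (tif_read.c deliberately absent).
TRUNK = {
    # fix present but moved into a helper: every added line still occurs
    "libtiff/tif_strip.c": """\
static tsize_t check_size(tsize_t size)
{
    /* reject sizes that would overflow the buffer below */
    if (size > MAX_STRIP_SIZE)
        return (tsize_t)(-1);
    return 0;
}
tsize_t read_strip(TIFF *tif, uint32 strip, tsize_t size)
{
    return do_read(tif, strip, size);
}
""",
    # only one of the two added lines made it in: flag for manual review
    "libtiff/tif_dir.c": """\
int set_field(TIFF *tif, int tag, int value)
{
    if (value < 0)
        abort();
    return store(tif, tag, value);
}
""",
}

if __name__ == "__main__":
    for path, verdicts in audit_patch(SAMPLE_PATCH, TRUNK).items():
        print(f"{path}: {', '.join(verdicts)}")
```

A "partial" verdict is exactly the case the message warns about: it may mean the trunk diverged and only part of the patch still applies, or it may mean the fix was dropped; either way it needs a human to read the hunk against the current code, which is why the script reports rather than decides.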