Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#74229 - [libtiff] [security] fix 9 CVEs

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Thursday, 24 March 2022, 19:48 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 29 March 2022, 23:22 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The libtiff package is missing some CVE fixes that have been committed upstream since the last release 11 months ago. The attached diff fixes all of them that are in the Debian repo.

CVE-2022-0561
CVE-2022-0562
CVE-2022-0865
CVE-2022-0891
CVE-2022-0907
CVE-2022-0908
CVE-2022-0909
CVE-2022-0924
CVE-2022-22844

Additional info:
https://sources.debian.org/src/tiff/4.3.0-6/debian/patches/
   libtiff.diff (4.1 KiB)
This task depends upon

Closed by  Levente Polyak (anthraxx)
Tuesday, 29 March 2022, 23:22 GMT
Reason for closing:  Fixed
Additional comments about closing:  4.3.0-2 in [testing]
Comment by T.J. Townsend (blakkheim) - Thursday, 24 March 2022, 21:27 GMT
Also, Even Rouault told me today that cutting a new libtiff release is "vaguely on his todo list" but could not provide an ETA. So I think it's worth backporting them for now.
Comment by Levente Polyak (anthraxx) - Tuesday, 29 March 2022, 23:22 GMT
unfortunate all downstreams need to carefully keep track and backport like 10 patches instead of getting a security point release

Loading...