Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#74229 - [libtiff] [security] fix 9 CVEs
Attached to Project:
Arch Linux
Opened by T.J. Townsend (blakkheim) - Thursday, 24 March 2022, 19:48 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 29 March 2022, 23:22 GMT
Details
Description:
The libtiff package is missing some CVE fixes that have been committed upstream since the last release 11 months ago. The attached diff fixes all of them that are in the Debian repo.

CVE-2022-0561
CVE-2022-0562
CVE-2022-0865
CVE-2022-0891
CVE-2022-0907
CVE-2022-0908
CVE-2022-0909
CVE-2022-0924
CVE-2022-22844

Additional info:
https://sources.debian.org/src/tiff/4.3.0-6/debian/patches/
Closed by Levente Polyak (anthraxx)
Tuesday, 29 March 2022, 23:22 GMT
Reason for closing: Fixed
Additional comments about closing: 4.3.0-2 in [testing]

Also, Even Rouault told me today that cutting a new libtiff release is "vaguely on his todo list" but could not provide an ETA. So I think it's worth backporting them for now.

Unfortunate that all downstreams need to carefully keep track and backport like 10 patches instead of getting a security point release.