This is a portion of the patch we were carrying for CVE-2009-2347 in 3.8.2. Unfortunately the upstream fix in 3.9.2 is incomplete, so we still need this part.

Original bug for this CVE: http://bugs.gentoo.org/show_bug.cgi?id=276988
Upstream bug reported by Fedora: http://bugzilla.maptools.org/show_bug.cgi?id=2079
The missing piece of the fix: http://cvs.fedoraproject.org/viewvc/rpms/libtiff/devel/libtiff-CVE-2009-2347.patch?view=markup
+*tiff-3.9.2-r1 (26 Feb 2010) + + 26 Feb 2010; Samuli Suominen <ssuominen@gentoo.org> +tiff-3.9.2-r1.ebuild, + +files/tiff-3.9.2-CVE-2009-2347.patch: + Fix CVE-2009-2347 again wrt security #307001.
Nice catch, Samuli, thanks!

Arches, please test and mark stable:
=media-libs/tiff-3.9.2-r1
Target keywords: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
x86 stable
ppc64 done
Stable for HPPA.
alpha/arm/ia64/m68k/s390/sh/sparc stable
amd64 stable
Marked ppc stable.
GLSA request filed. Please don't forget "all arches done", it will ease bug handling for the security team.
This issue was resolved and addressed in GLSA 201209-02 at http://security.gentoo.org/glsa/glsa-201209-02.xml by GLSA coordinator Sean Amoss (ackle).