TIFF and LibTiff Mailing List Archive
Thread: 2008.08.31 15:17 "Re: Some security fixes from RHEL", by Frank Warmerdam

Even Rouault wrote:
> I've just read http://lwn.net/Articles/296197 and I downloaded the source rpm.
>
> I've attached here 2 vendor security patches from Redhat for their RHELs that
> aren't yet applied to CVS head (I haven't checked the 3.9 branch):
> - libtiff-3.8.2-CVE-2006-2193.patch
> - libtiff-3.8.2-lzw-bugs.patch: Fixes for CVE-2008-2327. Partly reported and
>   proposed patch in http://bugzilla.maptools.org/show_bug.cgi?id=1929. But
>   Redhat's patch has a few extra lines. See
>   https://bugzilla.redhat.com/show_bug.cgi?id=458674
>
> I'm just curious about how vendors usually interact with the libtiff upstream
> team? It would have been nice if they had dropped a word on it on the libtiff
> bugzilla...

Even,

I was originally contacted by someone from Apple a couple of weeks ago, who offered advance information in return for an agreement to embargo any disclosure till the publication date. I agreed, but in fact never got around to further reviewing the matter, even now with the date gone by.

Honestly, I think libtiff has lots of security issues in the face of hostile TIFF files, and I find it hard to get excited about any particular issue. Also, apparently security folks don't like filing visible bugs on these sorts of issues, which makes it even harder for me to cope with since my email folder is a black hole.

Best regards,

--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent