LibTiff Mailing List Archive, "Re: Some security fixes from RHEL", by Bob Friesenhahn


AWARE [SYSTEMS]		Imaging expertise for the Delphi developer
		TIFF and LibTiff Mailing List Archive
	LibTiff Mailing List TIFF and LibTiff Mailing List Archive August 2008 Previous Thread Next Thread Previous by Thread Next by Thread Previous by Date Next by Date Contact The TIFF Mailing List Homepage This list is run by Frank Warmerdam Archive maintained by AWare Systems	Thread 2008.08.29 22:53 "Some security fixes from RHEL", by Even Rouault 2008.08.30 02:08 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.01 22:18 "Re: libtiff security", by Dmitry V Levin 2008.08.31 15:17 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.08.31 15:38 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:09 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.08.31 21:21 "Re: Some security fixes from RHEL", by <o.druemmer@callassoftware.com> 2008.08.31 21:51 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 22:08 "Re: Some security fixes from RHEL", by Lee Howard 2008.08.31 22:21 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 22:10 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.03 08:21 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.03 15:11 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 17:31 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 17:48 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:52 "Re: Some security fixes from RHEL", by Toby Thain 2008.08.31 22:01 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:59 "Re: Some security fixes from RHEL", by Lee Howard 2008.08.31 22:17 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 06:29 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.09.01 06:53 "Re: Some security fixes from RHEL", by Toby Thain 2008.09.01 03:12 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 15:52 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.01 21:33 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 16:38 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 17:07 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 17:20 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:02 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 18:13 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:43 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 20:47 "Re: Some security fixes from RHEL", by Edward Lam 2008.09.03 21:01 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:32 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 19:04 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 19:32 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 21:39 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 21:59 "Re: Some security fixes from RHEL", by Even Rouault 2008.09.03 22:35 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 23:31 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.04 07:47 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.04 12:55 "Re: Some security fixes from RHEL", by Edward Lam 2008.09.06 01:20 "Re: Some security fixes from RHEL", by Jay Berkenbilt 2008.09.04 07:22 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.04 08:05 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.04 08:52 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.04 20:06 "tiffsplit.c broken on Windows in trunk", by Edward Lam 2008.09.04 20:41 "Re: tiffsplit.c broken on Windows in trunk", by Toby Thain 2008.09.04 21:13 "Re: tiffsplit.c broken on Windows in trunk", by Edward Lam 2008.09.05 06:42 "Re: tiffsplit.c broken on Windows in trunk", by Andrey Kiselev 2008.09.03 17:16 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.04 07:45 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.01 22:30 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.03 08:05 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.01 05:11 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.01 15:30 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 15:33 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.02 08:13 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.02 08:24 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.02 12:01 "Re: Some security fixes from RHEL", by Kai-uwe Behrmann 2008.09.02 15:49 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 08:14 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.03 14:07 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 15:53 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 16:23 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.01 18:00 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 22:04 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.01 15:40 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 18:19 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.09.01 18:45 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.02 15:54 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.02 16:39 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 08:03 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.08.31 15:38 "Re: Some security fixes from RHEL", by Bob Friesenhahn On Sun, 31 Aug 2008, Frank Warmerdam wrote: > > Honestly, I think libtiff has lots of security issues in the fact of hostile > TIFF files, and I find it hard to get excited about any particular issue. I do agree that libtiff maintenance has not historically been in knee-jerk synchronized response to reports of security exploits. Probably there has never been a release due to a security exploit. Libtiff releases are few and far between and occur due to the actions of an interested maintainer. It is not particularly difficult to find TIFF files which could crash libtiff. If 'tiffinfo' crashes, then it is likely that a program using libtiff will also crash. Coverity shows that libtiff has been riddled with issues. There are likely many more complex issues that Coverity would not spot. If an application needs to be secure/stable in the face of hostile files then it should not link against libtiff. Bob ====================================== Bob Friesenhahn bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/

LibTiff Mailing List

Thread

2008.08.31 15:38 "Re: Some security fixes from RHEL", by Bob Friesenhahn