☰LibTiff Mailing List Archive

2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.08.30 02:08 "Re: [Tiff] Some security fixes from RHEL", by Tom Lane
- 2008.09.01 22:18 "Re: [Tiff] libtiff security", by Dmitry V. Levin
2008.08.31 15:17 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam
- 2008.08.31 15:38 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 08:03 "Re: [Tiff] Some security fixes from RHEL", by Andrey Kiselev
- 2008.09.04 20:48 "Re: [Tiff] beta2 release - lfind() problem on Win64", by Edward Lam
  - 2008.09.05 06:18 "Re: [Tiff] beta2 release - lfind() problem on Win64", by Andrey Kiselev
    - 2008.09.04 20:06 "[Tiff] tiffsplit.c broken on Windows in trunk", by Edward Lam
      - 2008.09.04 20:41 "Re: [Tiff] tiffsplit.c broken on Windows in trunk", by Toby Thain
        2008.09.04 21:13 "Re: [Tiff] tiffsplit.c broken on Windows in trunk", by Edward Lam
      - 2008.09.05 06:42 "[Tiff] Re: tiffsplit.c broken on Windows in trunk", by Andrey Kiselev
    - 2008.09.05 13:09 "Re: [Tiff] beta2 release - lfind() problem on Win64", by Edward Lam
2008.09.03 21:01 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
- 2008.09.03 18:13 "Re: [Tiff] Some security fixes from RHEL", by Lee Howard
  - 2008.09.03 18:43 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
  - 2008.09.03 20:47 "Re: [Tiff] Some security fixes from RHEL", by Edward Lam
2008.09.03 21:59 "Re: [Tiff] Some security fixes from RHEL", by Even Rouault

2008.08.31 15:38 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn

Honestly, I think libtiff has lots of security issues in the fact of hostile TIFF files, and I find it hard to get excited about any particular issue.

I do agree that libtiff maintenance has not historically been in knee-jerk synchronized response to reports of security exploits. Probably there has never been a release due to a security exploit. Libtiff releases are few and far between and occur due to the actions of an interested maintainer.

It is not particularly difficult to find TIFF files which could crash libtiff. If 'tiffinfo' crashes, then it is likely that a program using libtiff will also crash.

Coverity shows that libtiff has been riddled with issues. There are likely many more complex issues that Coverity would not spot.

If an application needs to be secure/stable in the face of hostile files then it should not link against libtiff.

Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/