AWARE [SYSTEMS] Imaging expertise for the Delphi developer
AWare Systems, Imaging expertise for the Delphi developer, Home TIFF and LibTiff Mailing List Archive

LibTiff Mailing List

TIFF and LibTiff Mailing List Archive
August 2008

Previous Thread
Next Thread

Previous by Thread
Next by Thread

Previous by Date
Next by Date

Contact

The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems



Valid HTML 4.01!



Thread

2008.08.29 22:53 "Some security fixes from RHEL", by Even Rouault
2008.08.30 02:08 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.01 22:18 "Re: libtiff security", by Dmitry V Levin
2008.08.31 15:17 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.08.31 15:38 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 21:09 "Re: Some security fixes from RHEL", by Rogier Wolff
2008.08.31 21:21 "Re: Some security fixes from RHEL", by <o.druemmer@callassoftware.com>
2008.08.31 21:51 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 22:08 "Re: Some security fixes from RHEL", by Lee Howard
2008.08.31 22:21 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 22:10 "Re: Some security fixes from RHEL", by Dmitry V Levin
2008.09.03 08:21 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.03 15:11 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 17:31 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 17:48 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 21:52 "Re: Some security fixes from RHEL", by Toby Thain
2008.08.31 22:01 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 21:59 "Re: Some security fixes from RHEL", by Lee Howard
2008.08.31 22:17 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 06:29 "Re: Some security fixes from RHEL", by Rogier Wolff
2008.09.01 06:53 "Re: Some security fixes from RHEL", by Toby Thain
2008.09.01 03:12 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.01 15:52 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.01 21:33 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.03 16:38 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 17:07 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 17:20 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 18:02 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 18:13 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 18:43 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 20:47 "Re: Some security fixes from RHEL", by Edward Lam
2008.09.03 21:01 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 18:32 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.03 19:04 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 19:32 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 21:39 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 21:59 "Re: Some security fixes from RHEL", by Even Rouault
2008.09.03 22:35 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 23:31 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.04 07:47 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.04 12:55 "Re: Some security fixes from RHEL", by Edward Lam
2008.09.06 01:20 "Re: Some security fixes from RHEL", by Jay Berkenbilt
2008.09.04 07:22 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.04 08:05 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.04 08:52 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.04 20:06 "tiffsplit.c broken on Windows in trunk", by Edward Lam
2008.09.04 20:41 "Re: tiffsplit.c broken on Windows in trunk", by Toby Thain
2008.09.04 21:13 "Re: tiffsplit.c broken on Windows in trunk", by Edward Lam
2008.09.05 06:42 "Re: tiffsplit.c broken on Windows in trunk", by Andrey Kiselev
2008.09.03 17:16 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.04 07:45 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.01 22:30 "Re: Some security fixes from RHEL", by Dmitry V Levin
2008.09.03 08:05 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.01 05:11 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.01 15:30 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.01 15:33 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.02 08:13 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.02 08:24 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.02 12:01 "Re: Some security fixes from RHEL", by Kai-uwe Behrmann
2008.09.02 15:49 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 08:14 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.03 14:07 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.03 15:53 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.01 16:23 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.01 18:00 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 22:04 "Re: Some security fixes from RHEL", by Dmitry V Levin
2008.09.01 15:40 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 18:19 "Re: Some security fixes from RHEL", by Rogier Wolff
2008.09.01 18:45 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.02 15:54 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.02 16:39 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 08:03 "Re: Some security fixes from RHEL", by Andrey Kiselev

2008.08.31 21:52 "Re: Some security fixes from RHEL", by Toby Thain

On 31-Aug-08, at 6:09 PM, Rogier Wolff wrote:

> On Sun, Aug 31, 2008 at 10:38:01AM -0500, Bob Friesenhahn wrote:
>> If an application needs to be secure/stable in the face of hostile
>> files then it should not link against libtiff.
>
> I would like to be able to view tiff files. Maybe some NASA site (*)
> has "tiff" as the "higher quality" images.
>
> My image viewer of choice is: gqview. But you're saying that because
> it's linked against libtiff, I shouldn't be using it.
>
> Or that because gqview might be run on files from the internet, gqview
> should not link against libtiff.
>
> So, because I might download an image from the internet, and try to
> modify it using the gimp, GIMP should not link against libtiff.
>
> Because Imagemagick might be used to convert an image from the  
> internet,
> imagemagick should not link against libtiff.
>

As a response to all the threats above, it looks like libtiff needs  
some auditing and hardening. This is a community opportunity! Google  
Summer of Code, anyone?

> Hylafax is used on tiff files recieved from fax machines on the other
> end. Some malicious user might send invalid tiff files.

All of your other examples are reasonable, but this one is  
practically impossible, as the fax protocol does not transfer "a TIFF  
file" per se, but is an extremely narrowly defined protocol with  
extensive verification and handshaking. TIFF is only a convenient  
wrapper, created post facto, for the verified compressed multipage  
transmission. In other words, afaik, you can't insert "an arbitrary  
TIFF" in the sending end of the call and expect that to pop out the  
other end.

--Toby


>
> My system lists 199 packages as depending on libtiff. Over half cannot
> guarantee that they won't be run on data from the internet.
>
> For the record, I find your statement rediculous.
>
> 	Roger.
>
>
> (*) You'd say that I could "trust" the NASA. However, nasa delivers
> the TIFF files unencrypted, so they might be modified en-route, or  
> with
> for example the recent DNS exploit, I might be browsing a hacked-side
> pretending to be NASA.
>
> -- 
> ** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ **  
> +31-15-2600998 **
> **    Delftechpark 26 2628 XH  Delft, The Netherlands. KVK:  
> 27239233    **
> *-- BitWizard writes Linux device drivers for any device you may  
> have! --*
> Q: It doesn't work. A: Look buddy, doesn't work is an ambiguous  
> statement.
> Does it sit on the couch all day? Is it unemployed? Please be  
> specific!
> Define 'it' and what it isn't doing. --------- Adapted from lxrbot FAQ
> _______________________________________________
> Tiff mailing list: Tiff@lists.maptools.org
> http://lists.maptools.org/mailman/listinfo/tiff
> http://www.remotesensing.org/libtiff/