LibTiff Mailing List

On Sun, Aug 31, 2008 at 10:38:01AM -0500, Bob Friesenhahn wrote:
> If an application needs to be secure/stable in the face of hostile 
> files then it should not link against libtiff.

I would like to be able to view tiff files. Maybe some NASA site (*)
has "tiff" as the "higher quality" images.

My image viewer of choice is: gqview. But you're saying that because
it's linked against libtiff, I shouldn't be using it. 

Or that because gqview might be run on files from the internet, gqview
should not link against libtiff. 

So, because I might download an image from the internet, and try to 
modify it using the gimp, GIMP should not link against libtiff. 

Because Imagemagick might be used to convert an image from the internet, 
imagemagick should not link against libtiff.

Hylafax is used on tiff files recieved from fax machines on the other
end. Some malicious user might send invalid tiff files. 

My system lists 199 packages as depending on libtiff. Over half cannot
guarantee that they won't be run on data from the internet. 

For the record, I find your statement rediculous.

	Roger. 

(*) You'd say that I could "trust" the NASA. However, nasa delivers
the TIFF files unencrypted, so they might be modified en-route, or with
for example the recent DNS exploit, I might be browsing a hacked-side
pretending to be NASA. 

-- 
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2600998 **
**    Delftechpark 26 2628 XH  Delft, The Netherlands. KVK: 27239233    **
*-- BitWizard writes Linux device drivers for any device you may have! --*
Q: It doesn't work. A: Look buddy, doesn't work is an ambiguous statement. 
Does it sit on the couch all day? Is it unemployed? Please be specific! 
Define 'it' and what it isn't doing. --------- Adapted from lxrbot FAQ


AWARE [SYSTEMS]		Imaging expertise for the Delphi developer
		TIFF and LibTiff Mailing List Archive
	LibTiff Mailing List TIFF and LibTiff Mailing List Archive August 2008 Previous Thread Next Thread Previous by Thread Next by Thread Previous by Date Next by Date Contact The TIFF Mailing List Homepage This list is run by Frank Warmerdam Archive maintained by AWare Systems	Thread 2008.08.29 22:53 "Some security fixes from RHEL", by Even Rouault 2008.08.30 02:08 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.01 22:18 "Re: libtiff security", by Dmitry V Levin 2008.08.31 15:17 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.08.31 15:38 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:09 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.08.31 21:21 "Re: Some security fixes from RHEL", by <o.druemmer@callassoftware.com> 2008.08.31 21:51 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 22:08 "Re: Some security fixes from RHEL", by Lee Howard 2008.08.31 22:21 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 22:10 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.03 08:21 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.03 15:11 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 17:31 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 17:48 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:52 "Re: Some security fixes from RHEL", by Toby Thain 2008.08.31 22:01 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.08.31 21:59 "Re: Some security fixes from RHEL", by Lee Howard 2008.08.31 22:17 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 06:29 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.09.01 06:53 "Re: Some security fixes from RHEL", by Toby Thain 2008.09.01 03:12 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 15:52 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.01 21:33 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 16:38 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 17:07 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 17:20 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:02 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 18:13 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:43 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 20:47 "Re: Some security fixes from RHEL", by Edward Lam 2008.09.03 21:01 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 18:32 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 19:04 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 19:32 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 21:39 "Re: Some security fixes from RHEL", by Lee Howard 2008.09.03 21:59 "Re: Some security fixes from RHEL", by Even Rouault 2008.09.03 22:35 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 23:31 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.04 07:47 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.04 12:55 "Re: Some security fixes from RHEL", by Edward Lam 2008.09.06 01:20 "Re: Some security fixes from RHEL", by Jay Berkenbilt 2008.09.04 07:22 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.04 08:05 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.04 08:52 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.04 20:06 "tiffsplit.c broken on Windows in trunk", by Edward Lam 2008.09.04 20:41 "Re: tiffsplit.c broken on Windows in trunk", by Toby Thain 2008.09.04 21:13 "Re: tiffsplit.c broken on Windows in trunk", by Edward Lam 2008.09.05 06:42 "Re: tiffsplit.c broken on Windows in trunk", by Andrey Kiselev 2008.09.03 17:16 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.04 07:45 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.01 22:30 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.03 08:05 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.01 05:11 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.01 15:30 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 15:33 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.02 08:13 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.02 08:24 "Re: Some security fixes from RHEL", by Tom Lane 2008.09.02 12:01 "Re: Some security fixes from RHEL", by Kai-uwe Behrmann 2008.09.02 15:49 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.03 08:14 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.09.03 14:07 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.03 15:53 "Re: Some security fixes from RHEL", by Frank Warmerdam 2008.09.01 16:23 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.01 18:00 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 22:04 "Re: Some security fixes from RHEL", by Dmitry V Levin 2008.09.01 15:40 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.01 18:19 "Re: Some security fixes from RHEL", by Rogier Wolff 2008.09.01 18:45 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.02 15:54 "Re: Some security fixes from RHEL", by <ron@debian.org> 2008.09.02 16:39 "Re: Some security fixes from RHEL", by Bob Friesenhahn 2008.09.03 08:03 "Re: Some security fixes from RHEL", by Andrey Kiselev 2008.08.31 21:09 "Re: Some security fixes from RHEL", by Rogier Wolff On Sun, Aug 31, 2008 at 10:38:01AM -0500, Bob Friesenhahn wrote: > If an application needs to be secure/stable in the face of hostile > files then it should not link against libtiff. I would like to be able to view tiff files. Maybe some NASA site () has "tiff" as the "higher quality" images. My image viewer of choice is: gqview. But you're saying that because it's linked against libtiff, I shouldn't be using it. Or that because gqview might be run on files from the internet, gqview should not link against libtiff. So, because I might download an image from the internet, and try to modify it using the gimp, GIMP should not link against libtiff. Because Imagemagick might be used to convert an image from the internet, imagemagick should not link against libtiff. Hylafax is used on tiff files recieved from fax machines on the other end. Some malicious user might send invalid tiff files. My system lists 199 packages as depending on libtiff. Over half cannot guarantee that they won't be run on data from the internet. For the record, I find your statement rediculous. Roger. () You'd say that I could "trust" the NASA. However, nasa delivers the TIFF files unencrypted, so they might be modified en-route, or with for example the recent DNS exploit, I might be browsing a hacked-side pretending to be NASA. -- R.E.Wolff@BitWizard.nl http://www.BitWizard.nl/ +31-15-2600998 Delftechpark 26 2628 XH Delft, The Netherlands. KVK: 27239233 -- BitWizard writes Linux device drivers for any device you may have! -- Q: It doesn't work. A: Look buddy, doesn't work is an ambiguous statement. Does it sit on the couch all day? Is it unemployed? Please be specific! Define 'it' and what it isn't doing. --------- Adapted from lxrbot FAQ

LibTiff Mailing List

Thread

2008.08.31 21:09 "Re: Some security fixes from RHEL", by Rogier Wolff