AWARE [SYSTEMS] Imaging expertise for the Delphi developer
AWare Systems, Imaging expertise for the Delphi developer, Home TIFF and LibTiff Mailing List Archive

LibTiff Mailing List

TIFF and LibTiff Mailing List Archive
August 2008

Previous Thread
Next Thread

Previous by Thread
Next by Thread

Previous by Date
Next by Date

Contact

The TIFF Mailing List Homepage
This list is run by Frank Warmerdam
Archive maintained by AWare Systems



Valid HTML 4.01!



Thread

2008.08.29 22:53 "Some security fixes from RHEL", by Even Rouault
2008.08.30 02:08 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.01 22:18 "Re: libtiff security", by Dmitry V Levin
2008.08.31 15:17 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.08.31 15:38 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 21:09 "Re: Some security fixes from RHEL", by Rogier Wolff
2008.08.31 21:21 "Re: Some security fixes from RHEL", by <o.druemmer@callassoftware.com>
2008.08.31 21:51 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 22:08 "Re: Some security fixes from RHEL", by Lee Howard
2008.08.31 22:21 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 22:10 "Re: Some security fixes from RHEL", by Dmitry V Levin
2008.09.03 08:21 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.03 15:11 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 17:31 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 17:48 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 21:52 "Re: Some security fixes from RHEL", by Toby Thain
2008.08.31 22:01 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.08.31 21:59 "Re: Some security fixes from RHEL", by Lee Howard
2008.08.31 22:17 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 06:29 "Re: Some security fixes from RHEL", by Rogier Wolff
2008.09.01 06:53 "Re: Some security fixes from RHEL", by Toby Thain
2008.09.01 03:12 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.01 15:52 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.01 21:33 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.03 16:38 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 17:07 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 17:20 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 18:02 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 18:13 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 18:43 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 20:47 "Re: Some security fixes from RHEL", by Edward Lam
2008.09.03 21:01 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 18:32 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.03 19:04 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 19:32 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 21:39 "Re: Some security fixes from RHEL", by Lee Howard
2008.09.03 21:59 "Re: Some security fixes from RHEL", by Even Rouault
2008.09.03 22:35 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 23:31 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.04 07:47 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.04 12:55 "Re: Some security fixes from RHEL", by Edward Lam
2008.09.06 01:20 "Re: Some security fixes from RHEL", by Jay Berkenbilt
2008.09.04 07:22 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.04 08:05 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.04 08:52 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.04 20:06 "tiffsplit.c broken on Windows in trunk", by Edward Lam
2008.09.04 20:41 "Re: tiffsplit.c broken on Windows in trunk", by Toby Thain
2008.09.04 21:13 "Re: tiffsplit.c broken on Windows in trunk", by Edward Lam
2008.09.05 06:42 "Re: tiffsplit.c broken on Windows in trunk", by Andrey Kiselev
2008.09.03 17:16 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.04 07:45 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.01 22:30 "Re: Some security fixes from RHEL", by Dmitry V Levin
2008.09.03 08:05 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.01 05:11 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.01 15:30 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.01 15:33 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.02 08:13 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.02 08:24 "Re: Some security fixes from RHEL", by Tom Lane
2008.09.02 12:01 "Re: Some security fixes from RHEL", by Kai-uwe Behrmann
2008.09.02 15:49 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.03 08:14 "Re: Some security fixes from RHEL", by Andrey Kiselev
2008.09.03 14:07 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.03 15:53 "Re: Some security fixes from RHEL", by Frank Warmerdam
2008.09.01 16:23 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.01 18:00 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 22:04 "Re: Some security fixes from RHEL", by Dmitry V Levin
2008.09.01 15:40 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.01 18:19 "Re: Some security fixes from RHEL", by Rogier Wolff
2008.09.01 18:45 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.02 15:54 "Re: Some security fixes from RHEL", by <ron@debian.org>
2008.09.02 16:39 "Re: Some security fixes from RHEL", by Bob Friesenhahn
2008.09.03 08:03 "Re: Some security fixes from RHEL", by Andrey Kiselev

2008.09.01 15:30 "Re: Some security fixes from RHEL", by Frank Warmerdam

Tom Lane wrote:
> As maintainer of Red Hat's libtiff package, I am now seriously wondering
> whether I must recommend that Red Hat disable TIFF support in any
> application that has any internet exposure.  

Tom,

Well, thats your call I suppose, though I'd hope you would also balance
such a decision against the lost utility.  I do think it would be foolish
for something like firefox to automatically use libtiff to read and attempt
to display TIFF files embedded as images on web sites.  At the very least
users ought to be making a trust-decision for web sourced TIFF files before
they are opened.

Likewise, I would seriously consider not automatically accessing TIFF files
and offering cute little previews on desktops by default, though at least
in these situations the user has presumably deliberately choosen to download
the image and save it to their file system.

 > My rough estimate is that
> the number of packages that would continue to support TIFF after such a
> recommendation would be zero.  libtiff would become an instant pariah.
 >
> I realize that hardening libtiff is likely to be a long and tedious
> process.  But I think failing to accept that you've got to do it is
> a good way to kill the project.

The point is that Bob, Joris, Andrey and myself have very limited
amounts of time to apply to libtiff maintenance and we have a hard
time keeping up with existing routine maintenance.  We do not generally
have the skills required for a serious security audit of libtiff.

So, either folks who care about the security issues will need to step
forward and take on the task as libtiff co-maintainers, or else it is
not going to happen.

Frankly, TIFF will not become a pariah in my community of use so the
issue isn't all that pressing for me.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent