2008.09.01 15:33 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn
If an application needs to be secure/stable in the face of hostile files then it should not link against libtiff.
While the above statements are undoubtedly accurate, the sentiments that they express are unhealthy for the large community that uses libtiff.
More than that: they're unhealthy for the future of TIFF itself.
I agree with you that the perception of reality is often more important than actual reality. I also agree with Rogier Wolff that testing with randomly broken files will help uncover weaknesses in the library or its dependent applications.
Testing with randomly broken files would likely take months of an unpaid volunteer's time to produce the suitably broken files, diagnose the problems, and produce fixes to avoid misbehavior. Maybe it would take a year. A year without any income at all.
As maintainer of Red Hat's libtiff package, I am now seriously wondering whether I must recommend that Red Hat disable TIFF support in any application that has any internet exposure. My rough estimate is that the number of packages that would continue to support TIFF after such a recommendation would be zero. libtiff would become an instant pariah.
There is not really any reason to single libtiff out. You can insert many application/library names here.
Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/