2016.09.23 20:50 "Re: [Tiff] LibTIFF vulnerabilities", by Jeff McKenna
Thanks for this information Yves, I'll inform the leads for the various OSGeo projects.
-jeff
--
Jeff McKenna
President Emeritus, OSGeo http://wiki.osgeo.org/wiki/Jeff_McKenna
On 2016-09-23 11:36 AM, Yves Younan (yvyounan) wrote:
Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam (warmerdam@pobox.com) and tiff@remotesensing.org multiple times with details of the vulnerabilities but we’ve been unable to get a response.
Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.