2016.10.28 18:50 "[Tiff] New release ? + remaining CVE tickets", by Even Rouault

Hi,

With all the annoying circus about recent security-related fixes, I guess we should consider a 4.0.7 release with what is already in CVS. The flow of security reports will probably not stop soon, especially in utilities, so better release with what we already have. That said, this is just words since I'm not volunteering to do it.

If I trust bugzilla
http://bugzilla.maptools.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&product=libtiff&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=allwords&keywords=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0=

we have 3 remaining tickets explicitly tagged CVE (but I guess most crashing bugs can be considered security), all 3 about more or less the same issue with TIFFGetField() use.

I created an enclosing ticket http://bugzilla.maptools.org/show_bug.cgi?id=2580 that references those 3 tickets (+ http://bugzilla.maptools.org/show_bug.cgi?id=2433 and http://bugzilla.maptools.org/show_bug.cgi?id=2441) since I feel this is more or less the same issue; however, I'm not sure about the proper way of addressing this. At a high level, I'd say that the TIFFGetField() interface is just impossible (or at the very least very hard) to use safely. If someone wants to tackle that...

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com