2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.08.31 15:17 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam

I've just read http://lwn.net/Articles/296197 and I downloaded the source rpm.

I've attached here 2 vendor security patches from Redhat for their RHELs that aren't yet applied to CVS head (I haven't checked for the 3.9 branch):

- libtiff-3.8.2-CVE-2006-2193.patch

- libtiff-3.8.2-lzw-bugs.patch: Fixes for CVE-2008-2327. Partly reported and proposed patch in http://bugzilla.maptools.org/show_bug.cgi?id=1929. But Redhat's patch has a few extra lines. See https://bugzilla.redhat.com/show_bug.cgi?id=458674

I'm just curious about how vendors usually interact with libtiff upstream team? It would have been nice if they had dropped a word on it on libtiff bugzilla...

Even,

I was originally contacted by someone from Apple a couple weeks ago, who offered advance information in return for an agreement to embargo any disclosure till the publication date. I agreed, but in fact never got around to further reviewing the matter even now with the date gone by.

Honestly, I think libtiff has lots of security issues in the face of hostile TIFF files, and I find it hard to get excited about any particular issue.

Also, apparently security folks don't like filing visible bugs on these sorts of issues which makes it even harder for me to cope with since my email folder is a black hole.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent