2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.09.01 18:00 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn

quite doable. In the same way that libtiff is perfectly functional for people who don't want to throw random things they found on the internet through it. I'm sure if people submit patches for new bugs they'll get applied eventually if they are correct. The real beauty of free software is you can apply them any time you like, without having to wait for someone else to find the time for that.

The TIFF format itself comes from a world (desktop publishing, FAX, and scientific research) where there was no reason to distrust the input other than if it was accidentally corrupted. Therefore the design of TIFF is quite flexible with file offsets being embedded directly in files, and many compression formats. There are "corner cases" galore. This makes it much more difficult to make secure for the web than a format like PNG or JPEG.

Regardless, people can help by discovering TIFF files which crash libtiff and submitting patches to eliminate the crash. Failure to crash is not the same as secure but it represents forward motion. It is a pity that we lost the old bug tracker system, along with all the outstanding bugs at that time. We have a new bug tracker now.

Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
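The embedded-offset issue Bob describes, as an added example that is neither from this thread nor from libtiff: a small C checker that walks the first IFD of an in-memory TIFF and rejects any IFD offset, entry count or value offset that does not fit inside the buffer, including the count*type_size product that can wrap to a small allocation. The function name and the sample byte arrays are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte readers for both TIFF byte orders ("II" little, "MM" big endian). */
static int rd16(const uint8_t *p, int le) { return le ? p[0] | p[1] << 8 : p[0] << 8 | p[1]; }
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3];
}
/* Size in bytes of each TIFF 6.0 field type (index 0 unused). */
static const uint32_t type_size[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Hypothetical checker: returns the number of entries in IFD0, or a negative
 * code identifying which untrusted offset/count failed validation. */
int check_tiff_ifd0(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;                                  /* header is 8 bytes */
    int le;
    if (!memcmp(buf, "II", 2)) le = 1; else if (!memcmp(buf, "MM", 2)) le = 0; else return -2;
    if (rd16(buf + 2, le) != 42) return -2;
    uint32_t ifd = rd32(buf + 4, le);
    /* The IFD offset comes straight from the file: bound it before dereferencing. */
    if (ifd < 8 || ifd > len - 2) return -3;
    int n = rd16(buf + ifd, le);
    /* n entries of 12 bytes plus the 4-byte next-IFD pointer must fit after the count. */
    if (n == 0 || (size_t)n * 12 + 4 > len - (ifd + 2)) return -4;
    for (int i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        int type = rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        if (type < 1 || type > 12) return -5;
        /* count * type_size must not wrap in 32 bits, or a later malloc is undersized. */
        if (count > UINT32_MAX / type_size[type]) return -6;
        uint32_t bytes = count * type_size[type];
        if (bytes > 4) {                                     /* value stored at an offset */
            uint32_t off = rd32(e + 8, le);
            if (off > len || bytes > len - off) return -7;
        }
    }
    return n;
}

/* Constructed samples: a minimal valid file, an IFD offset past EOF, a LONG count that
 * wraps when multiplied by 4, and an ASCII value whose length exceeds the file. */
static const uint8_t good_tiff[]      = {'I','I',42,0, 8,0,0,0, 1,0, 0,1,    3,0, 1,0,0,0,    1,0,0,0, 0,0,0,0};
static const uint8_t bad_offset[]     = {'I','I',42,0, 0,0xff,0xff,0xff};
static const uint8_t overflow_count[] = {'I','I',42,0, 8,0,0,0, 1,0, 0x11,1, 4,0, 1,0,0,0x40, 8,0,0,0, 0,0,0,0};
static const uint8_t huge_ascii[]     = {'I','I',42,0, 8,0,0,0, 1,0, 0x0e,1, 2,0, 100,0,0,0,  8,0,0,0, 0,0,0,0};

int main(void) {
    printf("good=%d bad_offset=%d overflow=%d huge_ascii=%d\n",
           check_tiff_ifd0(good_tiff, sizeof good_tiff), check_tiff_ifd0(bad_offset, sizeof bad_offset),
           check_tiff_ifd0(overflow_count, sizeof overflow_count), check_tiff_ifd0(huge_ascii, sizeof huge_ascii));
    return 0;
}
```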