2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.09.01 15:30 "Re: [Tiff] Some security fixes from RHEL", by Frank Warmerdam

> As maintainer of Red Hat's libtiff package, I am now seriously wondering whether I must recommend that Red Hat disable TIFF support in any application that has any internet exposure.

Tom,

Well, that's your call I suppose, though I'd hope you would also balance such a decision against the lost utility. I do think it would be foolish for something like firefox to automatically use libtiff to read and attempt to display TIFF files embedded as images on web sites. At the very least users ought to be making a trust-decision for web sourced TIFF files before they are opened.

Likewise, I would seriously consider not automatically accessing TIFF files and offering cute little previews on desktops by default, though at least in these situations the user has presumably deliberately chosen to download the image and save it to their file system.

> My rough estimate is that the number of packages that would continue to support TIFF after such a recommendation would be zero. libtiff would become an instant pariah.
>
> I realize that hardening libtiff is likely to be a long and tedious process. But I think failing to accept that you've got to do it is a good way to kill the project.

The point is that Bob, Joris, Andrey and myself have very limited amounts of time to apply to libtiff maintenance and we have a hard time keeping up with existing routine maintenance. We do not generally have the skills required for a serious security audit of libtiff.

So, either folks who care about the security issues will need to step forward and take on the task as libtiff co-maintainers, or else it is not going to happen.

Frankly, TIFF will not become a pariah in my community of use so the issue isn't all that pressing for me.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | Geospatial Programmer for Rent