2023.09.19 15:24 "[Tiff] unsupported/archived tools and feature in v4.6.0", by Lee Howard

2023.09.19 18:51 "Re: [Tiff] unsupported/archived tools and feature in v4.6.0", by Bob Friesenhahn

I also rely on some of those utilities being in distributions. Is there a concise list of the relevant CVEs? I would rather spend some time fixing issues than see a valuable utility get dropped.

Rather than worrying about the existing CVEs, I recommend a thorough top/down, left/right, more holistic evaluation/analysis of each utility, resulting in re-working/re-writing the utility the way it should have been in the first place. Perhaps even starting by using the older code as a reference (before the utility code started being full of band-aid patches) is a good approach.

Other than tiffcrop (a very powerful utility), most of the utilities have little source code. The utilities were written specifically for TIFF (and libtiff) in order to gain capabilities and efficiencies not readily possible for general-purpose software.

Without doing this, there will only be more CVEs.

The current active libtiff maintainers are not interested in taking on this work. If it is done independently, then perhaps a new implementation could be submitted to libtiff, or the utilities could easily live in a different distribution/repository so they can respond to bugs and feature requests independently of libtiff release cycles.

The CVEs were getting way out of hand. There were CVEs written because it was possible to crash the utility due to incorrect permutations of arguments, rather than due to the utility inputs.

A good way to make sure that code is working is to submit the project for oss-fuzz's fuzz testing (https://github.com/google/oss-fuzz). Oss-fuzz normally tests APIs but a means could be provided so that the utilities can appear as an API for testing. For example, fmemopen() can be inserted in place of fopen().

It is useful to take advantage of Synopsys Coverity free testing for open-source software (e.g. https://scan.coverity.com/projects/tiff) since it is good at ferreting out certain types of problems.


Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
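The fmemopen()-for-fopen() seam described in the message above, worked through as an added example (this is not libtiff code and not anything from the thread's authors). The sketch assumes a small hypothetical utility whose core, `check_tiff_header()`, takes an already-open `FILE *` rather than a path: the command-line `main()` hands it an `fopen()`'d file, while the libFuzzer/OSS-Fuzz entry point `LLVMFuzzerTestOneInput()` hands it an `fmemopen()`'d copy of the fuzzer's buffer, so the same code path is exercised either way. The header layout it checks (byte-order mark `II`/`MM`, magic 42, 4-byte offset of the first IFD) is the standard TIFF header; the sample buffers at the bottom are constructed for the example. Note the zero-length guard: fuzzers routinely produce empty inputs, and some libc versions reject `fmemopen()` with size 0.

```c
#define _POSIX_C_SOURCE 200809L /* fmemopen() is POSIX.1-2008 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome codes returned by the stream-based core. */
enum { HDR_OK = 0, HDR_TRUNCATED = 1, HDR_BAD_ORDER = 2, HDR_BAD_MAGIC = 3 };

/* The fields of the 8-byte TIFF file header we care about. */
struct tiff_header {
    int little_endian;   /* 1 for "II", 0 for "MM" */
    uint32_t first_ifd;  /* byte offset of the first IFD */
};

static uint16_t rd16(const unsigned char *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const unsigned char *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Hypothetical utility core: reads from any FILE*, never opens a path itself.
 * Every length check happens here, so the fuzzer and the CLI share it. */
int check_tiff_header(FILE *fp, struct tiff_header *out) {
    unsigned char buf[8];
    if (fread(buf, 1, sizeof buf, fp) != sizeof buf)
        return HDR_TRUNCATED;           /* short file: refuse rather than read garbage */
    int le;
    if (memcmp(buf, "II", 2) == 0)      le = 1;
    else if (memcmp(buf, "MM", 2) == 0) le = 0;
    else return HDR_BAD_ORDER;
    if (rd16(buf + 2, le) != 42)
        return HDR_BAD_MAGIC;
    out->little_endian = le;
    out->first_ifd = rd32(buf + 4, le);
    return HDR_OK;
}

/* Same core driven from an in-memory buffer via fmemopen(): the testing seam.
 * The input is copied because fmemopen() takes a non-const buffer. */
int check_tiff_header_mem(const uint8_t *data, size_t size, struct tiff_header *out) {
    if (size == 0) return HDR_TRUNCATED; /* fmemopen() rejects size 0 on some libcs */
    unsigned char *copy = malloc(size);
    if (!copy) return HDR_TRUNCATED;
    memcpy(copy, data, size);
    FILE *fp = fmemopen(copy, size, "r");
    int rc = fp ? check_tiff_header(fp, out) : HDR_TRUNCATED;
    if (fp) fclose(fp);                  /* fclose() does not free the backing buffer */
    free(copy);
    return rc;
}

/* Convenience wrappers used by the checks below. */
int classify_bytes(const uint8_t *data, size_t size) {
    struct tiff_header h;
    return check_tiff_header_mem(data, size, &h);
}
uint32_t first_ifd_offset(const uint8_t *data, size_t size) {
    struct tiff_header h;
    return check_tiff_header_mem(data, size, &h) == HDR_OK ? h.first_ifd : 0;
}

/* libFuzzer / OSS-Fuzz entry point: the utility "appears as an API". */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    (void)classify_bytes(data, size);
    return 0;
}

/* Constructed sample headers (not real files). */
static const uint8_t SAMPLE_LE_OK[]     = {'I','I', 42, 0,  8, 0, 0, 0};
static const uint8_t SAMPLE_BE_OK[]     = {'M','M',  0, 42, 0, 0, 0, 8};
static const uint8_t SAMPLE_BAD_MAGIC[] = {'I','I', 43, 0,  8, 0, 0, 0};
static const uint8_t SAMPLE_BAD_ORDER[] = {'X','X', 42, 0,  8, 0, 0, 0};

/* Command-line entry point: the only place fopen() appears. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s file.tif\n", argv[0]); return 2; }
    FILE *fp = fopen(argv[1], "rb");
    if (!fp) { perror(argv[1]); return 2; }
    struct tiff_header h;
    int rc = check_tiff_header(fp, &h);
    fclose(fp);
    if (rc == HDR_OK)
        printf("%s-endian TIFF, first IFD at %u\n", h.little_endian ? "little" : "big", h.first_ifd);
    else
        printf("not a usable TIFF header (code %d)\n", rc);
    return rc == HDR_OK ? 0 : 1;
}
```

Build the fuzz target with `clang -fsanitize=fuzzer,address` (the fuzzer runtime supplies its own `main`, so the CLI `main` is compiled out or renamed in a real project); the point of the layout is that no argument-permutation code sits between the fuzzer and the parsing logic, which is exactly the class of crash the thread describes as having produced spurious CVEs.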