2024.02.03 15:00 "[Tiff] www.libtiff.org is restored", by Bob Friesenhahn

2024.02.04 19:53 "Re: [Tiff] www.libtiff.org is restored", by Bob Friesenhahn

What percentage of the tiff utility CVEs are coding errors in the utilities compared to issues that the utilities expose in libtiff?

Most of the issues in modern times have been with the utilities code. The utilities code was originally "proof of concept" or "demo" level code, very similar to other code implemented at the time (the first libtiff release was in 1988!). Priority was placed on function and features.

Libtiff itself got more attention from developers to make it robust and secure. A glance at the libtiff Wikipedia page (https://en.wikipedia.org/wiki/LibTIFF) shows that there is not much there other than mentions of past security issues.

Iterative patching/fixing the utilities code (based on reported/detected issues) has not gotten it to where it should be. A thorough examination needs to be made in order to discover core weaknesses, and come up with new designs which avoid intrinsic weaknesses, while still supporting existing requirements, and modern demands.

Bob

Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt