AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

Thread

2023.04.03 20:50 "[Tiff] Remove TIFFCROP from LibTiff", by Sulau
2023.04.04 12:59 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Even Rouault
2023.04.04 13:49 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Bob Friesenhahn
2023.04.04 14:04 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Even Rouault
2023.04.04 15:14 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Kurt Schwehr
2023.04.04 15:23 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Rob Boehne
2023.04.04 15:27 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Even Rouault
2023.04.04 15:40 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Miguel Medalha
2023.04.04 16:46 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Daniel McCoy
2023.04.04 22:47 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Kurt Schwehr
2023.04.05 19:11 "Re: [Tiff] Remove TIFFCROP from LibTiff", by Sulau
2023.04.06 19:07 "Re: [Tiff] Remove TIFFCROP from LibTiff", by Even Rouault
2023.04.07 00:05 "Re: [Tiff] Remove TIFFCROP from LibTiff", by Miguel Medalha
2023.04.07 00:20 "Re: [Tiff] Remove TIFFCROP from LibTiff", by Even Rouault
2023.04.07 13:28 "Re: [Tiff] Remove TIFFCROP from LibTiff", by Bob Friesenhahn

2023.04.04 15:27 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Even Rouault

> Another alternative to consider is putting a disclaimer on those tools saying that CVEs might not be fixed and use at your own risk. Many pipelines use only trusted data, so they are fine. And folks using untrusted data should be running their pipelines in a security sandbox. Setting up sandboxes is definitely a user responsibility.

I doubt people who apparently have "fun" (*) running fuzzers on libtiff utilities would notice the disclaimer or take it into account. IMHO the best way to stop the flow of security reports on such utilities, which annoy libtiff developers and packagers, is to no longer have them built by the supported build systems.

(*): or perhaps as part of their job, as I suspect libtiff is used as a showcase for some commercial security-related products or research activities.

http://www.spatialys.com
My software is free, but my time generally not.