2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.08.31 22:17 "Re: [Tiff] Some security fixes from RHEL", by Bob Friesenhahn

Maintainers and developers of any software should be committed to the software development and to the health of the community that uses that software. Some degree of responsibility is expected. When flaws in the software are discovered, be they rather benign or security-related, the community looks to developers and maintainers to take action. Failure to take action leads the community into an atmosphere of uncertainty and mistrust... all of which further inhibits the software development cycle.

I agree. One reason why Frank is feeling a bit jaded regarding security issues at the moment is that he is likely aware of ten or twenty equally significant issues which have yet to be properly fixed/addressed in libtiff. Some of these are architecture specific.

While libtiff is for the large part high quality software, the sophistication of the black-hats (and white-hats too) should not be underestimated. Earlier this year I discovered a jackpot of malicious files (collected by a white-hat) and spent a few weeks fixing GraphicsMagick so that it was resistant to them. The level of genius represented by these files is pretty astounding. Some of the file formats were virtually forgotten and poorly specified, yet the author of the maligned files managed to circumvent code which thought it was taking the necessary precautions to prevent improper access and overflows. This shows that people are spending considerable time studying file formats and implementations to see how to crash the readers or cause them to execute user-supplied data.

Bob
======================================
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/