2008.08.29 22:53 "[Tiff] Some security fixes from RHEL", by Even Rouault

2008.09.01 05:11 "Re: [Tiff] Some security fixes from RHEL", by Tom Lane

> If an application needs to be secure/stable in the face of hostile files then it should not link against libtiff.

While the above statements are undoubtedly accurate, the sentiments that they express are unhealthy for the large community that uses libtiff.

More than that: they're unhealthy for the future of TIFF itself.

What this position is basically saying is that "TIFF is unsafe for use on the internet". Well, the internet is a sufficiently large chunk of the potential application space these days that making any such restriction is effectively signing your own death warrant. People will simply stop using TIFF in favor of other alternatives that are more widely supported by safer (or perceived-to-be-safer) software.

As maintainer of Red Hat's libtiff package, I am now seriously wondering whether I must recommend that Red Hat disable TIFF support in any application that has any internet exposure. My rough estimate is that the number of packages that would continue to support TIFF after such a recommendation would be zero. libtiff would become an instant pariah.

I realize that hardening libtiff is likely to be a long and tedious process. But I think failing to accept that you've got to do it is a good way to kill the project.

regards, tom lane