AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

Thread

2016.06.04 22:59 "[Tiff] TiffLib tools as a means for mitigating the ImageTragick exploit", by Prophet of the Way
2016.06.05 14:25 "Re: [Tiff] TiffLib tools as a means for mitigating the ImageTragick exploit", by Bob Friesenhahn

2016.06.04 22:59 "[Tiff] TiffLib tools as a means for mitigating the ImageTragick exploit", by Prophet of the Way

A major security hole was recently found in ImageMagick. The name "ImageTragick" was coined to get people's attention, and a dedicated website (https://imagetragick.com/) was set up.

Here is advice on mitigating the threat in a blog entry linked to the ImageTragick site:

Clearing up some misconceptions around the "ImageTragick" bug https://lcamtuf.blogspot.jp/2016/05/clearing-up-some-misconceptions-around.html

  If all you need to do is simple transcoding or thumbnailing of potentially
  untrusted images, don't use ImageMagick. Make a direct use of libpng,
  libjpeg-turbo, and giflib; for a robust way to use these libraries,
  have a look at the source code of Chromium or Firefox. The resulting
  implementation will be considerably faster, too.

  - lcamtuf's blog May 11, 2016

One question I'd like to ask: how about the accessory programs which come with TiffLib? Using bmp2tiff, gif2tiff, tiff2pdf, etc. instead of ImageMagick is in accord with the above advice, but how can one tell that this is really an improvement security-wise?

I'd like to re-phrase my question in general terms. One looking for alternatives to ImageMagick for a certain task may encounter an image processing tool which provides the necessary functions but whose name is not well known. Lack of publicity may well be an indication of absence of active maintenance. Where does one draw the line?
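The quoted advice (decide the format from the file itself and hand it to one dedicated decoder, rather than letting a general-purpose tool guess) can be made concrete. The following is an added example written for this archive page; it is not code from libtiff, from the poster, or from the blog quoted above. It sniffs the leading bytes of an untrusted buffer, refuses anything off a fixed allow-list or anything whose content disagrees with the format the caller expected, and runs a cheap structural check on a TIFF header (byte order, magic 42, first IFD inside the buffer) before any real decoder would touch it. The `decode_*` functions only read header fields and stand in for calls into libpng, libjpeg-turbo, giflib or libtiff; the sample buffers are constructed inline.

```python
"""Content-based dispatch of untrusted image data to fixed decoders.

Added example, not libtiff code. The decode_* functions are stand-ins
for the dedicated libraries; they parse a few header fields only.
"""
import struct

# Leading-byte signatures for the allow-listed formats (assumed list).
MAGIC = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "tiff": (b"II*\x00", b"MM\x00*"),
}


def sniff(data):
    """Name the format from the buffer's own bytes; None if nothing matches."""
    for name, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return name
    return None


def tiff_header_ok(data):
    """Structural check of a TIFF header before a decoder sees it.

    Verifies the byte-order mark, the magic number 42, and that the first
    IFD (2-byte entry count, 12 bytes per entry, 4-byte next-IFD pointer)
    lies entirely inside the buffer. Returns (True, entry_count) or
    (False, reason).
    """
    if len(data) < 8:
        return False, "short header"
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None:
        return False, "bad byte order mark"
    magic, ifd = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        return False, "bad magic"
    if ifd < 8 or ifd + 2 > len(data):
        return False, "first IFD offset outside file"
    (count,) = struct.unpack(order + "H", data[ifd:ifd + 2])
    if count == 0 or ifd + 2 + 12 * count + 4 > len(data):
        return False, "IFD entry table outside file"
    return True, count


def decode_png(data):
    # Stand-in for libpng: width/height from the IHDR chunk.
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValueError("PNG without leading IHDR")
    width, height = struct.unpack(">II", data[16:24])
    return ("png", width, height)


def decode_gif(data):
    # Stand-in for giflib: logical screen size (little-endian).
    if len(data) < 10:
        raise ValueError("GIF header truncated")
    width, height = struct.unpack("<HH", data[6:10])
    return ("gif", width, height)


def decode_jpeg(data):
    # Stand-in for libjpeg-turbo: signature already verified by sniff().
    return ("jpeg",)


def decode_tiff(data):
    # Stand-in for libtiff: only reaches the library if the header is sane.
    ok, info = tiff_header_ok(data)
    if not ok:
        raise ValueError(f"malformed TIFF: {info}")
    return ("tiff", info)


DECODERS = {"png": decode_png, "jpeg": decode_jpeg,
            "gif": decode_gif, "tiff": decode_tiff}


def dispatch(data, expected):
    """Route a buffer to the single decoder for the format its bytes declare.

    Refuses formats outside the allow-list and buffers whose content does
    not match the format the caller said to expect, so no decoder is ever
    chosen by filename, extension or a library's own guessing.
    """
    fmt = sniff(data)
    if fmt is None:
        raise ValueError("unrecognised or unsupported format")
    if fmt != expected:
        raise ValueError(f"content is {fmt}, caller expected {expected}")
    return DECODERS[fmt](data)


# Constructed sample buffers (headers only, not real images).
SAMPLE_TIFF = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1)
               + struct.pack("<HHIHH", 256, 3, 1, 16, 0)   # ImageWidth=16
               + struct.pack("<I", 0))                     # no next IFD
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">IIBBBBB", 32, 16, 8, 2, 0, 0, 0) + b"\0\0\0\0")
BAD_TIFF = b"II*\x00" + struct.pack("<I", 4096)  # IFD points past the end

if __name__ == "__main__":
    print(dispatch(SAMPLE_TIFF, "tiff"))
    print(dispatch(SAMPLE_PNG, "png"))
    for buf, exp in ((SAMPLE_PNG, "tiff"), (BAD_TIFF, "tiff"), (b"hi", "gif")):
        try:
            dispatch(buf, exp)
        except ValueError as e:
            print("rejected:", e)
```

The point of the structure is that the allow-list and the content check are the only things that pick a decoder; whether the underlying library is ImageMagick, libtiff or anything else, a file that claims one format and carries another never reaches it. The header check is not a substitute for a maintained decoder, which is the concern raised in the message above; it only keeps obviously malformed input out.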