AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

Thread

2016.09.23 14:36 "[Tiff] LibTIFF vulnerabilities", by Yves Younan
2016.09.23 15:15 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.09.23 17:03 "Re: [Tiff] LibTIFF vulnerabilities", by Lee Howard
2016.09.23 18:04 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.09.23 22:34 "Re: [Tiff] LibTIFF vulnerabilities", by Even Rouault
2016.09.23 22:58 "Re: [Tiff] LibTIFF vulnerabilities", by Lee Howard
2016.09.23 23:47 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.09.24 14:30 "Re: [Tiff] LibTIFF vulnerabilities", by Olivier Paquet
2016.09.24 14:45 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.10.04 11:19 "Re: [Tiff] LibTIFF vulnerabilities", by Henk Jan Priester
2016.10.04 13:20 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.10.07 10:15 "Re: [Tiff] Converting TIFFs with old-style JPEG compression", by John Brown
2016.10.07 10:41 "Re: [Tiff] Converting TIFFs with old-style JPEG compression", by John Brown
2016.09.23 20:50 "Re: [Tiff] LibTIFF vulnerabilities", by Jeff McKenna

2016.09.23 17:03 "Re: [Tiff] LibTIFF vulnerabilities", by Lee Howard

On 09/23/2016 08:15 AM, Bob Friesenhahn wrote:

While a fix may be committed to libtiff CVS expediently, this does not necessarily result in an expedient fix to the millions of copies of libtiff which are already in use.

Ideally there would be a coordinated release that involved packages at as many distributions as possible... RedHat, SuSE, Fedora, Debian, Ubuntu, etc.

That said, the most recently fixed vulnerabilities were in the tools side rather than the library side... so that mitigates the risks considerably. If these vulnerabilities are similarly risk-mitigated, then the effort for a coordinated release may not be wholly necessary or even more productive than an earlier announcement.

Thanks,

Lee.