2016.09.23 14:36 "[Tiff] LibTIFF vulnerabilities", by Yves Younan

2016.10.04 11:19 "Re: [Tiff] LibTIFF vulnerabilities", by Henk Jan Priester

On 09/23/2016 05:15 PM, Bob Friesenhahn wrote:

On Fri, 23 Sep 2016, Yves Younan (yvyounan) wrote:

Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam (warmerdam@pobox.com) and tiff@remotesensing.org multiple times with details of the vulnerabilities but we’ve been unable to get a response.

This is the first I have heard of it. The remotesensing.org domain was lost a couple of weeks ago and we have not heard from Frank Warmerdam in some time.

In the meantime I put the current libtiff web site content up at "http://www.simplesystems.org/libtiff/" and it was already mirrored at "http://libtiff.maptools.org/".

I will update the libtiff main page (wherever it is actively mirrored) to reflect current realities.

Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.

Recent libtiff maintenance has primarily been done by Even Rouault and myself. We are able to commit code. Please send your vulnerability report to me and I will make sure that Even gets a copy.

It is ideal if the reporter applies for a CVE for any vulnerability so that the problem may be tracked.

While a fix may be committed to libtiff CVS expediently, this does not necessarily result in an expedient fix to the millions of copies of libtiff which are already in use.

Will there be a libtiff 4.0.7 if these problems are fixed?

Henk Jan

> Bob