AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

2016.09.23 14:36 "[Tiff] LibTIFF vulnerabilities", by Yves Younan

Hi,

Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam (warmerdam@pobox.com) and tiff@remotesensing.org multiple times with details of the vulnerabilities but we’ve been unable to get a response.

Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.

Thanks,

Yves Younan