2016.09.23 14:36 "[Tiff] LibTIFF vulnerabilities", by Yves Younan
Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam (firstname.lastname@example.org) and email@example.com multiple times with details of the vulnerabilities, but we’ve been unable to get a response.
Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.