AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

Thread

2016.09.23 14:36 "[Tiff] LibTIFF vulnerabilities", by Yves Younan
2016.09.23 15:15 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.09.23 17:03 "Re: [Tiff] LibTIFF vulnerabilities", by Lee Howard
2016.09.23 18:04 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.09.23 22:34 "Re: [Tiff] LibTIFF vulnerabilities", by Even Rouault
2016.09.23 22:58 "Re: [Tiff] LibTIFF vulnerabilities", by Lee Howard
2016.09.23 23:47 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.09.24 14:30 "Re: [Tiff] LibTIFF vulnerabilities", by Olivier Paquet
2016.09.24 14:45 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.10.04 11:19 "Re: [Tiff] LibTIFF vulnerabilities", by Henk Jan Priester
2016.10.04 13:20 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn
2016.10.07 10:15 "Re: [Tiff] Converting TIFFs with old-style JPEG compression", by John Brown
2016.10.07 10:41 "Re: [Tiff] Converting TIFFs with old-style JPEG compression", by John Brown
2016.09.23 20:50 "Re: [Tiff] LibTIFF vulnerabilities", by Jeff McKenna

2016.09.23 15:15 "Re: [Tiff] LibTIFF vulnerabilities", by Bob Friesenhahn

On Fri, 23 Sep 2016, Yves Younan (yvyounan) wrote:

Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam (warmerdam@pobox.com) and tiff@remotesensing.org multiple times with details of the vulnerabilities but we’ve been unable to get a response.

This is the first I have heard of it. The remotesensing.org domain was lost a couple of weeks ago and we have not heard from Frank Warmerdam in some time.

In the mean time I put the current libtiff web site content up at "http://www.simplesystems.org/libtiff/" and it was already mirrored at "http://libtiff.maptools.org/".

I will update the libtiff main page (wherever it is actively mirrored) to reflect current realities.

Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.

Recent libtiff maintenance has primarily been done by Even Rouault and myself. We are able to commit code. Please send your vulnerability report to me and I will make sure that Even gets a copy.

It is ideal if the reporter applies for a CVE for any vulnerability so that the problem may be tracked.

While a fix may be commited to libtiff CVS expediently, this does not necessarily result in an expedient fix to the millions of copies of libtiff which are already in use.

Bob
--
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/