[gdal-dev] Gdal 1.11.2 and libtiff

Even Rouault even.rouault at spatialys.com
Thu Feb 5 10:21:12 PST 2015


Kurt,

Forwarding this publicly as this is of general interest.

I've created http://trac.osgeo.org/gdal/ticket/5830 and committed:
branches/1.11 r28417 "Internal libtiff: partial upgrade to 4.0.4beta 
(everything, except changes in tif_jpeg.c that are not security related and 
cause differences in output) (#5830)" 

My personal statement would be that people with high security concerns or 
risks should avoid using libtiff, GDAL or more generally most imaging libraries 
on untrusted datasets on non-isolated / non-sandboxed environments. Regarding 
libtiff, disabling codecs that are somewhat esoteric (like NEXT compression 
that has received security fixes in libtiff 4.0.4beta) might be prudent too.
See http://trac.osgeo.org/gdal/wiki/SecurityIssues

Even

On Thursday 05 February 2015 18:21:59, Kurt Schwehr wrote:
> Sorry this is so last minute, but I suggest that 1.11.2 be held back until
> libtiff is updated.  e.g. to
> ftp://ftp.remotesensing.org/pub/libtiff/tiff-4.0.4beta.tar.gz or head.
> 
> There are a number of issues out in the wild:
> 
> http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
> 
> http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
> 
> http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
> 
> -kurt

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com
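Even's advice above amounts to two controls for untrusted TIFF input: isolate the decoder, and refuse codecs you do not need (NEXT compression being the example he names). The following is an added example, not code from the thread or from GDAL/libtiff, showing the second control as a pre-screen: it parses only the TIFF header and the first IFD with plain byte arithmetic, never invoking a decoder, and rejects any file whose Compression tag is outside an allowlist. The allowlist is an assumed policy choice for illustration; the tag numbers and compression codes come from the TIFF 6.0 specification and libtiff's tiff.h (NEXT is 32766). The sample TIFFs are constructed inline so the block runs offline.

```python
import struct

# Tag and compression codes from the TIFF 6.0 spec / libtiff tiff.h.
TAG_COMPRESSION = 259
TIFF_TYPE_SHORT = 3
COMPRESSION_NONE = 1
COMPRESSION_LZW = 5
COMPRESSION_JPEG = 7
COMPRESSION_ADOBE_DEFLATE = 8
COMPRESSION_NEXT = 32766          # the esoteric codec named in the thread
COMPRESSION_PACKBITS = 32773

# Assumed policy: only codecs an ordinary raster workflow needs. Anything
# else (NEXT, ThunderScan, OJPEG, ...) is rejected before libtiff sees it.
ALLOWED_COMPRESSIONS = {
    COMPRESSION_NONE, COMPRESSION_LZW, COMPRESSION_JPEG,
    COMPRESSION_ADOBE_DEFLATE, COMPRESSION_PACKBITS,
}


def read_tiff_compression(data: bytes) -> int:
    """Return the Compression tag of the first IFD (default 1 = none).

    Only the 8-byte header and the first IFD are inspected; every offset is
    bounds-checked against len(data) so a truncated or malicious file raises
    ValueError instead of indexing past the buffer.
    """
    if len(data) < 8:
        raise ValueError("shorter than a TIFF header")
    if data[:2] == b"II":
        endian = "<"
    elif data[:2] == b"MM":
        endian = ">"
    else:
        raise ValueError("not a classic TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError("unexpected magic %d (BigTIFF not handled)" % magic)
    if ifd_offset + 2 > len(data):
        raise ValueError("first IFD offset points outside the file")
    (count,) = struct.unpack(endian + "H", data[ifd_offset:ifd_offset + 2])
    if ifd_offset + 2 + 12 * count > len(data):
        raise ValueError("IFD entry table runs past end of file")
    compression = COMPRESSION_NONE
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", data[off:off + 8])
        if tag == TAG_COMPRESSION:
            if typ != TIFF_TYPE_SHORT or n != 1:
                raise ValueError("malformed Compression tag")
            # A single SHORT is stored left-justified in the 4-byte value field.
            (compression,) = struct.unpack(endian + "H", data[off + 8:off + 10])
    return compression


def screen_tiff(data: bytes):
    """Return (accept, reason); reject on parse failure or disallowed codec."""
    try:
        comp = read_tiff_compression(data)
    except ValueError as exc:
        return False, "reject: %s" % exc
    if comp in ALLOWED_COMPRESSIONS:
        return True, "accept: compression %d" % comp
    return False, "reject: compression %d not in allowlist" % comp


def make_minimal_tiff(compression: int, endian: str = "<") -> bytes:
    """Constructed sample: 1x1 TIFF with the given Compression tag."""
    bom = b"II" if endian == "<" else b"MM"
    header = bom + struct.pack(endian + "HI", 42, 8)   # first IFD at offset 8
    entries = [(256, TIFF_TYPE_SHORT, 1, 1),            # ImageWidth
               (257, TIFF_TYPE_SHORT, 1, 1),            # ImageLength
               (TAG_COMPRESSION, TIFF_TYPE_SHORT, 1, compression)]
    ifd = struct.pack(endian + "H", len(entries))
    for tag, typ, n, val in entries:
        ifd += struct.pack(endian + "HHI", tag, typ, n)
        ifd += struct.pack(endian + "H", val) + b"\x00\x00"
    ifd += struct.pack(endian + "I", 0)                 # no next IFD
    return header + ifd


if __name__ == "__main__":
    for label, blob in [("lzw", make_minimal_tiff(COMPRESSION_LZW)),
                        ("next", make_minimal_tiff(COMPRESSION_NEXT, ">")),
                        ("garbage", b"GIF89a")]:
        print(label, screen_tiff(blob))
```

The screen is deliberately a parser, not a decoder: it reads a bounded number of bytes, so it can run outside the sandbox that the actual GDAL/libtiff decode should stay inside. It covers the first IFD only; multi-page files and BigTIFF would need the same treatment extended, and the allowlist should be tightened to whatever codecs a given pipeline actually produces.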