[gdal-dev] Gdal 1.11.2 and libtiff

Kurt Schwehr schwehr at gmail.com
Thu Feb 5 10:26:45 PST 2015


Excellent!  Thanks!

-kurt

On Thu, Feb 5, 2015 at 10:21 AM, Even Rouault <even.rouault at spatialys.com>
wrote:

> Kurt,
>
> Forwarding this publicly as this is of general interest.
>
> I've created http://trac.osgeo.org/gdal/ticket/5830 and committed:
> branches/1.11 r28417 "Internal libtiff: partial upgrade to 4.0.4beta
> (everything, except changes in tif_jpeg.c that are not security related and
> cause differences in output) (#5830)"
>
> My personal statement would be that people with high security concerns or
> risks should avoid using libtiff, GDAL or more generally most imaging
> libraries on untrusted datasets on non-isolated / non-sandboxed environments.
> Regarding libtiff, disabling codecs that are somewhat esoteric (like NEXT
> compression that has received security fixes in libtiff 4.0.4beta) might be
> prudent too.
> See http://trac.osgeo.org/gdal/wiki/SecurityIssues
>
> Even
>
> On Thursday, February 05, 2015 18:21:59, Kurt Schwehr wrote:
> > Sorry this is so last minute, but I suggest that 1.11.2 be held back until
> > libtiff is updated, e.g. to
> > ftp://ftp.remotesensing.org/pub/libtiff/tiff-4.0.4beta.tar.gz or head.
> >
> > There are a number of issues out in the wild:
> >
> > http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
> > http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
> > http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
> >
> > -kurt
>
> --
> Spatialys - Geospatial professional services
> http://www.spatialys.com
>



-- 
--
http://schwehr.org
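As an added illustration of the codec-restriction advice in Even's message (this is not code from the thread, from GDAL or from libtiff): a small Python pre-filter that reads the Compression tag (259) from a classic TIFF's first IFD and refuses files whose codec is not on a site-defined allowlist, so that inputs using esoteric codecs such as NEXT (value 32766) are turned away before any decoder runs. The allowlist contents and the helper names are assumptions; the sample files are constructed by make_tiff.

```python
import struct

TAG_COMPRESSION = 259
# Compression values this deployment accepts: None, LZW, JPEG, Deflate, PackBits.
# NEXT (32766) and other esoteric codecs are deliberately absent (site-policy assumption).
ALLOWED = {1, 5, 7, 8, 32773, 32946}

def first_ifd_compression(data: bytes) -> int:
    """Compression value from the first IFD of a classic TIFF; ValueError otherwise."""
    if len(data) < 8:
        raise ValueError("too short for a TIFF header")
    e = {b"II": "<", b"MM": ">"}.get(data[:2])
    if e is None:
        raise ValueError("bad byte-order mark")
    magic, ifd_off = struct.unpack(e + "HI", data[2:8])
    if magic != 42:
        raise ValueError("not classic TIFF (magic %d)" % magic)
    if ifd_off < 8 or ifd_off + 2 > len(data):
        raise ValueError("first IFD offset out of bounds")
    (count,) = struct.unpack(e + "H", data[ifd_off:ifd_off + 2])
    if ifd_off + 2 + 12 * count > len(data):
        raise ValueError("IFD entries run past end of file")
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", data[off:off + 8])
        if tag == TAG_COMPRESSION:
            if typ != 3 or n != 1:  # the tag must be a single SHORT
                raise ValueError("malformed Compression entry")
            # a SHORT is left-justified in the 4-byte value field, in both byte orders
            return struct.unpack(e + "H", data[off + 8:off + 10])[0]
    return 1  # tag absent: the TIFF 6.0 default is 1 (uncompressed)

def admissible(data: bytes):
    """Decide (ok, reason) before the file is handed to GDAL/libtiff."""
    try:
        codec = first_ifd_compression(data)
    except ValueError as exc:
        return False, "rejected: %s" % exc
    if codec in ALLOWED:
        return True, "compression %d allowed" % codec
    return False, "rejected: compression %d not on allowlist" % codec

def make_tiff(order: bytes, compression: int) -> bytes:
    """Constructed sample: header plus one IFD holding only a Compression entry."""
    e = "<" if order == b"II" else ">"
    header = order + struct.pack(e + "HI", 42, 8)
    entry = struct.pack(e + "HHI", TAG_COMPRESSION, 3, 1)
    entry += struct.pack(e + "H", compression) + b"\0\0"  # SHORT value + padding
    return header + struct.pack(e + "H", 1) + entry + struct.pack(e + "I", 0)
```

Running admissible() on a file before opening it with GDAL gives a cheap, codec-independent gate; it does not replace the sandboxing the message recommends, it only shrinks what reaches the decoder.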