<div dir="ltr">Excellent! Thanks!<div><br></div><div>-kurt</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 5, 2015 at 10:21 AM, Even Rouault <span dir="ltr"><<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Kurt,<br>
<br>
Forwarding this publicly as this is of general interest.<br>
<br>
I've created <a href="http://trac.osgeo.org/gdal/ticket/5830" target="_blank">http://trac.osgeo.org/gdal/ticket/5830</a> and commited :<br>
branches/1.11 r28417 "Internal libtiff: partial upgrade to 4.0.4beta<br>
(everything, except changes in tif_jpeg.c that are not security related and<br>
cause differences in output) (#5830)"<br>
<br>
My personal statement would be that people with high security concerns or<br>
risks should avoid using libtiff, GDAL or more generally most imaging libraries<br>
on untrusted datasets on non-isolated / non-sandboxed environments. Regarding<br>
libtiff, disabling codecs that are somewhat esoteric (like NEXT compression<br>
that has received security fixes in libtiff 4.0.4beta) might be prudent too.<br>
See <a href="http://trac.osgeo.org/gdal/wiki/SecurityIssues" target="_blank">http://trac.osgeo.org/gdal/wiki/SecurityIssues</a><br>
<br>
Even<br>
<br>
Le jeudi 05 février 2015 18:21:59, Kurt Schwehr a écrit :<br>
<div class="HOEnZb"><div class="h5">> Sorry this is so last minute, but I suggest that 1.11.2 be held back until<br>
> libtiff is updated. e.g. to<br>
> <a href="ftp://ftp.remotesensing.org/pub/libtiff/tiff-4.0.4beta.tar.gz" target="_blank">ftp://ftp.remotesensing.org/pub/libtiff/tiff-4.0.4beta.tar.gz</a> or head.<br>
><br>
> There are a number of issues out in the wild:<br>
><br>
> <a href="http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.t" target="_blank">http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.t</a><br>
> xt<br>
><br>
> <a href="http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes" target="_blank">http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes</a>.<br>
> txt<br>
><br>
> <a href="http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_a" target="_blank">http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_a</a><br>
> nd_Writes.txt<br>
><br>
> -kurt<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Spatialys - Geospatial professional services<br>
<a href="http://www.spatialys.com" target="_blank">http://www.spatialys.com</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">--<div><a href="http://schwehr.org" target="_blank">http://schwehr.org</a></div></div>
</div>