LibTIFF vulnerabilities


LibTIFF vulnerabilities

Yves Younan (yvyounan)
Hi,

Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam ([hidden email]) and [hidden email] multiple times with details of the vulnerabilities but we’ve been unable to get a response.

Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.

Thanks,

Yves Younan

_______________________________________________
Tiff mailing list: [hidden email]
http://lists.maptools.org/mailman/listinfo/tiff
http://www.remotesensing.org/libtiff/

Re: LibTIFF vulnerabilities

Bob Friesenhahn
On Fri, 23 Sep 2016, Yves Younan (yvyounan) wrote:

> Hi,
>
> Cisco Talos has identified a couple of vulnerabilities in LibTIFF.
> Our vulnerability coordinator, Regina Wilson, has been trying to
> reach a maintainer of the library for a while but has been unable to
> get a response. She’s emailed both Frank Warmerdam
> ([hidden email]) and [hidden email] multiple times with
> details of the vulnerabilities but we’ve been unable to get a
> response.

This is the first I have heard of it.  The remotesensing.org domain
was lost a couple of weeks ago and we have not heard from Frank
Warmerdam in some time.

In the meantime I put the current libtiff web site content up at
"http://www.simplesystems.org/libtiff/" and it was already mirrored at
"http://libtiff.maptools.org/".

I will update the libtiff main page (wherever it is actively mirrored)
to reflect current realities.

> Per our disclosure policy, which states that vulnerabilities are
> eligible to be released 60 days after vendor notification
> (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html),
> the first of these vulnerabilities is eligible to be publicly
> disclosed Sunday, September 25th. However, if someone who is able to
> commit code is willing to contact us immediately to get these
> vulnerabilities fixed, we’re willing to delay public disclosure.

Recent libtiff maintenance has primarily been done by Even Rouault and
myself.  We are able to commit code.  Please send your vulnerability
report to me and I will make sure that Even gets a copy.

It is ideal if the reporter applies for a CVE for any vulnerability so
that the problem may be tracked.

While a fix may be committed to libtiff CVS expediently, this does not
necessarily result in an expedient fix to the millions of copies of
libtiff which are already in use.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Re: LibTIFF vulnerabilities

Lee Howard-2
On 09/23/2016 08:15 AM, Bob Friesenhahn wrote:
> While a fix may be committed to libtiff CVS expediently, this does not
> necessarily result in an expedient fix to the millions of copies of
> libtiff which are already in use.

Ideally there would be a coordinated release that involved packages at
as many distributions as possible... RedHat, SuSE, Fedora, Debian,
Ubuntu, etc.

That said, the most-recently fixed vulnerabilities were in the tools
side rather than the library side... so that mitigates the risks
considerably.  If these vulnerabilities are similarly risk-mitigated,
then the effort for a coordinated release may not be wholly necessary or
even more-productive than an earlier announcement.

Thanks,

Lee.

Re: LibTIFF vulnerabilities

Bob Friesenhahn
On Fri, 23 Sep 2016, Lee Howard wrote:

> On 09/23/2016 08:15 AM, Bob Friesenhahn wrote:
>> While a fix may be committed to libtiff CVS expediently, this does not
>> necessarily result in an expedient fix to the millions of copies of
>> libtiff which are already in use.
>
> Ideally there would be a coordinated release that involved packages at
> as many distributions as possible... RedHat, SuSE, Fedora, Debian,
> Ubuntu, etc.

Many of the distributions are only willing to apply source patches to
already released versions and are not willing to update to the latest
release.  This is definitely the norm for Debian.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Re: LibTIFF vulnerabilities

Jeff McKenna
Thanks for this information Yves, I'll inform the leads for the various
OSGeo projects.

-jeff


--
Jeff McKenna
President Emeritus, OSGeo
http://wiki.osgeo.org/wiki/Jeff_McKenna

On 2016-09-23 11:36 AM, Yves Younan (yvyounan) wrote:
> Hi,
>
> Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam ([hidden email]) and [hidden email] multiple times with details of the vulnerabilities but we’ve been unable to get a response.
>
> Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.
>
> Thanks,
>
> Yves Younan

Re: LibTIFF vulnerabilities

Even Rouault-2
Le vendredi 23 septembre 2016 19:03:46, Lee Howard a écrit :
> On 09/23/2016 08:15 AM, Bob Friesenhahn wrote:
> > While a fix may be committed to libtiff CVS expediently, this does not
> > necessarily result in an expedient fix to the millions of copies of
> > libtiff which are already in use.
>
> Ideally there would be a coordinated release that involved packages at
> as many distributions as possible... RedHat, SuSE, Fedora, Debian,
> Ubuntu, etc.

Before that, ideally more people would help looking at fixing the issues
themselves. I'm personally not going to look at the Cisco reports in the short
term, having already exceeded my volunteer time & energy on reports from other
folks, and Bob wrote to me he's busy with other things. So if other libtiff
committers want to join the party, please raise your hand.

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com

Re: LibTIFF vulnerabilities

Lee Howard-2
On 09/23/2016 03:34 PM, Even Rouault wrote:

> Le vendredi 23 septembre 2016 19:03:46, Lee Howard a écrit :
>> On 09/23/2016 08:15 AM, Bob Friesenhahn wrote:
>>> While a fix may be committed to libtiff CVS expediently, this does not
>>> necessarily result in an expedient fix to the millions of copies of
>>> libtiff which are already in use.
>> Ideally there would be a coordinated release that involved packages at
>> as many distributions as possible... RedHat, SuSE, Fedora, Debian,
>> Ubuntu, etc.
> Before that, ideally more people would help looking at fixing the issues
> themselves. I'm personally not going to look at the Cisco reports in the short
> term, having already exceeded my volunteer time & energy on reports from other
> folks, and Bob wrote to me he's busy with other things. So if other libtiff
> committers want to join the party, please raise your hand.

I can commit... or at least I used to.  So, I will be happy to help as
much as I can.

Thanks,

Lee.

Re: LibTIFF vulnerabilities

Bob Friesenhahn
On Fri, 23 Sep 2016, Lee Howard wrote:
>> Before that, ideally more people would help looking at fixing the issues
>> themselves. I'm personally not going to look at the Cisco reports in the short
>> term, having already exceeded my volunteer time & energy on reports from other
>> folks, and Bob wrote to me he's busy with other things. So if other libtiff
>> committers want to join the party, please raise your hand.
>
> I can commit... or at least I used to.  So, I will be happy to help as
> much as I can.

I am not gone entirely.  I will take a look at the condition of things
(based on files at hand) tomorrow.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Re: LibTIFF vulnerabilities

Olivier Paquet-2
2016-09-23 18:34 GMT-04:00 Even Rouault <[hidden email]>:
> Before that, ideally more people would help looking at fixing the issues
> themselves. I'm personally not going to look at the Cisco reports in the short
> term, having already exceeded my volunteer time & energy on reports from other
> folks, and Bob wrote to me he's busy with other things. So if other libtiff
> committers want to join the party, please raise your hand.

I may be able to put a little time on it over the weekend if someone
would kindly let me know about the bugs. My involvement stops at
committing a fix to CVS though.

Olivier

Re: LibTIFF vulnerabilities

Bob Friesenhahn
On Sat, 24 Sep 2016, Olivier Paquet wrote:

> 2016-09-23 18:34 GMT-04:00 Even Rouault <[hidden email]>:
>> Before that, ideally more people would help looking at fixing the issues
>> themselves. I'm personally not going to look at the Cisco reports in the short
>> term, having already exceeded my volunteer time & energy on reports from other
>> folks, and Bob wrote to me he's busy with other things. So if other libtiff
>> committers want to join the party, please raise your hand.
>
> I may be able to put a little time on it over the weekend if someone
> would kindly let me know about the bugs. My involvement stops at
> committing a fix to CVS though.

After I finish mowing my lawn, I plan to test with various reported
problem files and distill a set of files which still cause problems.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Re: LibTIFF vulnerabilities

Henk Jan Priester
On 09/23/2016 05:15 PM, Bob Friesenhahn wrote:
> On Fri, 23 Sep 2016, Yves Younan (yvyounan) wrote:
>
>> Hi,
>>
>> Cisco Talos has identified a couple of vulnerabilities in LibTIFF. Our vulnerability coordinator, Regina Wilson, has been trying to reach a maintainer of the library for a while but has been unable to get a response. She’s emailed both Frank Warmerdam ([hidden email]) and [hidden email] multiple times with details of the vulnerabilities but we’ve been unable to get a response.
>
> This is the first I have heard of it.  The remotesensing.org domain was lost a couple of weeks ago and we have not heard from Frank Warmerdam in some time.
>
> In the meantime I put the current libtiff web site content up at "http://www.simplesystems.org/libtiff/" and it was already mirrored at "http://libtiff.maptools.org/".
>
> I will update the libtiff main page (wherever it is actively mirrored) to reflect current realities.
>
>> Per our disclosure policy, which states that vulnerabilities are eligible to be released 60 days after vendor notification (http://www.cisco.com/web/about/security/psirt/vendor_vulnerability_policy.html), the first of these vulnerabilities is eligible to be publicly disclosed Sunday, September 25th. However, if someone who is able to commit code is willing to contact us immediately to get these vulnerabilities fixed, we’re willing to delay public disclosure.
>
> Recent libtiff maintenance has primarily been done by Even Rouault and myself.  We are able to commit code.  Please send your vulnerability report to me and I will make sure that Even gets a copy.
>
> It is ideal if the reporter applies for a CVE for any vulnerability so that the problem may be tracked.
>
> While a fix may be committed to libtiff CVS expediently, this does not necessarily result in an expedient fix to the millions of copies of libtiff which are already in use.
>
> Bob

Will there be a libtiff 4.0.7 if these problems are fixed?

Henk Jan

Re: LibTIFF vulnerabilities

Bob Friesenhahn
On Tue, 4 Oct 2016, Henk Jan Priester wrote:
>
> Will there be a libtiff 4.0.7 if these problems are fixed?

There will (of course) be a libtiff 4.0.7.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/