New release ? + remaining CVE tickets

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

New release ? + remaining CVE tickets

Even Rouault-2
Hi,

With all the annoying circus about recent security related fixes, I guess we
should consider a 4.0.7 release with what is already in CVS. The flow of
security reports will probably not stop soon, especially in utilities, so
better release with what we already have. That said, this is just words since
I'm not volunteering to do it.

If I trust bugzilla
http://bugzilla.maptools.org/buglist.cgi?query_format=advanced&short_desc_type=allwordssubstr&short_desc=&product=libtiff&long_desc_type=allwordssubstr&long_desc=&bug_file_loc_type=allwordssubstr&bug_file_loc=&status_whiteboard_type=allwordssubstr&status_whiteboard=&keywords_type=allwords&keywords=&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailtype1=substring&email1=&emailassigned_to2=1&emailreporter2=1&emailcc2=1&emailtype2=substring&email2=&bugidtype=include&bug_id=&votes=&chfieldfrom=&chfieldto=Now&chfieldvalue=&cmdtype=doit&order=Reuse+same+sort+as+last+time&field0-0-0=noop&type0-0-0=noop&value0-0-0=
we have 3 remaining tickets explicitly tagged CVE (but I guess most crashing
bugs can be considered security , all 3 about more or less the same issue with
TIFFGetField() use.
I created an enclosing ticket
http://bugzilla.maptools.org/show_bug.cgi?id=2580 that references those 3
tickets ( + http://bugzilla.maptools.org/show_bug.cgi?id=2433 and
http://bugzilla.maptools.org/show_bug.cgi?id=2441) since I feel this is more
or less the same issue, however I'm not sure about the proper way of
addressing this. At high level, I'd say that TIFFGetField() interface is just
impossible (or at the very least very hard) to use safely. If someone wants to
tackle that...

Even

--
Spatialys - Geospatial professional services
http://www.spatialys.com
_______________________________________________
Tiff mailing list: [hidden email]
http://lists.maptools.org/mailman/listinfo/tiff
http://www.remotesensing.org/libtiff/
Reply | Threaded
Open this post in threaded view
|

Re: New release ? + remaining CVE tickets

Bob Friesenhahn
On Fri, 28 Oct 2016, Even Rouault wrote:

> Hi,
>
> With all the annoying circus about recent security related fixes, I guess we
> should consider a 4.0.7 release with what is already in CVS. The flow of
> security reports will probably not stop soon, especially in utilities, so
> better release with what we already have. That said, this is just words since
> I'm not volunteering to do it.

I am perfectly willing to do more releases and as far as I can tell,
all the resources we need to do a release do still exist.  The hardest
part about doing a release is preparing the release notes HTML files.

The code base is typically kept in a releasable state without loose
ends.

We are likely to see more security reports for the next year or two
until it becomes too expensive (e.g. CPU time) to find any remaining
issues.

Bob
--
Bob Friesenhahn
[hidden email], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
_______________________________________________
Tiff mailing list: [hidden email]
http://lists.maptools.org/mailman/listinfo/tiff
http://www.remotesensing.org/libtiff/