
Re: CVE-2017-9935 / tiff



"Roberto C. Sánchez" <roberto@debian.org> writes:

> That sounds like a flawed assumption.  The spec (I provide a working
> link below) describes the format of a TIFF as being made up of an 8 byte
> header and one or more images (IFDs, or image file directories).

Yes, that was my guess too, although I couldn't find any evidence.

> The specification is available from the ITU and also the Library of
> Congress (which in turn links to the Wayback Machine):
>
> https://www.itu.int/itudoc/itu-t/com16/tiff-fx/docs/tiff6.pdf
> https://www.loc.gov/preservation/digital/formats/fdd/fdd000022.shtml
> https://web.archive.org/web/20150503034412/http://partners.adobe.com/public/developer/en/tiff/TIFF6.pdf

Ok, thanks. Will have a look.

> That link is outdated.  I am curious where you found that link.  The
> debian/control lists a current URL.

Google helped me find it :-)

> Upstream can be found here now:
>
> http://libtiff.maptools.org/
> http://libtiff.maptools.org/bugs.html
> http://libtiff.maptools.org/support.html

Ok, thanks.

Oops, looks like I was getting confused with this CVE (security tracker
links to the upstream bug report) and CVE-2017-11613 (security tracker
links to redhat and has no upstream BTS reference).

So http://bugzilla.maptools.org/show_bug.cgi?id=2704 is the correct
reference for this CVE.

> Of these I dislike the third option the least.  The first two have the
> potential to fail silently or to just give subtly incorrect results.  I
> think that failing noisily with an error explaining why the failure
> occurred is less bad than silently giving subtly wrong results.

Yes, I tend to agree.
-- 
Brian May <bam@debian.org>
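The quoted paragraph above describes a TIFF as an 8-byte header followed by a chain of IFDs, and the end of the thread favours failing noisily over silently producing wrong results. As an added illustration (not libtiff code and not part of this e-mail), here is a small C routine that parses that header, walks the IFD chain and refuses, with a distinct error code, anything that points outside the buffer or loops back on itself. The sample byte arrays are constructed for this example; the function and error names are hypothetical and do not correspond to any libtiff API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical error codes: any negative result means "fail noisily". */
enum {
    TIFF_ERR_SHORT_HEADER     = -1,
    TIFF_ERR_BAD_BYTEORDER    = -2,
    TIFF_ERR_BAD_MAGIC        = -3,
    TIFF_ERR_IFD_OUT_OF_RANGE = -4,
    TIFF_ERR_IFD_LOOP         = -5,
    TIFF_ERR_NO_IFD           = -6,
};

#define MAX_IFDS 64 /* arbitrary cap on chain length for this example */

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
              : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Walk the IFD chain of a classic (non-Big) TIFF held in memory.
 * Header: 2 bytes byte order ("II" or "MM"), uint16 magic 42, uint32 first IFD offset.
 * Each IFD: uint16 entry count, count * 12-byte entries, uint32 offset of next IFD (0 = end).
 * Returns the number of IFDs (>= 1) or a negative TIFF_ERR_* code. */
int tiff_count_ifds(const uint8_t *buf, size_t len) {
    if (len < 8) return TIFF_ERR_SHORT_HEADER;
    int le;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;       /* little-endian */
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;  /* big-endian */
    else return TIFF_ERR_BAD_BYTEORDER;
    if (rd16(buf + 2, le) != 42) return TIFF_ERR_BAD_MAGIC;

    uint32_t off = rd32(buf + 4, le);
    uint32_t seen[MAX_IFDS];
    int count = 0;
    while (off != 0) {
        if (count >= MAX_IFDS) return TIFF_ERR_IFD_LOOP;
        for (int i = 0; i < count; i++)
            if (seen[i] == off) return TIFF_ERR_IFD_LOOP; /* next pointer cycles back */
        /* 64-bit arithmetic so a huge offset or entry count cannot wrap around. */
        if ((uint64_t)off + 2 > len) return TIFF_ERR_IFD_OUT_OF_RANGE;
        uint16_t n = rd16(buf + off, le);
        uint64_t end = (uint64_t)off + 2 + (uint64_t)n * 12 + 4;
        if (end > len) return TIFF_ERR_IFD_OUT_OF_RANGE;   /* truncated IFD */
        seen[count++] = off;
        off = rd32(buf + off + 2 + (uint32_t)n * 12, le);
    }
    return count == 0 ? TIFF_ERR_NO_IFD : count;
}

/* Constructed sample: little-endian header, two IFDs each holding one SHORT entry. */
const uint8_t sample_two_ifds[44] = {
    'I', 'I', 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00,            /* header, first IFD at 8 */
    0x01, 0x00, 0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, /* IFD @8: 1 entry, tag 0x100 */
    0x10, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00,            /* value 16, next IFD at 26 */
    0x01, 0x00, 0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, /* IFD @26: 1 entry, tag 0x101 */
    0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,            /* value 16, end of chain */
};

/* Constructed sample: same layout, but the second IFD points back to the first. */
const uint8_t sample_ifd_loop[44] = {
    'I', 'I', 0x2a, 0x00, 0x08, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
};

int main(void) {
    printf("two IFDs   -> %d\n", tiff_count_ifds(sample_two_ifds, sizeof sample_two_ifds));
    printf("truncated  -> %d\n", tiff_count_ifds(sample_two_ifds, 30));
    printf("loop       -> %d\n", tiff_count_ifds(sample_ifd_loop, sizeof sample_ifd_loop));
    return 0;
}
```

Passing the same buffer with a shorter length simulates a truncated file: the first IFD still parses, but the second one no longer fits and the walk stops with an explicit out-of-range error rather than reading past the end of the buffer.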
