On Tue, 19 Sep 2023, Steve Underwood wrote:
> I also rely on some of those utilities being in distributions. Is there a
> concise list of the relevant CVEs? I would rather spend some time fixing
> issues than see a valuable utility get dropped.
Rather than worrying about the existing CVEs, I recommend a thorough
top/down, left/right, more holistic evaluation/analysis of each
utility, resulting in re-working/re-writing the utility the way it
should have been in the first place. Perhaps even starting by using the
older code as a reference (before the utility code started being full
of band-aid patches) is a good approach.
Other than tiffcrop (a very powerful utility), most of the utilities
have little source code. The utilities were written specifically for
TIFF (and libtiff) in order to gain capabilities and efficiencies not
readily possible for general-purpose software.
Without doing this, there will only be more CVEs.
The current active libtiff maintainers are not interested in taking on
this work. If it is done independently, then perhaps a new
implementation could be submitted to libtiff, or the utilities could
easily live in a different distribution/repository so they can respond
to bugs and feature requests independently of libtiff release cycles.
The CVEs were getting way out of hand. There were CVEs written
because it was possible to crash the utility due to incorrect
permutations of arguments, rather than due to the utility inputs.
A good way to make sure that code is working is to submit the project
for oss-fuzz's fuzz testing (https://github.com/google/oss-fuzz).
Oss-fuzz normally tests APIs but a means could be provided so that the
utilities can appear as an API for testing. For example, fmemopen()
can be inserted in place of fopen().
It is useful to take advantage of Synopsys Coverity free testing for
open-source software (e.g. https://scan.coverity.com/projects/tiff)
since it is good at ferreting out certain types of problems.
Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
_______________________________________________
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff
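As an added illustration of the fmemopen()-for-fopen() substitution Bob describes (example code, not from the thread, libtiff, or oss-fuzz): a libFuzzer-style harness where a hypothetical utility core, tool_process_stream(), takes an already-open FILE*, so the command-line path hands it fopen() output and the fuzzer hands it fmemopen() output. All function names here are assumptions.

```c
/* Needed so fmemopen() (POSIX.1-2008) is declared under strict -std modes. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>

enum { TOOL_OK = 0, TOOL_BAD_HEADER = 1, TOOL_SHORT = 2 };

/* Hypothetical utility core: reads the 8-byte TIFF header from a stream
 * rather than a path, so one code path serves both the CLI and the fuzzer.
 * Real utility work (directories, strips, tiles) would continue from here. */
int tool_process_stream(FILE *in)
{
    unsigned char hdr[8];
    if (fread(hdr, 1, sizeof hdr, in) != sizeof hdr)
        return TOOL_SHORT;
    uint16_t magic;
    if (hdr[0] == 'I' && hdr[1] == 'I')          /* little-endian */
        magic = (uint16_t)(hdr[2] | (hdr[3] << 8));
    else if (hdr[0] == 'M' && hdr[1] == 'M')     /* big-endian */
        magic = (uint16_t)((hdr[2] << 8) | hdr[3]);
    else
        return TOOL_BAD_HEADER;
    return magic == 42 ? TOOL_OK : TOOL_BAD_HEADER;
}

/* CLI path: user-facing behaviour is unchanged, fopen() as before. */
int tool_process_path(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return TOOL_SHORT;
    int rc = tool_process_stream(f);
    fclose(f);
    return rc;
}

/* Fuzzer path: the same core driven from memory via fmemopen().
 * fmemopen() rejects a zero size, so empty inputs are handled up front. */
int tool_process_memory(const uint8_t *data, size_t size)
{
    if (size == 0) return TOOL_SHORT;
    FILE *f = fmemopen((void *)data, size, "r");
    if (!f) return TOOL_SHORT;
    int rc = tool_process_stream(f);
    fclose(f);
    return rc;
}

/* libFuzzer entry point; the findings are crashes and sanitizer reports,
 * not the return code, so the status is deliberately discarded. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)tool_process_memory(data, size);
    return 0;
}
```

Build for fuzzing with `clang -fsanitize=fuzzer,address` and the utility's remaining sources; the same translation unit still links into the normal CLI binary because the harness only adds one extra entry point.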