On Sun, 1 May 2016 21:19:46 +0200 Adrien Nader <adr...@notk.org> said:
> There are basically two categories of CVEs for libtiff. If you want to > see a list of recent issues, you can quite simply go look at the > changelog for the most recent release: > http://www.remotesensing.org/libtiff/v4.0.6.html . > > There have been security issues every few weeks now. For instance, > CVE-2015-8665, CVE-2015-8784 and a few issues pending CVEs, about which > a maintainer (Bob Friesenhahn) is saying the following: > > > To my knowledge, none of the issues recently posted on this list have > > been addressed yet in libtiff. > > > > It is always our priority to fix issues occuring in libtiff itself > > before addressing issues in the libtiff utilities. Some of the > > libtiff maintainers care about only a few of the utilities. We are > > all volunteers and available time is limited. > > > > It is my intention to spend time addressing the libtiff utility issues > > (some of which might be due to issues in core libtiff) once I have > > addressed the remaining CVEs in GraphicsMagick. Issues appearing to > > be due to problems in libtiff itself will get attention first. > > So, yeah, many issues and updates are a bit laggy. so we are talking about cve's in libtiff itself? that's still unkown. what cve's was cedric looking at? let's assume he was. i don't see that we should disable libtiff just because they are taking a bit of time (several weeks) to address them. it looks like they intend to do the right thing. fix libtiff first. then worry about utilities. we don't care what cve's are in libtiff's utils. they do not affect us. i think it's premature to go disabling libs just because they take a few weeks to respond. the lib can be updated long after efl has been installed so we don't have to do work to rev a fix, so why disable then? if it was a few years of silence... ok - maybe get worried. looking at the cve db with libtiff - all cve's in 2014/15/16 reported are dos or dos overflow. no code execution. i would call this "minor". execution would be something to really worry about. anyway... i don't think we need to disable tiff support because of this. yes i know it can be enabled again. it just means that by default we're less functional for what is not a very good reason imho. > -- > Adrien Nader > > ------------------------------------------------------------------------------ > Find and fix application performance issues faster with Applications Manager > Applications Manager provides deep performance insights into multiple tiers of > your business applications. It resolves application problems quickly and > reduces your MTTR. Get your free trial! > https://ad.doubleclick.net/ddm/clk/302982198;130105516;z > _______________________________________________ > enlightenment-devel mailing list > enlightenment-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/enlightenment-devel > -- ------------- Codito, ergo sum - "I code, therefore I am" -------------- The Rasterman (Carsten Haitzler) ras...@rasterman.com ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
