On 05/02/2016 08:22 AM, Carsten Haitzler (The Rasterman) wrote: > On Sun, 1 May 2016 21:19:46 +0200 Adrien Nader <adr...@notk.org> said: > >> There are basically two categories of CVEs for libtiff. If you want to >> see a list of recent issues, you can quite simply go look at the >> changelog for the most recent release: >> http://www.remotesensing.org/libtiff/v4.0.6.html . >> >> There have been security issues every few weeks now. For instance, >> CVE-2015-8665, CVE-2015-8784 and a few issues pending CVEs, about which >> a maintainer (Bob Friesenhahn) is saying the following: >> >>> To my knowledge, none of the issues recently posted on this list have >>> been addressed yet in libtiff. >>> >>> It is always our priority to fix issues occuring in libtiff itself >>> before addressing issues in the libtiff utilities. Some of the >>> libtiff maintainers care about only a few of the utilities. We are >>> all volunteers and available time is limited. >>> >>> It is my intention to spend time addressing the libtiff utility issues >>> (some of which might be due to issues in core libtiff) once I have >>> addressed the remaining CVEs in GraphicsMagick. Issues appearing to >>> be due to problems in libtiff itself will get attention first. >> >> So, yeah, many issues and updates are a bit laggy. > > so we are talking about cve's in libtiff itself? that's still unkown. what > cve's was cedric looking at? let's assume he was. i don't see that we should > disable libtiff just because they are taking a bit of time (several weeks) to > address them. it looks like they intend to do the right thing. fix libtiff > first. then worry about utilities. we don't care what cve's are in libtiff's > utils. they do not affect us. > > i think it's premature to go disabling libs just because they take a few weeks > to respond. the lib can be updated long after efl has been installed so we > don't > have to do work to rev a fix, so why disable then? if it was a few years of > silence... ok - maybe get worried. > > looking at the cve db with libtiff - all cve's in 2014/15/16 reported are dos > or > dos overflow. no code execution. i would call this "minor". execution would be > something to really worry about. anyway... i don't think we need to disable > tiff support because of this. yes i know it can be enabled again. it just > means > that by default we're less functional for what is not a very good reason imho. > >> -- >> Adrien Nader >>
From looking through SUSE's bugtracker (Contains a bug report for every CVE in a SUSE/openSUSE product), There is 1 medium priority bug in tifftogif, there are 3 other medium priority bugs (all with patches available and either have bugfix packages released or well on there way in openSUSE), you can presume other distro's with an active security team are in a similar situation. All the other CVE's have been marked as minor by SUSE's security team and not requiring immediate attention so they are about on par with the majority of the imlib2 bugs that have come through here in the last 2 weeks. So yes efl should keep building with tiff support the important fixes are being fixed and going into distro's, if theres ever a major issue one of the enterprise distro's engineers will fix it and provide patches (Thats what customers pay for) Cheers -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adeliade Australia, UTC+9:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
