On Mon, 2 May 2016 09:09:14 +0930 Simon Lees <sfl...@suse.de> said: > > > On 05/02/2016 08:22 AM, Carsten Haitzler (The Rasterman) wrote: > > On Sun, 1 May 2016 21:19:46 +0200 Adrien Nader <adr...@notk.org> said: > > > >> There are basically two categories of CVEs for libtiff. If you want to > >> see a list of recent issues, you can quite simply go look at the > >> changelog for the most recent release: > >> http://www.remotesensing.org/libtiff/v4.0.6.html . > >> > >> There have been security issues every few weeks now. For instance, > >> CVE-2015-8665, CVE-2015-8784 and a few issues pending CVEs, about which > >> a maintainer (Bob Friesenhahn) is saying the following: > >> > >>> To my knowledge, none of the issues recently posted on this list have > >>> been addressed yet in libtiff. > >>> > >>> It is always our priority to fix issues occuring in libtiff itself > >>> before addressing issues in the libtiff utilities. Some of the > >>> libtiff maintainers care about only a few of the utilities. We are > >>> all volunteers and available time is limited. > >>> > >>> It is my intention to spend time addressing the libtiff utility issues > >>> (some of which might be due to issues in core libtiff) once I have > >>> addressed the remaining CVEs in GraphicsMagick. Issues appearing to > >>> be due to problems in libtiff itself will get attention first. > >> > >> So, yeah, many issues and updates are a bit laggy. > > > > so we are talking about cve's in libtiff itself? that's still unkown. what > > cve's was cedric looking at? let's assume he was. i don't see that we should > > disable libtiff just because they are taking a bit of time (several weeks) > > to address them. it looks like they intend to do the right thing. fix > > libtiff first. then worry about utilities. we don't care what cve's are in > > libtiff's utils. they do not affect us. > > > > i think it's premature to go disabling libs just because they take a few > > weeks to respond. the lib can be updated long after efl has been installed > > so we don't have to do work to rev a fix, so why disable then? if it was a > > few years of silence... ok - maybe get worried. > > > > looking at the cve db with libtiff - all cve's in 2014/15/16 reported are > > dos or dos overflow. no code execution. i would call this "minor". > > execution would be something to really worry about. anyway... i don't think > > we need to disable tiff support because of this. yes i know it can be > > enabled again. it just means that by default we're less functional for what > > is not a very good reason imho. > > > >> -- > >> Adrien Nader > >> > > From looking through SUSE's bugtracker (Contains a bug report for every > CVE in a SUSE/openSUSE product), There is 1 medium priority bug in > tifftogif, there are 3 other medium priority bugs (all with patches > available and either have bugfix packages released or well on there way > in openSUSE), you can presume other distro's with an active security > team are in a similar situation. All the other CVE's have been marked as > minor by SUSE's security team and not requiring immediate attention so > they are about on par with the majority of the imlib2 bugs that have > come through here in the last 2 weeks. > > So yes efl should keep building with tiff support the important fixes > are being fixed and going into distro's, if theres ever a major issue > one of the enterprise distro's engineers will fix it and provide patches > (Thats what customers pay for) > > Cheers
yeah.. so i reverted going back to on by default. it doesn't seem bad enough to warrant a response from efl. distros will patch libtiff if necessary and upstream does seem to do things (it's not dead). -- ------------- Codito, ergo sum - "I code, therefore I am" -------------- The Rasterman (Carsten Haitzler) ras...@rasterman.com ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
