Kurt, Forwarding this publicly as this is of general interest.
I've created http://trac.osgeo.org/gdal/ticket/5830 and commited : branches/1.11 r28417 "Internal libtiff: partial upgrade to 4.0.4beta (everything, except changes in tif_jpeg.c that are not security related and cause differences in output) (#5830)" My personal statement would be that people with high security concerns or risks should avoid using libtiff, GDAL or more generally most imaging libraries on untrusted datasets on non-isolated / non-sandboxed environments. Regarding libtiff, disabling codecs that are somewhat esoteric (like NEXT compression that has received security fixes in libtiff 4.0.4beta) might be prudent too. See http://trac.osgeo.org/gdal/wiki/SecurityIssues Even Le jeudi 05 février 2015 18:21:59, Kurt Schwehr a écrit : > Sorry this is so last minute, but I suggest that 1.11.2 be held back until > libtiff is updated. e.g. to > ftp://ftp.remotesensing.org/pub/libtiff/tiff-4.0.4beta.tar.gz or head. > > There are a number of issues out in the wild: > > http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.t > xt > > http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes. > txt > > http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_a > nd_Writes.txt > > -kurt -- Spatialys - Geospatial professional services http://www.spatialys.com _______________________________________________ gdal-dev mailing list gdal-dev@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/gdal-dev