Excellent! Thanks! -kurt
On Thu, Feb 5, 2015 at 10:21 AM, Even Rouault <even.roua...@spatialys.com> wrote:
> Kurt,
>
> Forwarding this publicly as this is of general interest.
>
> I've created http://trac.osgeo.org/gdal/ticket/5830 and committed:
> branches/1.11 r28417 "Internal libtiff: partial upgrade to 4.0.4beta
> (everything, except changes in tif_jpeg.c that are not security related and
> cause differences in output) (#5830)"
>
> My personal statement would be that people with high security concerns or
> risks should avoid using libtiff, GDAL or more generally most imaging libraries
> on untrusted datasets on non-isolated / non-sandboxed environments. Regarding
> libtiff, disabling codecs that are somewhat esoteric (like NEXT compression
> that has received security fixes in libtiff 4.0.4beta) might be prudent too.
> See http://trac.osgeo.org/gdal/wiki/SecurityIssues
>
> Even
>
> On Thursday 05 February 2015 18:21:59, Kurt Schwehr wrote:
> > Sorry this is so last minute, but I suggest that 1.11.2 be held back until
> > libtiff is updated, e.g. to
> > ftp://ftp.remotesensing.org/pub/libtiff/tiff-4.0.4beta.tar.gz or head.
> >
> > There are a number of issues out in the wild:
> >
> > http://www.conostix.com/pub/adv/CVE-2014-8127-LibTIFF-Out-of-bounds_Reads.txt
> > http://www.conostix.com/pub/adv/CVE-2014-8128-LibTIFF-Out-of-bounds_Writes.txt
> > http://www.conostix.com/pub/adv/CVE-2014-8129-LibTIFF-Out-of-bounds_Reads_and_Writes.txt
> >
> > -kurt
>
> --
> Spatialys - Geospatial professional services
> http://www.spatialys.com

--
http://schwehr.org
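As an added example, not code from this thread nor from GDAL or libtiff, here is a small defender-side pre-filter in the spirit of Even's advice: it reads the Compression tag (259) of every IFD in a classic TIFF and flags codecs outside a mainstream allowlist before the file is handed to libtiff/GDAL. The codec numbers are the COMPRESSION_* constants from libtiff's tiff.h (NEXT is 32766); the allowlist itself and the constructed sample file are assumptions for illustration.

```python
import struct

# COMPRESSION_* values from libtiff's tiff.h (subset).
COMPRESSION_NAMES = {
    1: "NONE", 2: "CCITTRLE", 3: "CCITTFAX3", 4: "CCITTFAX4", 5: "LZW",
    7: "JPEG", 8: "ADOBE_DEFLATE", 32766: "NEXT", 32773: "PACKBITS",
    32946: "DEFLATE",
}
# Assumed allowlist of mainstream codecs; esoteric ones such as NEXT are rejected.
ALLOWED = {1, 5, 7, 8, 32773, 32946}
TAG_COMPRESSION = 259

def tiff_compressions(data: bytes) -> list:
    """Return the Compression value of every IFD in a classic (non-Big) TIFF."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF file")
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise ValueError("unsupported TIFF magic (BigTIFF not handled)")
    found, seen = [], set()
    while ifd_off and ifd_off not in seen:      # 'seen' guards against IFD loops
        seen.add(ifd_off)
        if ifd_off + 2 > len(data):
            raise ValueError("IFD offset out of bounds")
        (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
        entries = ifd_off + 2
        if entries + 12 * n + 4 > len(data):
            raise ValueError("truncated IFD")
        comp = 1                                 # TIFF default when tag is absent
        for i in range(n):
            e = entries + 12 * i
            tag, typ, count = struct.unpack(end + "HHI", data[e:e + 8])
            if tag == TAG_COMPRESSION and typ == 3 and count == 1:
                # SHORT values are stored in the first two bytes of the value field
                (comp,) = struct.unpack(end + "H", data[e + 8:e + 10])
        found.append(comp)
        nxt = entries + 12 * n
        (ifd_off,) = struct.unpack(end + "I", data[nxt:nxt + 4])
    return found

def check_tiff(data: bytes) -> list:
    """Names of codecs outside the allowlist; an empty list means the file passes."""
    return [COMPRESSION_NAMES.get(c, f"unknown({c})")
            for c in tiff_compressions(data) if c not in ALLOWED]

def make_tiff(comp: int) -> bytes:
    """Constructed sample: one-IFD little-endian TIFF carrying only a Compression tag."""
    entry = struct.pack("<HHIHH", TAG_COMPRESSION, 3, 1, comp, 0)
    return b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1) + entry + struct.pack("<I", 0)

if __name__ == "__main__":
    print(check_tiff(make_tiff(32766)))  # ['NEXT']
```

Rejecting a file here is a cheap first gate; it does not replace running the decoder itself in an isolated environment as the thread recommends.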