ISC Stormcast For Monday, June 6th 2016 http://isc.sans.edu/podcastdetail.html?id=5027

What's Going on With libtiff?

Published: 2016-06-05
Last Updated: 2016-06-05 17:03:11 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

"libtiff", as the name implies, is a library used to parse TIFF formatted images. While you don't run into TIFF images on the web every day, the format is quite popular for higher-resolution/high quality applications like printing. TIFF allows the user to select between lossless or lossy compression depending on the preferences of the user.

While the library is very popular, a reader wrote in last week asking if the library is still maintained.

Currently, there are three security issues listed in NIST's vulnerability database. These issues affect the most recent version of libtiff (4.0.6), which was released in September last year.  Popular software, like for example Google Chrome, uses libtiff and could be used to exploit these vulnerabilities.

This issue isn't unique to libtiff. Important libraries (not just open source, the same problem can come up with commercial software as well...) stop being maintained without notice, and users of these libraries have no idea that new vulnerabilities are no longer patched. 

If you develop software, it is critical that you track code that you include (again: open source and commercial). There are a number of check you should perform before adding a library to your repository of "approved third party code":

- is the code still maintained? (e.g. are there any outstanding vulnerabilities known)
- how would you learn about a patch being released? (mailing list? )
- is the code's license compatible with your project? (some open source licenses restrict commercial use)

And most important: Have a repository of "approved third party code"! Don't just include libraries without considering alternatives first. Code reuse is great, and developers should take advantage of already written code, but you have to manage the use of third party code.

And finally: What is your exit strategy? I have no idea what to recommend in the libtiff case. Can you do without it? Can you afford to wait (I don't see any exploits ... yet ... publicly...) 

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
7 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives