[IPOL discuss] embedded libraries vs. security updates

Nicolas Limare nicolas.limare at cmla.ens-cachan.fr
Mon Apr 4 08:38:05 CEST 2011

Hi all,

Today, a security update for libtiff has been released[1]. There were
three vulnerabilities discovered and fixed in the libtiff library
code. Theoretically these vulnerabilities could allow someone to
upload to IPOL demos a specially crafted TIFF image and use this
vector to execute their own program from the server. This kind of
vulnerability and security update is frequent and easily addressed by
updating the "libtiff" software on the server.

But if IPOL demos authors had decided to include the libtiff code or
binary with their implementation, the situation would have been more
sensible, and would have required to check and fix all the libtiff
code in all the demos, and recompile the demos.

This is one of the reasons why I think libraries should not be
included with the algorithms' code, and we should only pick the parts
of external libraries we need, not the whole code.


Nicolas LIMARE - CMLA - ENS Cachan    http://www.cmla.ens-cachan.fr/~limare/
IPOL - image processing on line                          http://www.ipol.im/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://tools.ipol.im/mailman/archive/discuss/attachments/20110404/55e56dbb/attachment.pgp>

More information about the discuss mailing list