[IPOL discuss] embedded libraries vs. security updates

Jean-Michel Morel morel at cmla.ens-cachan.fr
Mon Apr 4 08:45:26 CEST 2011

Dear Nicolas,

I suggest that this recommendation be added to the recommendations to
authors on the IPOL site.

Nicolas Limare wrote:
> Hi all,
> Today, a security update for libtiff has been released[1]. There were
> three vulnerabilities discovered and fixed in the libtiff library
> code. Theoretically these vulnerabilities could allow someone to
> upload to IPOL demos a specially crafted TIFF image and use this
> vector to execute their own program from the server. This kind of
> vulnerability and security update is frequent and easily addressed by
> updating the "libtiff" software on the server.
> But if IPOL demos authors had decided to include the libtiff code or
> binary with their implementation, the situation would have been more
> sensitive, and would have required checking and fixing all the libtiff
> code in all the demos, and recompiling the demos.
> This is one of the reasons why I think libraries should not be
> included with the algorithms' code, and we should only pick the parts
> of external libraries we need, not the whole code.
> [1]http://www.debian.org/security/2011/dsa-2210
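The practical problem Nicolas describes is knowing, after an advisory like DSA-2210, which demos carry their own copy of libtiff and so are not covered by the server's package update. The script below is an added example for this thread, not code from IPOL or from either author. It walks a tree of demo directories, reports embedded libtiff sources by the `TIFFLIB_VERSION` release-date define in their `tiffvers.h` (the date form that header carries, e.g. `20100615`) and embedded libtiff binaries by filename, then lists the copies that still need attention relative to a given fixed version. The directory layout, the demo names and the version numbers are constructed for the demonstration, and `fixed_version` is a placeholder cutoff rather than the date of any particular release.

```python
import os
import re
import tempfile
from pathlib import Path

# The numeric release-date define in libtiff's tiffvers.h,
# e.g. "#define TIFFLIB_VERSION 20100615".
_VERSION_RE = re.compile(r"^\s*#\s*define\s+TIFFLIB_VERSION\s+(\d{8})", re.MULTILINE)

# Filenames that indicate a vendored libtiff binary rather than source.
_BINARY_RE = re.compile(r"^libtiff(\.so(\.\d+)*|\.a|\.dylib|\.dll)$")


def find_vendored_libtiff(root):
    """Walk `root` and return a sorted list of (relative path, version) pairs.

    Source copies are recognised by a tiffvers.h header and reported with the
    TIFFLIB_VERSION date found in it ("unknown" if the define is missing);
    binary copies are reported with version None, because the version cannot
    be read from the filename alone."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name == "tiffvers.h":
                match = _VERSION_RE.search(path.read_text(errors="replace"))
                hits.append((rel, match.group(1) if match else "unknown"))
            elif _BINARY_RE.match(name):
                hits.append((rel, None))
    return sorted(hits)


def older_than(hits, fixed_version):
    """Return the hits that still need attention once `fixed_version`
    (a YYYYMMDD string) is the first fixed release: source copies that are
    older or of unknown version, and every binary copy, which this check
    cannot date and therefore cannot clear."""
    return [(rel, ver) for rel, ver in hits
            if ver is None or ver == "unknown" or ver < fixed_version]


def build_sample_tree():
    """Create a constructed demo tree (not real IPOL data) in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="ipol_demos_"))
    # demo_a vendors an old libtiff source tree (constructed header).
    (root / "demo_a" / "libtiff").mkdir(parents=True)
    (root / "demo_a" / "libtiff" / "tiffvers.h").write_text(
        '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 3.9.2"\n'
        "#define TIFFLIB_VERSION 20091104\n")
    # demo_b ships a prebuilt shared object (constructed stub, not a real ELF).
    (root / "demo_b" / "lib").mkdir(parents=True)
    (root / "demo_b" / "lib" / "libtiff.so.3").write_bytes(b"\x7fELF")
    # demo_c links against the system library only, so it is covered by apt.
    (root / "demo_c").mkdir()
    (root / "demo_c" / "main.c").write_text("#include <tiffio.h>\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = find_vendored_libtiff(tree)
    for rel, ver in found:
        print(f"{rel}: {'binary' if ver is None else 'TIFFLIB_VERSION ' + ver}")
    # Placeholder cutoff: substitute the date of the first fixed libtiff release.
    fixed_version = "20110101"
    print("still to audit after the fix:", older_than(found, fixed_version))
```

Run it against the real demo root instead of the sample tree to get the list of demos that must be patched and recompiled by hand; demos that only `#include <tiffio.h>` and link the system library do not appear, which is exactly the point of the recommendation.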
