[IPOL discuss] embedded libraries vs. security updates
Jean-Michel Morel
morel at cmla.ens-cachan.fr
Mon Apr 4 08:45:26 CEST 2011
Dear Nicolas,
I suggest that this recommendation be added to the recommendations to
authors on the IPOL site.
Best,
JM
Nicolas Limare wrote:
> Hi all,
>
> Today, a security update for libtiff has been released [1]. There were
> three vulnerabilities discovered and fixed in the libtiff library
> code. Theoretically these vulnerabilities could allow someone to
> upload to IPOL demos a specially crafted TIFF image and use this
> vector to execute their own program from the server. This kind of
> vulnerability and security update is frequent and easily addressed by
> updating the "libtiff" software on the server.
>
> But if IPOL demo authors had decided to include the libtiff code or
> binary with their implementation, the situation would have been more
> sensible, and would have required checking and fixing all the libtiff
> code in all the demos, and recompiling the demos.
>
> This is one of the reasons why I think libraries should not be
> included with the algorithms' code, and we should only pick the parts
> of external libraries we need, not the whole code.
>
> [1]http://www.debian.org/security/2011/dsa-2210
>
>
>
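One way to turn the argument above into a routine check, as an added example (not IPOL's own tooling): a Python scan that inventories private libtiff copies under a tree of demo sources and lists the demos whose bundled version predates a fix, which a package update of the server's libtiff would not cover. It assumes each vendored copy keeps libtiff's tiffvers.h with its TIFFLIB_VERSION_STR line; the sample tree and the fixed version passed in are constructed, since the advisory's fixed version is not quoted in the thread.

```python
"""Inventory vendored libtiff copies under a tree of demo sources and flag
those older than the version a security update fixes (added example)."""
import re
import tempfile
from pathlib import Path

# libtiff's tiffvers.h carries a line like (format assumed here):
#   #define TIFFLIB_VERSION_STR "LIBTIFF, Version 3.9.4 ..."
VERSION_RE = re.compile(r"LIBTIFF,\s*Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(header_text):
    """Return (major, minor, patch) parsed from a tiffvers.h body, or None."""
    match = VERSION_RE.search(header_text)
    return tuple(int(x) for x in match.groups()) if match else None


def find_vendored_libtiff(root):
    """Yield (demo_name, version) for every tiffvers.h below root; the demo
    name is the top-level directory holding the copy."""
    root = Path(root)
    for path in root.rglob("tiffvers.h"):
        parts = path.relative_to(root).parts
        demo = parts[0] if len(parts) > 1 else "."
        yield demo, parse_version(path.read_text(errors="replace"))


def demos_needing_rebuild(root, fixed_version):
    """Map demo -> bundled version for every demo whose private libtiff is
    older than fixed_version or unreadable (None): a system package update
    never reaches these copies, so each one must be patched and rebuilt."""
    return {demo: ver for demo, ver in find_vendored_libtiff(root)
            if ver is None or ver < fixed_version}


def build_sample_tree(base=None):
    """Write a constructed demo tree (not real IPOL demos) and return its path."""
    base = Path(base or tempfile.mkdtemp())
    layout = {
        "denoise/libtiff/tiffvers.h": '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 3.9.2"\n',
        "inpaint/third_party/tiffvers.h": '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 3.9.5"\n',
        "segment/tiff/tiffvers.h": "/* version line stripped: must be checked by hand */\n",
        "zoom/main.c": "/* this demo links the system libtiff instead */\n",
    }
    for rel, body in layout.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(body)
    return base
```

Run `demos_needing_rebuild(build_sample_tree(), (3, 9, 5))` with the fixed version taken from the advisory you are responding to; demos reported with version None carry a copy whose version could not be read and need a manual look.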