ID: 0005469
Project: ITK
View Status: public
Date Submitted: 2007-08-09 12:03
Last Update: 2011-06-17 13:02
Reporter: Sean McBride
Assigned To: Luis Ibanez
Priority: urgent
Severity: crash
Reproducibility: always
Status: assigned
Resolution: open
Summary: 0005469: VTK/ITK use old versions of libtiff (containing security vulnerabilities); should update
Description: As of 2007-08-09 the latest version of libTIFF is 3.8.2. See http://www.remotesensing.org/libtiff/

VTK includes 3.5.7 according to its "VERSION" file. ITK includes 3.7.2 according to its "VERSION" file.

A quick search of the Common Vulnerabilities and Exposures (CVE) database reveals that there have been several serious bugs that may allow arbitrary code execution:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libtiff

VTK and ITK are therefore likely vulnerable as well!

That's one good reason to update. Another is that there have been 2 requests already, bugs 529 and 2320. Another is that the newer libtiff is likely to better support 64 bit machines, as they have become much more popular in recent years.
Tags: No tags attached.
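
The staleness check described in the report (reading each bundled copy's "VERSION" file and comparing it with the current release), as an added example that is not code from VTK, ITK or the reporter. It assumes a vendored copy sits in a directory whose name contains "tiff" and carries a VERSION file; every path in the sample tree except VTK/Utilities/vtktiff is constructed.

```python
import os
import re
import tempfile

MIN_CURRENT = (3, 8, 2)  # latest libtiff release named in the report

def parse_version(text):
    """Return the leading dotted-numeric version as a tuple, or None.
    Suffixes such as 'beta6' are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def audit_vendored(root, name_hint="tiff", minimum=MIN_CURRENT):
    """Find vendored copies (directories named like name_hint that hold a
    VERSION file) and return sorted (relative dir, version, status) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if name_hint not in os.path.basename(dirpath).lower():
            continue
        if "VERSION" not in files:
            continue
        path = os.path.join(dirpath, "VERSION")
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read())
        if version is None:
            status = "unknown"    # unparseable: needs manual review
        elif version < minimum:
            status = "outdated"   # older than the release to compare against
        else:
            status = "ok"
        findings.append((os.path.relpath(dirpath, root), version, status))
    return sorted(findings)

def demo():
    """Audit a constructed tree that mirrors the versions quoted above."""
    sample = {
        "VTK/Utilities/vtktiff": "3.5.7\n",
        "ITK/Utilities/itktiff": "3.7.2\n",  # constructed path
        "Other/tiff": "3.8.2\n",             # constructed, current
        "Broken/tiff": "see README\n",       # constructed, unparseable
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample.items():
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, "VERSION"), "w") as fh:
                fh.write(content)
        return audit_vendored(root)

if __name__ == "__main__":
    for rel, version, status in demo():
        print(f"{status:9} {rel} {version}")
```

An "outdated" result only says the copy predates the comparison release; whether a given CVE applies still has to be checked against the affected-version range in its advisory.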

  Notes
(0008460)
Sean McBride (developer)
2007-08-14 15:12

As evidence of the 64 bit problems that likely exist in the current CVS version, consider:

/Users/sean/kitware/VTK/Utilities/vtktiff/tif_packbits.c: In function ‘PackBitsEncodeChunk’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_packbits.c:191: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_packbits.c:201: warning: cast from pointer to integer of different size
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_pixarlog.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_predict.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_print.o
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_print.c: In function ‘vtk_TIFFPrintDirectory’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_print.c:75: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 3 has type ‘toff_t’
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_read.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_strip.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_swab.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_thunder.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_tile.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_version.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_warning.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_write.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_zip.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_unix.o
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffReadProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:38: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffWriteProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:44: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffSeekProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:53: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffCloseProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:60: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffSizeProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:77: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘vtk_TIFFFdOpen’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:130: warning: cast to pointer from integer of different size
(0010318)
Sean McBride (developer)
2008-01-28 18:46

Because this involves security vulnerabilities, I think it should be fixed for 5.2.
(0011763)
Sean McBride (developer)
2008-05-08 14:12

Andinet recently updated vtk to 3.8.2, but itk is still not updated.
(0022968)
Luis Ibanez (manager)
2010-11-07 00:52

We are updating libtiff in ITKv4 to the version TIFF 4beta6.
(0023055)
Sean McBride (developer)
2010-11-08 09:45

That's good news. Will VTK be kept in sync?
(0026904)
Hans Johnson (developer)
2011-06-17 13:02

Luis will address.

 Issue History
Date Modified Username Field Change
2007-08-09 12:03 Sean McBride New Issue
2007-08-14 15:12 Sean McBride Note Added: 0008460
2007-10-17 10:08 Sean McBride Description Updated
2008-01-28 18:46 Sean McBride Note Added: 0010318
2008-01-28 18:46 Sean McBride Status new => assigned
2008-01-28 18:46 Sean McBride Assigned To => David Cole
2008-05-08 14:12 Sean McBride Note Added: 0011763
2008-05-08 14:13 Sean McBride Assigned To David Cole => Andinet
2008-07-28 11:25 Sean McBride Assigned To Andinet => Luis Ibanez
2008-09-02 13:28 Sean McBride Project @1@ => ITK
2010-11-07 00:52 Luis Ibanez Note Added: 0022968
2010-11-08 09:45 Sean McBride Note Added: 0023055
2011-06-17 13:02 Hans Johnson Note Added: 0026904

