MantisBT - ITK
View Issue Details
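ID: 0005469
Project: ITK
View Status: public
Date Submitted: 2007-08-09 12:03
Last Update: 2011-06-17 13:02
Reporter: Sean McBride
Assigned To: Luis Ibanez
Priority: urgent
Severity: crash
Reproducibility: always
Status: assigned
Resolution: open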
0005469: VTK/ITK use old versions of libtiff (containing security vulnerabilities); should update
As of 2007-08-09 the latest version of libTIFF is 3.8.2. See http://www.remotesensing.org/libtiff/

VTK includes 3.5.7 according to its "VERSION" file. ITK includes 3.7.2 according to its "VERSION" file.

A quick search of the Common Vulnerabilities and Exposures (CVE) database reveals that there have been several serious bugs that may allow arbitrary code execution:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libtiff

VTK and ITK are therefore likely vulnerable as well!

That's one good reason to update. Another is that there have been 2 requests already, bugs 529 and 2320. Another is that the newer libtiff is likely to better support 64 bit machines, as they have become much more popular in recent years.
No tags attached.
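The check described in the report (reading each bundled copy's "VERSION" file and comparing it with the current release) can be automated across a source tree. The following is an added example, not part of the original issue or of VTK/ITK; the `tif_*.c` detection heuristic and the `itktiff` directory name are assumptions, and the baseline is the 3.8.2 release named in the report.

```python
import os
import re
import tempfile

# Baseline taken from the report: 3.8.2 was the latest libtiff on 2007-08-09.
BASELINE = "3.8.2"

def parse_version(text):
    """Turn '3.7.2' or '4.0.0beta6' into a sortable key; None if unparseable."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)\s*([A-Za-z]+)?\s*(\d+)?", text)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))           # pad '3.8' to (3, 8, 0)
    if m.group(2):                           # pre-release sorts below the final release
        return nums + (0, int(m.group(3) or 0))
    return nums + (1, 0)

def find_vendored_libtiff(root):
    """Yield (directory, version string) for each bundled libtiff copy under root."""
    for dirpath, _dirs, files in os.walk(root):
        # Heuristic (assumption): libtiff sources are named tif_*.c and ship a VERSION file.
        if "VERSION" in files and any(f.startswith("tif_") and f.endswith(".c") for f in files):
            with open(os.path.join(dirpath, "VERSION"), encoding="ascii", errors="replace") as fh:
                yield dirpath, fh.readline().strip()

def audit(root, baseline=BASELINE):
    """Return sorted (relative dir, version, status) rows; status is OUTDATED, OK or UNKNOWN."""
    floor, rows = parse_version(baseline), []
    for path, ver in find_vendored_libtiff(root):
        key = parse_version(ver)
        status = "UNKNOWN" if key is None else ("OUTDATED" if key < floor else "OK")
        rows.append((os.path.relpath(path, root), ver, status))
    return sorted(rows)

def demo():
    """Build a constructed tree with the versions quoted in the report and audit it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample: itktiff is an assumed directory name.
        for rel, ver in (("VTK/Utilities/vtktiff", "3.5.7"), ("ITK/Utilities/itktiff", "3.7.2")):
            d = os.path.join(root, *rel.split("/"))
            os.makedirs(d)
            open(os.path.join(d, "tif_unix.c"), "w").close()
            with open(os.path.join(d, "VERSION"), "w") as fh:
                fh.write(ver + "\n")
        return audit(root)

if __name__ == "__main__":
    for row in demo():
        print("%-28s %-10s %s" % row)
```

A copy whose VERSION file cannot be parsed is reported as UNKNOWN rather than silently passed, so it still gets a manual look.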
Issue History
Date Modified | Username | Field | Change
2007-08-09 12:03 | Sean McBride | New Issue |
2007-08-14 15:12 | Sean McBride | Note Added: 0008460 |
2007-10-17 10:08 | Sean McBride | Description Updated |
2008-01-28 18:46 | Sean McBride | Note Added: 0010318 |
2008-01-28 18:46 | Sean McBride | Status | new => assigned
2008-01-28 18:46 | Sean McBride | Assigned To | => David Cole
2008-05-08 14:12 | Sean McBride | Note Added: 0011763 |
2008-05-08 14:13 | Sean McBride | Assigned To | David Cole => Andinet
2008-07-28 11:25 | Sean McBride | Assigned To | Andinet => Luis Ibanez
2008-09-02 13:28 | Sean McBride | Project | @1@ => ITK
2010-11-07 00:52 | Luis Ibanez | Note Added: 0022968 |
2010-11-08 09:45 | Sean McBride | Note Added: 0023055 |
2011-06-17 13:02 | Hans Johnson | Note Added: 0026904 |

Notes
(0008460)
Sean McBride   
2007-08-14 15:12   
As evidence of the 64 bit problems that likely exist in the current CVS version, consider:

/Users/sean/kitware/VTK/Utilities/vtktiff/tif_packbits.c: In function ‘PackBitsEncodeChunk’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_packbits.c:191: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_packbits.c:201: warning: cast from pointer to integer of different size
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_pixarlog.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_predict.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_print.o
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_print.c: In function ‘vtk_TIFFPrintDirectory’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_print.c:75: warning: format ‘%lx’ expects type ‘long unsigned int’, but argument 3 has type ‘toff_t’
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_read.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_strip.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_swab.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_thunder.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_tile.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_version.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_warning.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_write.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_zip.o
[ 5%] Building C object Utilities/vtktiff/CMakeFiles/vtktiff.dir/tif_unix.o
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffReadProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:38: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffWriteProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:44: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffSeekProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:53: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffCloseProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:60: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘_tiffSizeProc’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:77: warning: cast from pointer to integer of different size
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c: In function ‘vtk_TIFFFdOpen’:
/Users/sean/kitware/VTK/Utilities/vtktiff/tif_unix.c:130: warning: cast to pointer from integer of different size
(0010318)
Sean McBride   
2008-01-28 18:46   
Because this involves security vulnerabilities, I think it should be fixed for 5.2.
(0011763)
Sean McBride   
2008-05-08 14:12   
Andinet recently updated vtk to 3.8.2, but itk is still not updated.
(0022968)
Luis Ibanez   
2010-11-07 00:52   
We are updating libtiff in ITKv4 to the version TIFF 4beta6.
(0023055)
Sean McBride   
2010-11-08 09:45   
That's good news. Will VTK be kept in sync?
(0026904)
Hans Johnson   
2011-06-17 13:02   
Luis will address.