Outdated LibTiff Sources in ITK Project (CVE-2016-9534) #4777
Labels
area:ThirdParty
Issues affecting the ThirdParty module
type:Bug
Inconsistencies or issues which will cause an incorrect result under some or all circumstances
Milestone
Comments
Garnik645
added
the
type:Bug
|
Thank you for contributing an issue! 🙏 Welcome to the ITK community! 🤗👋☀️ We are glad you are here and appreciate your contribution. Please keep in mind our community participation guidelines. 📜 This is an automatic message. Allow for time for the ITK community to be able to read the issue and comment on it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
The master branch of the ITK project contains unpatched sources from libtiff, in which CVE-2016-9534 was reported with critical severity. The functions
TIFFFlushData1fromITK/Modules/ThirdParty/TIFF/src/itktiff/tif_write.cdoes not include security patches and updates available in newer versions of libtiff, which can cause heap-buffer-overflow. The fix for CVE can be found in this commit: libtiff commit.Possible Solution
To ensure that all security patches are applied, I strongly recommend updating the libtiff files in the ITK project to the latest version available.
Report Origin
My report was primarily based on a static analysis tool developed at CAST, which flagged the potential vulnerability due to similarities in the codebase.
The text was updated successfully, but these errors were encountered: