Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-07 Thread Ellen Johnson
Thank you Bob for explaining more about libtiff and security fixes.  Believe 
me, I feel libtiff developers' pain with CVEs, as we have a challenging time 
keeping up with all the CVE reports we get for third party libraries and 
cross-checking the NVD details with library bug reports and source code commits 
to see if they are resolved.

Yes, we don't ship the tiffcrop utility - so the tiffcrop CVE in CVE-2022-3570 
is not a concern.  But a large customer reported 16 additional libtiff CVEs to 
us, and I already determined a subset of these are in core libtiff source code 
and most are already fixed in the master branch.  Thus we'd like to know if 
libtiff has a timeframe for a release with these fixes so we can let the 
customer know.  I can provide all the 16 CVE numbers and my findings on each of 
them if that helps.

Thanks!

From: Bob Friesenhahn 
Sent: Monday, November 7, 2022 6:41 PM
To: Ellen Johnson 
Cc: tiff@lists.osgeo.org
Subject: Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

On Mon, 7 Nov 2022, Ellen Johnson wrote:

> Thank you Kurt. And thank you to all the libtiff developers. Kurt,
> thanks for your suggestion about using libtiff from head as you do
> for Google and it would be great if we could do that too. However
> here at MathWorks our product security team requires us to use
> official library releases. Only under rare circumstances would we
> be able to obtain an exception for this policy.

FYI, more often than not, the libtiff project does not know CVE
numbers for issues which were solved. Often CVEs are issued after the
problems were solved and developers may be unaware of that. The
wording of CVEs is intentionally vague. The libtiff project does not
have a CVE tracking facility.

The project does have control over when it creates new releases.

The 'tiffcrop' utility is included with libtiff, but it is not part of
the libtiff library itself. If you don't provide it to your product's
users, then there is no risk due to it.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
___
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff


Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-07 Thread Bob Friesenhahn

On Mon, 7 Nov 2022, Ellen Johnson wrote:

> Thank you Kurt.  And thank you to all the libtiff developers. Kurt, 
> thanks for your suggestion about using libtiff from head as you do 
> for Google and it would be great if we could do that too.  However 
> here at MathWorks our product security team requires us to use 
> official library releases.  Only under rare circumstances would we 
> be able to obtain an exception for this policy.


FYI, more often than not, the libtiff project does not know CVE 
numbers for issues which were solved.  Often CVEs are issued after the 
problems were solved and developers may be unaware of that.  The 
wording of CVEs is intentionally vague.  The libtiff project does not 
have a CVE tracking facility.


The project does have control over when it creates new releases.

The 'tiffcrop' utility is included with libtiff, but it is not part of 
the libtiff library itself.  If you don't provide it to your product's 
users, then there is no risk due to it.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt


Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-07 Thread Ellen Johnson
Thank you Kurt.  And thank you to all the libtiff developers.
Kurt, thanks for your suggestion about using libtiff from head as you do for 
Google and it would be great if we could do that too.  However here at 
MathWorks our product security team requires us to use official library 
releases.  Only under rare circumstances would we be able to obtain an 
exception for this policy.

From: Jeff Breidenbach 
Sent: Friday, November 4, 2022 7:12 PM
To: Kurt Schwehr 
Cc: Ellen Johnson ; tiff@lists.osgeo.org
Subject: Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

And thank you, Kurt.

On Fri, Nov 4, 2022 at 4:10 PM Kurt Schwehr <schw...@gmail.com> wrote:
Hi Ellen,

A side note:  (I'm pretty sure I've shared this in the past, but I can't 
remember where)

I use libtiff from head for Google.  That way...

- can report any troubles right away back to the maintainers and reports and 
patches are easier
- usually ahead of the CVE game.  CVEs have not been helpful to me
- There are enough tests in our system that each update does a pretty good job 
of exercising libtiff.  While MatLab isn't the size of google3, it's probably 
big enough to have good confidence in deploying tiff from head.
- I have a pretty large fuzzer generated corpus that gets checked daily in asan 
and msan mode.  It's not hard to make your own corpus e.g. 
gtiff_fuzzer.cc (https://github.com/schwehr/gdal-autotest2/blob/master/cpp/frmts/gtiff/gtiff_fuzzer.cc), 
which is apache 2.0 licensed, and the fuzzers in the gdal code base.
- never have to ask for a point release

As always, thanks to everyone who contributes to libtiff!

-kurt


On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson <ell...@mathworks.com> wrote:
Hi Su and libtiff folks,
  We just received a slew of 16 libtiff CVEs reported to us by a large customer 
– this is in addition to CVE-2022-3570 I previously wrote about.  I see most of 
these CVEs are fixed in the libtiff master branch but not yet in an official 
release.
  I have two questions:

  1.  Can anyone provide an update on an estimated release timeframe for a 
libtiff version (presumably 4.5.0) containing all the CVE fixes that have been 
successfully integrated into libtiff master branch since release of 4.4.0?
  2.  For newly reported CVE-2022-34266 in 
https://nvd.nist.gov/vuln/detail/CVE-2022-34266:
  I’m confused about this one.  It states there’s a vulnerability in 
TIFFFetchStripThing in tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package 
for LibTIFF on Amazon Linux 2, and states it’s a different vulnerability than 
CVE-2022-0562.  The NVD report for CVE-2022-34266 doesn’t contain any links to 
a libtiff GitLab issue describing the vulnerability, but I do see that the 
libtiff fix for CVE-2022-0562 was released in 4.4.0.  Can you please let me 
know if CVE-2022-34266 is a new vulnerability that’s different from 
CVE-2022-0562 as stated in the NVD CVE report?
  Thank you,
ellen

From: Ellen Johnson
Sent: Wednesday, October 26, 2022 5:50 PM
To: Sulau <su...@freenet.de>; tiff@lists.osgeo.org
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Su,
  Thank you so much for clarifying.
  Do you have an estimate on the timeframe for release of 4.5.0?
  Thanks,
 ellen

From: Sulau <su...@freenet.de>
Sent: Wednesday, October 26, 2022 4:51 PM
To: tiff@lists.osgeo.org
Cc: Ellen Johnson <ell...@mathworks.com>
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Ellen,

issues 381 and 386 are fixed and related MR is merged into the master branch 
one week ago. So they will probably be released with next version 4.5.0

Regards,
Su

From: Tiff [mailto:tiff-boun...@lists.osgeo.org] On behalf of Ellen Johnson
Sent: Monday, 24 October 2022 19:05
To: tiff@lists.osgeo.org
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

  I’m confused about the new CVE reported in libtiff >= 4.4.0 related to the 
previous CVEs in tiffcrop.c.  There’s a lot of comments in the GitLab issues 
and I’m trying to detangle whether this is fixed in 4.4.0, or in the master 
branch waiting to be released into a new libtiff version, or still open and not 
yet merged into any branch.
NVD link:  https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue:  https://gitlab.com/gitlab-org/cves/-/issues/479

  From the GitLab posts and merge requests, it looks like it’s related to the 
previous CVEs fixed in 
https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
  In these two GitLab issues, the CVE reporter is say

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Jeff Breidenbach
And thank you, Kurt.

On Fri, Nov 4, 2022 at 4:10 PM Kurt Schwehr  wrote:

> Hi Ellen,
>
> A side note:  (I'm pretty sure I've shared this in the past, but I can't
> remember where)
>
> I use libtiff from head for Google.  That way...
>
> - can report any troubles right away back to the maintainers and reports
> and patches are easier
> - usually ahead of the CVE game.  CVEs have not been helpful to me
> - There are enough tests in our system that each update does a pretty good
> job of exercising libtiff.  While MatLab isn't the size of google3, it's
> probably big enough to have good confidence in deploying tiff from head.
> - I have a pretty large fuzzer generated corpus that gets checked daily in
> asan and msan mode.  It's not hard to make your own corpus e.g.
> gtiff_fuzzer.cc
> <https://github.com/schwehr/gdal-autotest2/blob/master/cpp/frmts/gtiff/gtiff_fuzzer.cc>,
> which is apache 2.0 licensed, and the fuzzers in the gdal code base.
> - never have to ask for a point release
>
> As always, thanks to everyone who contributes to libtiff!
>
> -kurt
>
>
> On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson  wrote:
>
>> Hi Su and libtiff folks,
>>
>>   We just received a slew of 16 libtiff CVEs reported to us by a large
>> customer – this is in addition to CVE-2022-3570 I previously wrote about.
>> I see most of these CVEs are fixed in the libtiff master branch but not yet
>> in an official release.
>>
>>   I have two questions:
>>
>>1. Can anyone provide an update on an estimated release timeframe for
>>a libtiff version (presumably 4.5.0) containing all the CVE fixes that 
>> have
>>been successfully integrated into libtiff master branch since release of
>>4.4.0?
>>2. For newly reported CVE-2022-34266 in
>>https://nvd.nist.gov/vuln/detail/CVE-2022-34266:  I’m confused about
>>this one.  It states there’s a vulnerability in TIFFFetchStripThing in
>>tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF
>>on Amazon Linux 2, and states it’s a different vulnerability than
>>CVE-2022-0562.  The NVD report for CVE-2022-34266 doesn’t contain any 
>> links
>>to a libtiff GitLab issue describing the vulnerability, but I do see that
>>the libtiff fix for CVE-2022-0562 was released in 4.4.0.  Can you please
>>let me know if CVE-2022-34266 is a new vulnerability that’s different from
>>    CVE-2022-0562 as stated in the NVD CVE report?
>>
>>   Thank you,
>>
>> ellen
>>
>>
>>
>> *From:* Ellen Johnson
>> *Sent:* Wednesday, October 26, 2022 5:50 PM
>> *To:* Sulau ; tiff@lists.osgeo.org
>> *Subject:* RE: [Tiff] clarification on the fix status for new
>> CVE-2022-3570?
>>
>>
>>
>> Hi Su,
>>
>>   Thank you so much for clarifying.
>>
>>   Do you have an estimate on the timeframe for release of 4.5.0?
>>
>>   Thanks,
>>
>>  ellen
>>
>>
>>
>> *From:* Sulau 
>> *Sent:* Wednesday, October 26, 2022 4:51 PM
>> *To:* tiff@lists.osgeo.org
>> *Cc:* Ellen Johnson 
>> *Subject:* RE: [Tiff] clarification on the fix status for new
>> CVE-2022-3570?
>>
>>
>>
>> Hi Ellen,
>>
>>
>>
>> issues 381 and 386 are fixed and related MR is merged into the master
>> branch one week ago. So they will probably be released with next version
>> 4.5.0
>>
>>
>>
>> Regards,
>>
>> Su
>>
>>
>>
>> *From:* Tiff [mailto:tiff-boun...@lists.osgeo.org] *On behalf of *Ellen Johnson
>> *Sent:* Monday, 24 October 2022 19:05
>> *To:* tiff@lists.osgeo.org
>> *Subject:* [Tiff] clarification on the fix status for new CVE-2022-3570?
>>
>>
>>
>> Hi libtiff developers,
>>
>>
>>
>>   I’m confused about the new CVE reported in libtiff >= 4.4.0 related to
>> the previous CVEs in tiffcrop.c.  There’s a lot of comments in the GitLab
>> issues and I’m trying to detangle whether this is fixed in 4.4.0, or in the
>> master branch waiting to be released into a new libtiff version, or still
>> open and not yet merged into any branch.
>>
>> NVD link:  https://nvd.nist.gov/vuln/detail/CVE-2022-3570
>>
>> Related libtiff GitLab issue:
>> https://gitlab.com/gitlab-org/cves/-/issues/479
>>
>>
>>
>>   From the GitLab posts and merge requests, it looks like it’s related to
>> the previous CVEs fixed in
>> https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
>>
>>   In these t

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Kurt Schwehr
Hi Ellen,

A side note:  (I'm pretty sure I've shared this in the past, but I can't
remember where)

I use libtiff from head for Google.  That way...

- can report any troubles right away back to the maintainers and reports
and patches are easier
- usually ahead of the CVE game.  CVEs have not been helpful to me
- There are enough tests in our system that each update does a pretty good
job of exercising libtiff.  While MatLab isn't the size of google3, it's
probably big enough to have good confidence in deploying tiff from head.
- I have a pretty large fuzzer generated corpus that gets checked daily in
asan and msan mode.  It's not hard to make your own corpus e.g.
gtiff_fuzzer.cc
<https://github.com/schwehr/gdal-autotest2/blob/master/cpp/frmts/gtiff/gtiff_fuzzer.cc>,
which is apache 2.0 licensed, and the fuzzers in the gdal code base.
- never have to ask for a point release

As always, thanks to everyone who contributes to libtiff!

-kurt


On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson  wrote:

> Hi Su and libtiff folks,
>
>   We just received a slew of 16 libtiff CVEs reported to us by a large
> customer – this is in addition to CVE-2022-3570 I previously wrote about.
> I see most of these CVEs are fixed in the libtiff master branch but not yet
> in an official release.
>
>   I have two questions:
>
>1. Can anyone provide an update on an estimated release timeframe for
>a libtiff version (presumably 4.5.0) containing all the CVE fixes that have
>been successfully integrated into libtiff master branch since release of
>4.4.0?
>2. For newly reported CVE-2022-34266 in
>https://nvd.nist.gov/vuln/detail/CVE-2022-34266:  I’m confused about
>this one.  It states there’s a vulnerability in TIFFFetchStripThing in
>tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on
>Amazon Linux 2, and states it’s a different vulnerability than
>CVE-2022-0562.  The NVD report for CVE-2022-34266 doesn’t contain any links
>to a libtiff GitLab issue describing the vulnerability, but I do see that
>the libtiff fix for CVE-2022-0562 was released in 4.4.0.  Can you please
>let me know if CVE-2022-34266 is a new vulnerability that’s different from
>CVE-2022-0562 as stated in the NVD CVE report?
>
>   Thank you,
>
> ellen
>
>
>
> *From:* Ellen Johnson
> *Sent:* Wednesday, October 26, 2022 5:50 PM
> *To:* Sulau ; tiff@lists.osgeo.org
> *Subject:* RE: [Tiff] clarification on the fix status for new
> CVE-2022-3570?
>
>
>
> Hi Su,
>
>   Thank you so much for clarifying.
>
>   Do you have an estimate on the timeframe for release of 4.5.0?
>
>   Thanks,
>
>  ellen
>
>
>
> *From:* Sulau 
> *Sent:* Wednesday, October 26, 2022 4:51 PM
> *To:* tiff@lists.osgeo.org
> *Cc:* Ellen Johnson 
> *Subject:* RE: [Tiff] clarification on the fix status for new
> CVE-2022-3570?
>
>
>
> Hi Ellen,
>
>
>
> issues 381 and 386 are fixed and related MR is merged into the master
> branch one week ago. So they will probably be released with next version
> 4.5.0
>
>
>
> Regards,
>
> Su
>
>
>
> *From:* Tiff [mailto:tiff-boun...@lists.osgeo.org] *On behalf of *Ellen Johnson
> *Sent:* Monday, 24 October 2022 19:05
> *To:* tiff@lists.osgeo.org
> *Subject:* [Tiff] clarification on the fix status for new CVE-2022-3570?
>
>
>
> Hi libtiff developers,
>
>
>
>   I’m confused about the new CVE reported in libtiff >= 4.4.0 related to
> the previous CVEs in tiffcrop.c.  There’s a lot of comments in the GitLab
> issues and I’m trying to detangle whether this is fixed in 4.4.0, or in the
> master branch waiting to be released into a new libtiff version, or still
> open and not yet merged into any branch.
>
> NVD link:  https://nvd.nist.gov/vuln/detail/CVE-2022-3570
>
> Related libtiff GitLab issue:
> https://gitlab.com/gitlab-org/cves/-/issues/479
>
>
>
>   From the GitLab posts and merge requests, it looks like it’s related to
> the previous CVEs fixed in
> https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
>
>   In these two GitLab issues, the CVE reporter is saying they are still
> open issues in 4.4.0:
>
> https://gitlab.com/libtiff/libtiff/-/issues/381
>
> https://gitlab.com/libtiff/libtiff/-/issues/386
>
>
>
>   Can you please advise on the fix status for
> https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
>
>   Thank you!
>
>  ellen
>
>
>


Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Ellen Johnson
Hi Su and libtiff folks,
  We just received a slew of 16 libtiff CVEs reported to us by a large customer 
- this is in addition to CVE-2022-3570 I previously wrote about.  I see most of 
these CVEs are fixed in the libtiff master branch but not yet in an official 
release.
  I have two questions:

  1.  Can anyone provide an update on an estimated release timeframe for a 
libtiff version (presumably 4.5.0) containing all the CVE fixes that have been 
successfully integrated into libtiff master branch since release of 4.4.0?
  2.  For newly reported CVE-2022-34266 in 
https://nvd.nist.gov/vuln/detail/CVE-2022-34266:  I'm confused about this one.  
It states there's a vulnerability in TIFFFetchStripThing in tif_dirread.c in 
the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2, and 
states it's a different vulnerability than CVE-2022-0562.  The NVD report for 
CVE-2022-34266 doesn't contain any links to a libtiff GitLab issue describing 
the vulnerability, but I do see that the libtiff fix for CVE-2022-0562 was 
released in 4.4.0.  Can you please let me know if CVE-2022-34266 is a new 
vulnerability that's different from CVE-2022-0562 as stated in the NVD CVE 
report?
  Thank you,
ellen

From: Ellen Johnson
Sent: Wednesday, October 26, 2022 5:50 PM
To: Sulau ; tiff@lists.osgeo.org
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Su,
  Thank you so much for clarifying.
  Do you have an estimate on the timeframe for release of 4.5.0?
  Thanks,
 ellen

From: Sulau <su...@freenet.de>
Sent: Wednesday, October 26, 2022 4:51 PM
To: tiff@lists.osgeo.org
Cc: Ellen Johnson <ell...@mathworks.com>
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Ellen,

issues 381 and 386 are fixed and related MR is merged into the master branch 
one week ago. So they will probably be released with next version 4.5.0

Regards,
Su

From: Tiff [mailto:tiff-boun...@lists.osgeo.org] On behalf of Ellen Johnson
Sent: Monday, 24 October 2022 19:05
To: tiff@lists.osgeo.org
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

  I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the 
previous CVEs in tiffcrop.c.  There's a lot of comments in the GitLab issues 
and I'm trying to detangle whether this is fixed in 4.4.0, or in the master 
branch waiting to be released into a new libtiff version, or still open and not 
yet merged into any branch.
NVD link:  https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue:  https://gitlab.com/gitlab-org/cves/-/issues/479

  From the GitLab posts and merge requests, it looks like it's related to the 
previous CVEs fixed in 
https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
  In these two GitLab issues, the CVE reporter is saying they are still open 
issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381

https://gitlab.com/libtiff/libtiff/-/issues/386

  Can you please advise on the fix status for 
https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
  Thank you!
 ellen



Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-10-26 Thread Ellen Johnson
Hi Su,
  Thank you so much for clarifying.
  Do you have an estimate on the timeframe for release of 4.5.0?
  Thanks,
 ellen

From: Sulau 
Sent: Wednesday, October 26, 2022 4:51 PM
To: tiff@lists.osgeo.org
Cc: Ellen Johnson 
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Ellen,

issues 381 and 386 are fixed and related MR is merged into the master branch 
one week ago. So they will probably be released with next version 4.5.0

Regards,
Su

From: Tiff [mailto:tiff-boun...@lists.osgeo.org] On behalf of Ellen Johnson
Sent: Monday, 24 October 2022 19:05
To: tiff@lists.osgeo.org
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

  I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the 
previous CVEs in tiffcrop.c.  There's a lot of comments in the GitLab issues 
and I'm trying to detangle whether this is fixed in 4.4.0, or in the master 
branch waiting to be released into a new libtiff version, or still open and not 
yet merged into any branch.
NVD link:  
https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue:  
https://gitlab.com/gitlab-org/cves/-/issues/479

  From the GitLab posts and merge requests, it looks like it's related to the 
previous CVEs fixed in 
https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
  In these two GitLab issues, the CVE reporter is saying they are still open 
issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381

https://gitlab.com/libtiff/libtiff/-/issues/386

  Can you please advise on the fix status for 
https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
  Thank you!
 ellen



Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-10-26 Thread Sulau
Hi Ellen,

issues 381 and 386 are fixed and related MR is merged into the master branch
one week ago. So they will probably be released with next version 4.5.0

Regards,
Su


From: Tiff [mailto:tiff-boun...@lists.osgeo.org] On behalf of Ellen Johnson
Sent: Monday, 24 October 2022 19:05
To: tiff@lists.osgeo.org
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

  I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the
previous CVEs in tiffcrop.c.  There's a lot of comments in the GitLab issues
and I'm trying to detangle whether this is fixed in 4.4.0, or in the master
branch waiting to be released into a new libtiff version, or still open and
not yet merged into any branch.

NVD link:  https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue:  https://gitlab.com/gitlab-org/cves/-/issues/479

  From the GitLab posts and merge requests, it looks like it's related to
the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382.

  In these two GitLab issues, the CVE reporter is saying they are still open
issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386

  Can you please advise on the fix status for
https://nvd.nist.gov/vuln/detail/CVE-2022-3570?

  Thank you!
 ellen

