Hi libtiff developers,
I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the
previous CVEs in tiffcrop.c. There are a lot of comments in the GitLab issues,
and I'm trying to detangle whether this is fixed in 4.4.0, or in the master
branch waiting to be released into a new libtiff version, or still open and not
yet merged into any branch.
NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue:
https://gitlab.com/gitlab-org/cves/-/issues/479
From the GitLab posts and merge requests, it looks like it's related to the
previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
In these two GitLab issues, the CVE reporter is saying they are still open
issues in 4.4.0:
https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386
Can you please advise on the fix status for
https://nvd.nist.gov/vuln/detail/CVE-2022-3570 ?
Thank you!
ellen
_______________________________________________
Tiff mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/tiff