Thank you Bob for explaining more about libtiff and security fixes.  Believe 
me, I feel libtiff developers' pain with CVEs, as we have a challenging time 
keeping up with all the CVE reports we get for third party libraries and 
cross-checking the NVD details with library bug reports and source code commits 
to see if they are resolved.

Yes, we don't ship the tiffcrop utility - so the tiffcrop CVE in CVE-2022-3570 
is not a concern.  But a large customer reported 16 additional libtiff CVEs to 
us, and I already determined a subset of these are in core libtiff source code 
and most are already fixed in the master branch.  Thus we'd like to know if 
libtiff has a timeframe for a release with these fixes so we can let the 
customer know.  I can provide all the 16 CVE numbers and my findings on each of 
them if that helps.

Thanks!

From: Bob Friesenhahn <bfrie...@simple.dallas.tx.us>
Sent: Monday, November 7, 2022 6:41 PM
To: Ellen Johnson <ell...@mathworks.com>
Cc: tiff@lists.osgeo.org
Subject: Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

On Mon, 7 Nov 2022, Ellen Johnson wrote:

> Thank you Kurt. And thank you to all the libtiff developers. Kurt,
> thanks for your suggestion about using libtiff from head as you do
> for Google and it would be great if we could do that too. However
> here at MathWorks our product security team requires us to use
> official library releases. Only under rare circumstances would we
> be able to obtain an exception for this policy.

FYI, more often than not, the libtiff project does not know CVE
numbers for issues which were solved. Often CVEs are issued after the
problems were solved and developers may be unaware of that. The
wording of CVEs is intentionally vague. The libtiff project does not
have a CVE tracking facility.

The project does have control over when it creates new releases.

The 'tiffcrop' utility is included with libtiff, but it is not part of
the libtiff library itself. If you don't provide it to your product's
users, then there is no risk due to it.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
_______________________________________________
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff
