Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Jeff Breidenbach 
And thank you, Kurt.

On Fri, Nov 4, 2022 at 4:10 PM Kurt Schwehr  wrote:

> Hi Ellen,
>
> A side note:  (I'm pretty sure I've shared this in the past, but I can't
> remember where)
>
> I use libtiff from head for Google.  That way...
>
> - can report any troubles right away back to the maintainers and reports
> and patches are easier
> - usually ahead of the CVE game.  CVEs have not been helpful to me
> - There are enough tests in our system that each update does a pretty good
> job of exercising libtiff.  While MatLab isn't the size of google3, it's
> probably big enough to have good confidence in deploying tiff from head.
> - I have a pretty large fuzzer generated corpus that gets checked daily in
> asan and msan mode.  It's not hard to make your own corpus e.g.
> gtiff_fuzzer.cc
> 
>  which
> is apache 2.0 licensed and the fuzzers in the gdal code base.
> - never have to ask for a point releases
>
> As always, thanks to everyone who contributes to libtiff!
>
> -kurt
>
>
> On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson  wrote:
>
>> Hi Su and libtiff folks,
>>
>>   We just received a slew of 16 libtiff CVEs reported to us by a large
>> customer – this is in addition to CVE-2022-3570 I previously wrote about.
>> I see most of these CVEs are fixed in the libtiff master branch but not yet
>> in an official release.
>>
>>   I have two questions:
>>
>>1. Can anyone provide an update on an estimated release timeframe for
>>a libtiff version (presumably 4.5.0) containing all the CVE fixes that 
>> have
>>been successfully integrated into libtiff master branch since release of
>>4.4.0?
>>2. For newly reported CVE-2022-34266 in
>>https://nvd.nist.gov/vuln/detail/CVE-2022-34266:  I’m confused about
>>this one.  It states there’s a vulneratbility in TIFFFetchStripThing in
>>tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF
>>on Amazon Linux 2, and states it’s a different vulnerability than
>>CVE-2022-0562.  The NVD report for CVE-2022-34266 doesn’t contain any 
>> links
>>to a libtiff GitLab issue describing the vulnerability, but I do see that
>>the libtiff fix for CVE-2022-0562 was released in 4.4.0.  Can you please
>>let me know if CVE-2022-34266 is a new vulnerability that’s different from
>>CVE-2022-0562 as stated in the NVD CVE report?
>>
>>   Thank you,
>>
>> ellen
>>
>>
>>
>> *From:* Ellen Johnson
>> *Sent:* Wednesday, October 26, 2022 5:50 PM
>> *To:* Sulau ; tiff@lists.osgeo.org
>> *Subject:* RE: [Tiff] clarification on the fix status for new
>> CVE-2022-3570?
>>
>>
>>
>> Hi Su,
>>
>>   Thank you so much for clarifying.
>>
>>   Do you have an estimate on the timeframe for release of 4.5.0?
>>
>>   Thanks,
>>
>>  ellen
>>
>>
>>
>> *From:* Sulau 
>> *Sent:* Wednesday, October 26, 2022 4:51 PM
>> *To:* tiff@lists.osgeo.org
>> *Cc:* Ellen Johnson 
>> *Subject:* AW: [Tiff] clarification on the fix status for new
>> CVE-2022-3570?
>>
>>
>>
>> Hi Ellen,
>>
>>
>>
>> issues 381 and 386 are fixed and related MR is merged into the master
>> branch one week ago. So they will probably be released with next version
>> 4.5.0
>>
>>
>>
>> Regards,
>>
>> Su
>>
>>
>>
>> *Von:* Tiff [mailto:tiff-boun...@lists.osgeo.org
>> ] *Im Auftrag von *Ellen Johnson
>> *Gesendet:* Montag, 24. Oktober 2022 19:05
>> *An:* tiff@lists.osgeo.org
>> *Betreff:* [Tiff] clarification on the fix status for new CVE-2022-3570?
>>
>>
>>
>> Hi libtiff developers,
>>
>>
>>
>>   I’m confused about the new CVE reported in libtiff >= 4.4.0 related to
>> the previous CVEs in tiffcrop.c.  There’s a lot of comments in the GitLab
>> issues and I’m trying to detangle whether this is fixed in 4.4.0, or in the
>> master branch waiting to be released into a new libtiff version, or still
>> open and not yet merged into any branch.
>>
>> NVD link:  https://nvd.nist.gov/vuln/detail/CVE-2022-3570
>>
>> Related libtiff GitLab issue:
>> https://gitlab.com/gitlab-org/cves/-/issues/479
>>
>>
>>
>>   From the GitLab posts and merge requests, it looks like it’s related to
>> the previous CVEs fixed in
>> https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
>>
>>   In these two GitLab issues, the CVE reporter is saying they are still
>> open issues in 4.4.0:
>>
>> https://gitlab.com/libtiff/libtiff/-/issues/381
>>
>> https://gitlab.com/libtiff/libtiff/-/issues/386
>>
>>
>>
>>   Can you please advise on the fix status for
>> https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
>>
>>   Thank you!
>>
>>  ellen
>>
>>
>> ___
>> Tiff mailing list
>> Tiff@lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/tiff
>>
> ___
> Tiff mailing list
> Tiff@lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/tiff
>
___
Tiff mailing list
Tiff@lists.osgeo.org

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Kurt Schwehr 
Hi Ellen,

A side note:  (I'm pretty sure I've shared this in the past, but I can't
remember where)

I use libtiff from head for Google.  That way...

- can report any troubles right away back to the maintainers and reports
and patches are easier
- usually ahead of the CVE game.  CVEs have not been helpful to me
- There are enough tests in our system that each update does a pretty good
job of exercising libtiff.  While MatLab isn't the size of google3, it's
probably big enough to have good confidence in deploying tiff from head.
- I have a pretty large fuzzer generated corpus that gets checked daily in
asan and msan mode.  It's not hard to make your own corpus e.g.
gtiff_fuzzer.cc

which
is apache 2.0 licensed and the fuzzers in the gdal code base.
- never have to ask for a point releases

As always, thanks to everyone who contributes to libtiff!

-kurt


On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson  wrote:

> Hi Su and libtiff folks,
>
>   We just received a slew of 16 libtiff CVEs reported to us by a large
> customer – this is in addition to CVE-2022-3570 I previously wrote about.
> I see most of these CVEs are fixed in the libtiff master branch but not yet
> in an official release.
>
>   I have two questions:
>
>1. Can anyone provide an update on an estimated release timeframe for
>a libtiff version (presumably 4.5.0) containing all the CVE fixes that have
>been successfully integrated into libtiff master branch since release of
>4.4.0?
>2. For newly reported CVE-2022-34266 in
>https://nvd.nist.gov/vuln/detail/CVE-2022-34266:  I’m confused about
>this one.  It states there’s a vulneratbility in TIFFFetchStripThing in
>tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on
>Amazon Linux 2, and states it’s a different vulnerability than
>CVE-2022-0562.  The NVD report for CVE-2022-34266 doesn’t contain any links
>to a libtiff GitLab issue describing the vulnerability, but I do see that
>the libtiff fix for CVE-2022-0562 was released in 4.4.0.  Can you please
>let me know if CVE-2022-34266 is a new vulnerability that’s different from
>CVE-2022-0562 as stated in the NVD CVE report?
>
>   Thank you,
>
> ellen
>
>
>
> *From:* Ellen Johnson
> *Sent:* Wednesday, October 26, 2022 5:50 PM
> *To:* Sulau ; tiff@lists.osgeo.org
> *Subject:* RE: [Tiff] clarification on the fix status for new
> CVE-2022-3570?
>
>
>
> Hi Su,
>
>   Thank you so much for clarifying.
>
>   Do you have an estimate on the timeframe for release of 4.5.0?
>
>   Thanks,
>
>  ellen
>
>
>
> *From:* Sulau 
> *Sent:* Wednesday, October 26, 2022 4:51 PM
> *To:* tiff@lists.osgeo.org
> *Cc:* Ellen Johnson 
> *Subject:* AW: [Tiff] clarification on the fix status for new
> CVE-2022-3570?
>
>
>
> Hi Ellen,
>
>
>
> issues 381 and 386 are fixed and related MR is merged into the master
> branch one week ago. So they will probably be released with next version
> 4.5.0
>
>
>
> Regards,
>
> Su
>
>
>
> *Von:* Tiff [mailto:tiff-boun...@lists.osgeo.org
> ] *Im Auftrag von *Ellen Johnson
> *Gesendet:* Montag, 24. Oktober 2022 19:05
> *An:* tiff@lists.osgeo.org
> *Betreff:* [Tiff] clarification on the fix status for new CVE-2022-3570?
>
>
>
> Hi libtiff developers,
>
>
>
>   I’m confused about the new CVE reported in libtiff >= 4.4.0 related to
> the previous CVEs in tiffcrop.c.  There’s a lot of comments in the GitLab
> issues and I’m trying to detangle whether this is fixed in 4.4.0, or in the
> master branch waiting to be released into a new libtiff version, or still
> open and not yet merged into any branch.
>
> NVD link:  https://nvd.nist.gov/vuln/detail/CVE-2022-3570
>
> Related libtiff GitLab issue:
> https://gitlab.com/gitlab-org/cves/-/issues/479
>
>
>
>   From the GitLab posts and merge requests, it looks like it’s related to
> the previous CVEs fixed in
> https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
>
>   In these two GitLab issues, the CVE reporter is saying they are still
> open issues in 4.4.0:
>
> https://gitlab.com/libtiff/libtiff/-/issues/381
>
> https://gitlab.com/libtiff/libtiff/-/issues/386
>
>
>
>   Can you please advise on the fix status for
> https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
>
>   Thank you!
>
>  ellen
>
>
> ___
> Tiff mailing list
> Tiff@lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/tiff
>
___
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Ellen Johnson 
Hi Su and libtiff folks,
  We just received a slew of 16 libtiff CVEs reported to us by a large customer 
- this is in addition to CVE-2022-3570 I previously wrote about.  I see most of 
these CVEs are fixed in the libtiff master branch but not yet in an official 
release.
  I have two questions:

  1.  Can anyone provide an update on an estimated release timeframe for a 
libtiff version (presumably 4.5.0) containing all the CVE fixes that have been 
successfully integrated into libtiff master branch since release of 4.4.0?
  2.  For newly reported CVE-2022-34266 in 
https://nvd.nist.gov/vuln/detail/CVE-2022-34266:  I'm confused about this one.  
It states there's a vulneratbility in TIFFFetchStripThing in tif_dirread.c in 
the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2, and 
states it's a different vulnerability than CVE-2022-0562.  The NVD report for 
CVE-2022-34266 doesn't contain any links to a libtiff GitLab issue describing 
the vulnerability, but I do see that the libtiff fix for CVE-2022-0562 was 
released in 4.4.0.  Can you please let me know if CVE-2022-34266 is a new 
vulnerability that's different from CVE-2022-0562 as stated in the NVD CVE 
report?
  Thank you,
ellen

From: Ellen Johnson
Sent: Wednesday, October 26, 2022 5:50 PM
To: Sulau ; tiff@lists.osgeo.org
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Su,
  Thank you so much for clarifying.
  Do you have an estimate on the timeframe for release of 4.5.0?
  Thanks,
 ellen

From: Sulau mailto:su...@freenet.de>>
Sent: Wednesday, October 26, 2022 4:51 PM
To: tiff@lists.osgeo.org
Cc: Ellen Johnson mailto:ell...@mathworks.com>>
Subject: AW: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Ellen,

issues 381 and 386 are fixed and related MR is merged into the master branch 
one week ago. So they will probably be released with next version 4.5.0

Regards,
Su

Von: Tiff [mailto:tiff-boun...@lists.osgeo.org] Im Auftrag von Ellen Johnson
Gesendet: Montag, 24. Oktober 2022 19:05
An: tiff@lists.osgeo.org
Betreff: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

  I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the 
previous CVEs in tiffcrop.c.  There's a lot of comments in the GitLab issues 
and I'm trying to detangle whether this is fixed in 4.4.0, or in the master 
branch waiting to be released into a new libtiff version, or still open and not 
yet merged into any branch.
NVD link:  
https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue:  
https://gitlab.com/gitlab-org/cves/-/issues/479

  From the GitLab posts and merge requests, it looks like it's related to the 
previous CVEs fixed in 
https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
  In these two GitLab issues, the CVE reporter is saying they are still open 
issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381

https://gitlab.com/libtiff/libtiff/-/issues/386

  Can you please advise on the fix status for 
https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
  Thank you!
 ellen

___
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff