Hi libtiff developers,

I'm confused about the new CVE reported in libtiff >= 4.4.0 that is related to the previous CVEs in tiffcrop.c. There are a lot of comments in the GitLab issues and I'm trying to disentangle whether this is fixed in 4.4.0, or in the master branch waiting to be released in a new libtiff version, or still open and not yet merged into any branch.

NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479
From the GitLab posts and merge requests, it looks like it's related to the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382. In these two GitLab issues, the CVE reporter is saying they are still open issues in 4.4.0:
https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386

Can you please advise on the fix status for https://nvd.nist.gov/vuln/detail/CVE-2022-3570

Thank you!
ellen
_______________________________________________ Tiff mailing list Tiff@lists.osgeo.org https://lists.osgeo.org/mailman/listinfo/tiff