Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-07 Thread Ellen Johnson
:41 PM To: Ellen Johnson Cc: tiff@lists.osgeo.org Subject: Re: [Tiff] clarification on the fix status for new CVE-2022-3570? On Mon, 7 Nov 2022, Ellen Johnson wrote: > Thank you Kurt. And thank you to all the libtiff developers. Kurt, > thanks for your suggestion about using libtiff fro

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-07 Thread Bob Friesenhahn
On Mon, 7 Nov 2022, Ellen Johnson wrote: Thank you Kurt. And thank you to all the libtiff developers. Kurt, thanks for your suggestion about using libtiff from head as you do for Google and it would be great if we could do that too. However here at MathWorks our product security team

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-07 Thread Ellen Johnson
. Only under rare circumstances would we be able to obtain an exception for this policy. From: Jeff Breidenbach Sent: Friday, November 4, 2022 7:12 PM To: Kurt Schwehr Cc: Ellen Johnson ; tiff@lists.osgeo.org Subject: Re: [Tiff] clarification on the fix status for new CVE-2022-3570? And thank you

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Jeff Breidenbach
ibing the vulnerability, but I do see that >>the libtiff fix for CVE-2022-0562 was released in 4.4.0. Can you please >>let me know if CVE-2022-34266 is a new vulnerability that’s different from >> CVE-2022-0562 as stated in the NVD CVE report? >> >

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Kurt Schwehr
> > > *From:* Ellen Johnson > *Sent:* Wednesday, October 26, 2022 5:50 PM > *To:* Sulau ; tiff@lists.osgeo.org > *Subject:* RE: [Tiff] clarification on the fix status for new > CVE-2022-3570? > > > > Hi Su, > > Thank you so much for clarifying. > >

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-11-04 Thread Ellen Johnson
report? Thank you, ellen From: Ellen Johnson Sent: Wednesday, October 26, 2022 5:50 PM To: Sulau ; tiff@lists.osgeo.org Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570? Hi Su, Thank you so much for clarifying. Do you have an estimate on the timeframe for release

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-10-26 Thread Ellen Johnson
To: tiff@lists.osgeo.org Subject: [Tiff] clarification on the fix status for new CVE-2022-3570? Hi libtiff developers, I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There's a lot of comments in t

Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

2022-10-26 Thread Sulau
:05 To: tiff@lists.osgeo.org Subject: [Tiff] clarification on the fix status for new CVE-2022-3570? Hi libtiff developers, I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There's a lot of comments in the GitLab issues and I'm try

[Tiff] clarification on the fix status for new CVE-2022-3570?

2022-10-24 Thread Ellen Johnson
Hi libtiff developers, I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There's a lot of comments in the GitLab issues and I'm trying to detangle whether this is fixed in 4.4.0, or in the master branch waiting to be released into a new