Hi Su,
  Thank you so much for clarifying.
  Do you have an estimate on the timeframe for release of 4.5.0?
  Thanks,
     ellen

From: Sulau <su...@freenet.de>
Sent: Wednesday, October 26, 2022 4:51 PM
To: tiff@lists.osgeo.org
Cc: Ellen Johnson <ell...@mathworks.com>
Subject: AW: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Ellen,

Issues 381 and 386 are fixed and the related MR was merged into the master branch 
one week ago. So they will probably be released with the next version, 4.5.0.

Regards,
Su

From: Tiff [mailto:tiff-boun...@lists.osgeo.org] On behalf of Ellen Johnson
Sent: Monday, October 24, 2022 19:05
To: tiff@lists.osgeo.org
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

  I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the 
previous CVEs in tiffcrop.c.  There are a lot of comments in the GitLab issues 
and I'm trying to untangle whether this is fixed in 4.4.0, or in the master 
branch waiting to be released into a new libtiff version, or still open and not 
yet merged into any branch.
    NVD link:  
https://nvd.nist.gov/vuln/detail/CVE-2022-3570
    Related libtiff GitLab issue:  
https://gitlab.com/gitlab-org/cves/-/issues/479

  From the GitLab posts and merge requests, it looks like it's related to the 
previous CVEs fixed in 
https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
  In these two GitLab issues, the CVE reporter is saying they are still open 
issues in 4.4.0:
    https://gitlab.com/libtiff/libtiff/-/issues/381
    https://gitlab.com/libtiff/libtiff/-/issues/386

  Can you please advise on the fix status for 
https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
  Thank you!
     ellen

_______________________________________________
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff