Thank you, Kurt. And thank you to all the libtiff developers. Kurt, thanks for your suggestion about using libtiff from head as you do for Google; it would be great if we could do that too. However, here at MathWorks our product security team requires us to use official library releases. Only under rare circumstances would we be able to obtain an exception to this policy.
From: Jeff Breidenbach <breidenb...@gmail.com>
Sent: Friday, November 4, 2022 7:12 PM
To: Kurt Schwehr <schw...@gmail.com>
Cc: Ellen Johnson <ell...@mathworks.com>; tiff@lists.osgeo.org
Subject: Re: [Tiff] clarification on the fix status for new CVE-2022-3570?

And thank you, Kurt.

On Fri, Nov 4, 2022 at 4:10 PM Kurt Schwehr <schw...@gmail.com> wrote:

Hi Ellen,

A side note: (I'm pretty sure I've shared this in the past, but I can't remember where) I use libtiff from head for Google. That way...

- can report any troubles right away back to the maintainers, and reports and patches are easier
- usually ahead of the CVE game. CVEs have not been helpful to me
- There are enough tests in our system that each update does a pretty good job of exercising libtiff. While MatLab isn't the size of google3, it's probably big enough to have good confidence in deploying tiff from head.
- I have a pretty large fuzzer-generated corpus that gets checked daily in asan and msan mode. It's not hard to make your own corpus, e.g. gtiff_fuzzer.cc (https://github.com/schwehr/gdal-autotest2/blob/master/cpp/frmts/gtiff/gtiff_fuzzer.cc), which is Apache 2.0 licensed, and the fuzzers in the gdal code base.
- never have to ask for point releases

As always, thanks to everyone who contributes to libtiff!

-kurt

On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson <ell...@mathworks.com> wrote:

Hi Su and libtiff folks,

We just received a slew of 16 libtiff CVEs reported to us by a large customer – this is in addition to CVE-2022-3570, which I previously wrote about. I see most of these CVEs are fixed in the libtiff master branch but not yet in an official release. I have two questions:

1. Can anyone provide an update on an estimated release timeframe for a libtiff version (presumably 4.5.0) containing all the CVE fixes that have been successfully integrated into the libtiff master branch since the release of 4.4.0?

2. For newly reported CVE-2022-34266 (https://nvd.nist.gov/vuln/detail/CVE-2022-34266): I'm confused about this one. It states there's a vulnerability in TIFFFetchStripThing in tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2, and states it's a different vulnerability than CVE-2022-0562. The NVD report for CVE-2022-34266 doesn't contain any links to a libtiff GitLab issue describing the vulnerability, but I do see that the libtiff fix for CVE-2022-0562 was released in 4.4.0. Can you please let me know if CVE-2022-34266 is a new vulnerability that's different from CVE-2022-0562, as stated in the NVD CVE report?

Thank you,
ellen

From: Ellen Johnson
Sent: Wednesday, October 26, 2022 5:50 PM
To: Sulau <su...@freenet.de>; tiff@lists.osgeo.org
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Su,

Thank you so much for clarifying. Do you have an estimate on the timeframe for the release of 4.5.0?

Thanks,
ellen

From: Sulau <su...@freenet.de>
Sent: Wednesday, October 26, 2022 4:51 PM
To: tiff@lists.osgeo.org
Cc: Ellen Johnson <ell...@mathworks.com>
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Ellen,

Issues 381 and 386 are fixed, and the related MR was merged into the master branch one week ago. So they will probably be released with the next version, 4.5.0.

Regards,
Su

From: Tiff [mailto:tiff-boun...@lists.osgeo.org] On Behalf Of Ellen Johnson
Sent: Monday, 24 October 2022 19:05
To: tiff@lists.osgeo.org
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There are a lot of comments in the GitLab issues, and I'm trying to detangle whether this is fixed in 4.4.0, or in the master branch waiting to be released into a new libtiff version, or still open and not yet merged into any branch.

NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479

From the GitLab posts and merge requests, it looks like it's related to the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382. In these two GitLab issues, the CVE reporter is saying they are still open issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386

Can you please advise on the fix status for https://nvd.nist.gov/vuln/detail/CVE-2022-3570?

Thank you!
ellen

_______________________________________________
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff