On 4/9/24 8:49 AM, Michael Vetter via Tiff wrote:
> Now "http://www.libtiff.org/" leads to the latest libtiff HTML pages, and the same
> server/directory which already provides "http://www.simplesystems.org/libtiff/".
> With some differences though.
> The biggest probably being that http://www.libtiff.org advertises a
> version 4.6.0t with all the tools restored. If I see it right it
> doesn't fix all the CVEs in those tools though.

Which CVEs have not been addressed? I was only instructed to address a
specific list of bug reports. If the CVEs were not in those bug
reports, then there may be others yet to address.

> I believe this can be quite confusing to potential users of tiff.
> Wouldn't it have been better to first fix the CVEs and then create a
> new release? Or at least add a note/warning?

Yes, it was certainly confusing to have the tools suddenly removed from
the 4.6.0 release.

> The 4.6.0t changelog (http://libtiff.org/releases/v4.6.0t.html)
> doesn't give much insight either with entries like:
>
>   Fix some issues in library found through fuzzing.
>   Prevent some out-of-memory attacks.

The git logs are available from the git repositories. It's a lot to
summarize in the ChangeLog in a productive way.

> Maybe this helps the people who would like to bring the tools back and
> want to take the route of creating a separate tools package.

The tools shouldn't need to be brought back in the first place. But if
you want to develop a separate tools package, then I don't object to it.
Thanks,
Lee.
_______________________________________________
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff