Hi Ellen,

Issues 381 and 386 are fixed and the related MR was merged into the master branch
one week ago. So they will probably be released with the next version, 4.5.0.

Regards,

Su

From: Tiff [mailto:tiff-boun...@lists.osgeo.org] On Behalf Of Ellen Johnson
Sent: Monday, 24 October 2022 19:05
To: tiff@lists.osgeo.org
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the
previous CVEs in tiffcrop.c. There are a lot of comments in the GitLab issues
and I'm trying to detangle whether this is fixed in 4.4.0, or in the master
branch waiting to be released into a new libtiff version, or still open and
not yet merged into any branch.

NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570

Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479

From the GitLab posts and merge requests, it looks like it's related to
the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382.

In these two GitLab issues, the CVE reporter is saying they are still open
issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381

https://gitlab.com/libtiff/libtiff/-/issues/386

Can you please advise on the fix status for
https://nvd.nist.gov/vuln/detail/CVE-2022-3570?

Thank you!

ellen

_______________________________________________
Tiff mailing list
Tiff@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/tiff
