Hi Ellen,

A side note: (I'm pretty sure I've shared this in the past, but I can't remember where)

I use libtiff from head for Google. That way...

- can report any troubles right away back to the maintainers and reports and patches are easier
- usually ahead of the CVE game. CVEs have not been helpful to me
- There are enough tests in our system that each update does a pretty good job of exercising libtiff. While MatLab isn't the size of google3, it's probably big enough to have good confidence in deploying tiff from head.
- I have a pretty large fuzzer-generated corpus that gets checked daily in asan and msan mode. It's not hard to make your own corpus e.g. gtiff_fuzzer.cc <https://github.com/schwehr/gdal-autotest2/blob/master/cpp/frmts/gtiff/gtiff_fuzzer.cc> which is Apache 2.0 licensed and the fuzzers in the gdal code base.
- never have to ask for a point release

As always, thanks to everyone who contributes to libtiff!

-kurt

On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson <ell...@mathworks.com> wrote:

> Hi Su and libtiff folks,
>
> We just received a slew of 16 libtiff CVEs reported to us by a large customer – this is in addition to CVE-2022-3570 I previously wrote about. I see most of these CVEs are fixed in the libtiff master branch but not yet in an official release.
>
> I have two questions:
>
> 1. Can anyone provide an update on an estimated release timeframe for a libtiff version (presumably 4.5.0) containing all the CVE fixes that have been successfully integrated into libtiff master branch since release of 4.4.0?
> 2. For newly reported CVE-2022-34266 in https://nvd.nist.gov/vuln/detail/CVE-2022-34266: I’m confused about this one. It states there’s a vulnerability in TIFFFetchStripThing in tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2, and states it’s a different vulnerability than CVE-2022-0562. The NVD report for CVE-2022-34266 doesn’t contain any links to a libtiff GitLab issue describing the vulnerability, but I do see that the libtiff fix for CVE-2022-0562 was released in 4.4.0.
> Can you please let me know if CVE-2022-34266 is a new vulnerability that’s different from CVE-2022-0562 as stated in the NVD CVE report?
>
> Thank you,
>
> ellen
>
> *From:* Ellen Johnson
> *Sent:* Wednesday, October 26, 2022 5:50 PM
> *To:* Sulau <su...@freenet.de>; tiff@lists.osgeo.org
> *Subject:* RE: [Tiff] clarification on the fix status for new CVE-2022-3570?
>
> Hi Su,
>
> Thank you so much for clarifying.
>
> Do you have an estimate on the timeframe for release of 4.5.0?
>
> Thanks,
>
> ellen
>
> *From:* Sulau <su...@freenet.de>
> *Sent:* Wednesday, October 26, 2022 4:51 PM
> *To:* tiff@lists.osgeo.org
> *Cc:* Ellen Johnson <ell...@mathworks.com>
> *Subject:* AW: [Tiff] clarification on the fix status for new CVE-2022-3570?
>
> Hi Ellen,
>
> issues 381 and 386 are fixed and related MR is merged into the master branch one week ago. So they will probably be released with next version 4.5.0
>
> Regards,
>
> Su
>
> *From:* Tiff [mailto:tiff-boun...@lists.osgeo.org <tiff-boun...@lists.osgeo.org>] *On Behalf Of* Ellen Johnson
> *Sent:* Monday, October 24, 2022 19:05
> *To:* tiff@lists.osgeo.org
> *Subject:* [Tiff] clarification on the fix status for new CVE-2022-3570?
>
> Hi libtiff developers,
>
> I’m confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There are a lot of comments in the GitLab issues and I’m trying to detangle whether this is fixed in 4.4.0, or in the master branch waiting to be released into a new libtiff version, or still open and not yet merged into any branch.
>
> NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570
>
> Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479
>
> From the GitLab posts and merge requests, it looks like it’s related to the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
>
> In these two GitLab issues, the CVE reporter is saying they are still open issues in 4.4.0:
>
> https://gitlab.com/libtiff/libtiff/-/issues/381
>
> https://gitlab.com/libtiff/libtiff/-/issues/386
>
> Can you please advise on the fix status for https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
>
> Thank you!
>
> ellen
>
> _______________________________________________
> Tiff mailing list
> Tiff@lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/tiff