And thank you, Kurt.

On Fri, Nov 4, 2022 at 4:10 PM Kurt Schwehr <schw...@gmail.com> wrote:

> Hi Ellen,
>
> A side note: (I'm pretty sure I've shared this in the past, but I can't remember where)
>
> I use libtiff from head for Google. That way...
>
> - can report any troubles right away back to the maintainers and reports and patches are easier
> - usually ahead of the CVE game. CVEs have not been helpful to me
> - There are enough tests in our system that each update does a pretty good job of exercising libtiff. While MATLAB isn't the size of google3, it's probably big enough to have good confidence in deploying tiff from head.
> - I have a pretty large fuzzer generated corpus that gets checked daily in asan and msan mode. It's not hard to make your own corpus e.g. gtiff_fuzzer.cc <https://github.com/schwehr/gdal-autotest2/blob/master/cpp/frmts/gtiff/gtiff_fuzzer.cc> which is apache 2.0 licensed and the fuzzers in the gdal code base.
> - never have to ask for a point release
>
> As always, thanks to everyone who contributes to libtiff!
>
> -kurt
>
> On Fri, Nov 4, 2022 at 2:12 PM Ellen Johnson <ell...@mathworks.com> wrote:
>
>> Hi Su and libtiff folks,
>>
>> We just received a slew of 16 libtiff CVEs reported to us by a large customer – this is in addition to CVE-2022-3570 I previously wrote about. I see most of these CVEs are fixed in the libtiff master branch but not yet in an official release.
>>
>> I have two questions:
>>
>> 1. Can anyone provide an update on an estimated release timeframe for a libtiff version (presumably 4.5.0) containing all the CVE fixes that have been successfully integrated into libtiff master branch since release of 4.4.0?
>> 2. For newly reported CVE-2022-34266 in https://nvd.nist.gov/vuln/detail/CVE-2022-34266: I’m confused about this one. It states there’s a vulnerability in TIFFFetchStripThing in tif_dirread.c in the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2, and states it’s a different vulnerability than CVE-2022-0562. The NVD report for CVE-2022-34266 doesn’t contain any links to a libtiff GitLab issue describing the vulnerability, but I do see that the libtiff fix for CVE-2022-0562 was released in 4.4.0. Can you please let me know if CVE-2022-34266 is a new vulnerability that’s different from CVE-2022-0562 as stated in the NVD CVE report?
>>
>> Thank you,
>>
>> ellen
>>
>> *From:* Ellen Johnson
>> *Sent:* Wednesday, October 26, 2022 5:50 PM
>> *To:* Sulau <su...@freenet.de>; tiff@lists.osgeo.org
>> *Subject:* RE: [Tiff] clarification on the fix status for new CVE-2022-3570?
>>
>> Hi Su,
>>
>> Thank you so much for clarifying.
>>
>> Do you have an estimate on the timeframe for release of 4.5.0?
>>
>> Thanks,
>>
>> ellen
>>
>> *From:* Sulau <su...@freenet.de>
>> *Sent:* Wednesday, October 26, 2022 4:51 PM
>> *To:* tiff@lists.osgeo.org
>> *Cc:* Ellen Johnson <ell...@mathworks.com>
>> *Subject:* AW: [Tiff] clarification on the fix status for new CVE-2022-3570?
>>
>> Hi Ellen,
>>
>> issues 381 and 386 are fixed and the related MR was merged into the master branch one week ago. So they will probably be released with the next version 4.5.0
>>
>> Regards,
>>
>> Su
>>
>> *From:* Tiff [mailto:tiff-boun...@lists.osgeo.org <tiff-boun...@lists.osgeo.org>] *On Behalf Of* Ellen Johnson
>> *Sent:* Monday, October 24, 2022 19:05
>> *To:* tiff@lists.osgeo.org
>> *Subject:* [Tiff] clarification on the fix status for new CVE-2022-3570?
>>
>> Hi libtiff developers,
>>
>> I’m confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There’s a lot of comments in the GitLab issues and I’m trying to detangle whether this is fixed in 4.4.0, or in the master branch waiting to be released into a new libtiff version, or still open and not yet merged into any branch.
>>
>> NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570
>>
>> Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479
>>
>> From the GitLab posts and merge requests, it looks like it’s related to the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
>>
>> In these two GitLab issues, the CVE reporter is saying they are still open issues in 4.4.0:
>>
>> https://gitlab.com/libtiff/libtiff/-/issues/381
>>
>> https://gitlab.com/libtiff/libtiff/-/issues/386
>>
>> Can you please advise on the fix status for https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
>>
>> Thank you!
>>
>> ellen
>>
>> _______________________________________________
>> Tiff mailing list
>> Tiff@lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/tiff