On Mon, 7 Nov 2022, Ellen Johnson wrote:
Thank you Kurt. And thank you to all the libtiff developers. Kurt,
thanks for your suggestion about using libtiff from head as you do
for Google and it would be great if we could do that too. However
here at MathWorks our product security team requires us to use
official library releases. Only under rare circumstances would we
be able to obtain an exception for this policy.

FYI, more often than not, the libtiff project does not know CVE
numbers for issues which were solved. Often CVEs are issued after the
problems were solved and developers may be unaware of that. The
wording of CVEs is intentionally vague. The libtiff project does not
have a CVE tracking facility.

The project does have control over when it creates new releases.

The 'tiffcrop' utility is included with libtiff, but it is not part of
the libtiff library itself. If you don't provide it to your product's
users, then there is no risk due to it.

Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt