2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

2022.11.08 01:40 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

Thank you, Bob, for explaining more about libtiff and security fixes. Believe me, I feel libtiff developers' pain with CVEs, as we have a challenging time keeping up with all the CVE reports we get for third-party libraries and cross-checking the NVD details with library bug reports and source code commits to see if they are resolved.

Yes, we don't ship the tiffcrop utility, so the tiffcrop CVE in CVE-2022-3570 is not a concern. But a large customer reported 16 additional libtiff CVEs to us, and I already determined that a subset of these are in core libtiff source code and most are already fixed in the master branch. Thus we'd like to know if libtiff has a timeframe for a release with these fixes so we can let the customer know. I can provide all 16 CVE numbers and my findings on each of them if that helps.

Thanks!