2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

Hi libtiff developers,

I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There's a lot of comments in the GitLab issues and I'm trying to detangle whether this is fixed in 4.4.0, or in the master branch waiting to be released into a new libtiff version, or still open and not yet merged into any branch.

NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479

From the GitLab posts and merge requests, it looks like it's related to the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382.

In these two GitLab issues, the CVE reporter is saying they are still open issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386

Can you please advise on the fix status for https://nvd.nist.gov/vuln/detail/CVE-2022-3570

Thank you!

ellen