AWARE SYSTEMS
TIFF and LibTiff Mail List Archive

Thread

2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson
2022.10.26 20:50 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Sulau
2022.10.26 21:49 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson
2022.11.04 21:12 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson
2022.11.04 23:09 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Kurt Schwehr
2022.11.04 23:12 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Jeff Breidenbach
2022.11.07 18:57 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson
2022.11.07 23:40 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Bob Friesenhahn
2022.11.08 01:40 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

Hi libtiff developers,

I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the previous CVEs in tiffcrop.c. There are a lot of comments in the GitLab issues and I'm trying to detangle whether this is fixed in 4.4.0, or in the master branch waiting to be released into a new libtiff version, or still open and not yet merged into any branch.

NVD link: https://nvd.nist.gov/vuln/detail/CVE-2022-3570
Related libtiff GitLab issue: https://gitlab.com/gitlab-org/cves/-/issues/479

From the GitLab posts and merge requests, it looks like it's related to the previous CVEs fixed in https://gitlab.com/libtiff/libtiff/-/merge_requests/382.

In these two GitLab issues, the CVE reporter is saying they are still open issues in 4.4.0:

https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386

Can you please advise on the fix status for https://nvd.nist.gov/vuln/detail/CVE-2022-3570?

Thank you!

ellen