Package: libtiff
Version: 4.3.0-7

In 4.3.0-7 it looks like you've included a patch based on
https://gitlab.com/libtiff/libtiff/-/commit/9752dae8febab08879fc0159e7d387cff14eb3c3
as a fix for CVE-2022-1355, but I don't think this is the right patch. You can
confirm this by building the package with `-fsanitize=address` and running the
issue's poc command listed at https://gitlab.com/libtiff/libtiff/-/issues/400:

> tiffcp  -8 -8 -8 -8 -8 -8 -8 -8 -8 -8 ./i ./i

When putting together the fix for the NixOS package, I noticed that it still 
triggers AddressSanitizer in an identical way with the patch. I think this 
happened because the commit in question is (mistakenly?) commented with

> Closes #400 et #8

Perhaps this was just a typo on their part.

The good news is that the commit
https://gitlab.com/libtiff/libtiff/-/commit/c1ae29f9ebacd29b7c3e0c7db671af7db3584bc2,
merged in https://gitlab.com/libtiff/libtiff/-/merge_requests/323, applies
cleanly (no prerequisite patches or patch mangling required) and *does* solve
the poc.


robert.
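The verification the report describes (ASan build, run the issue #400 poc, see whether the sanitizer still fires), as an added shell example that is not part of the bug report or of libtiff itself. It assumes a git checkout of libtiff at the v4.3.0 tag built with autotools, the candidate commit saved as a .patch file, and the poc input file from the issue; the paths SRC, PATCH and POC_INPUT are placeholders, and the sample log lines in the comments are constructed:

```shell
#!/bin/sh
# Added example, not from the report or the libtiff project. Rebuild a
# libtiff checkout with AddressSanitizer, apply one candidate patch, and
# run the poc command from issue #400 to classify the outcome.
# Assumed placeholders: SRC (libtiff git tree), PATCH (a saved commit as
# .patch), POC_INPUT (the poc file attached to the issue).

set -u

# Inspect a captured tiffcp run log. Prints "crash" when AddressSanitizer
# reported a fault (its reports start with "ERROR: AddressSanitizer:"),
# "clean" otherwise. This is the check that distinguishes the two commits.
classify_run() {
    log="$1"
    if grep -q 'ERROR: AddressSanitizer' "$log"; then
        printf 'crash\n'
    else
        printf 'clean\n'
    fi
}

# Reset the tree to the 4.3.0 tag, apply one candidate patch, and rebuild
# with ASan instrumentation. Arguments: source dir, patch file.
# Build output is silenced; errors still abort the subshell.
build_with_asan() {
    src="$1"; patch="$2"
    (
        cd "$src" || exit 1
        git reset -q --hard && git checkout -q v4.3.0 || exit 1
        git apply "$patch" || exit 1
        ./autogen.sh >/dev/null || exit 1
        ./configure CFLAGS="-g -O1 -fsanitize=address -fno-omit-frame-pointer" \
                    LDFLAGS="-fsanitize=address" >/dev/null || exit 1
        make -j"$(nproc)" >/dev/null
    )
}

# Run the report's poc command against the freshly built tiffcp and print
# the classification. Arguments: source dir, poc input, log path.
# The input is copied first so the in-place "./i ./i" invocation never
# touches the original poc file.
run_poc() {
    src="$1"; input="$2"; log="$3"
    cp "$input" "$src/i" || return 1
    ( cd "$src" && ./tools/tiffcp -8 -8 -8 -8 -8 -8 -8 -8 -8 -8 ./i ./i ) \
        >"$log" 2>&1
    classify_run "$log"
}

# Full check for one candidate patch: build, run, report.
# Usage: verify_patch "$SRC" "$PATCH" "$POC_INPUT"
verify_patch() {
    src="$1"; patch="$2"; input="$3"
    log="$src/poc-run.log"
    build_with_asan "$src" "$patch" || { printf 'build failed\n'; return 1; }
    result=$(run_poc "$src" "$input" "$log")
    printf '%s: %s\n' "$(basename "$patch")" "$result"
}
```

Run `verify_patch` once per candidate patch; the commit that yields "clean" is the one that actually closes the issue, while a "crash" result with the 9752dae8 patch reproduces what the report observed. Building from the Debian source instead works the same way if the ASan flags are passed through the packaging's CFLAGS/LDFLAGS, but the classification step is unchanged.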
