Hi Su and libtiff folks,
  We just received a slew of 16 libtiff CVEs reported to us by a large customer 
- this is in addition to CVE-2022-3570 I previously wrote about.  I see most of 
these CVEs are fixed in the libtiff master branch but not yet in an official 
release.
  I have two questions:

  1.  Can anyone provide an update on an estimated release timeframe for a 
libtiff version (presumably 4.5.0) containing all the CVE fixes that have been 
successfully integrated into libtiff master branch since release of 4.4.0?
  2.  For newly reported CVE-2022-34266 in 
https://nvd.nist.gov/vuln/detail/CVE-2022-34266:  I'm confused about this one.  
It states there's a vulnerability in TIFFFetchStripThing in tif_dirread.c in 
the libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2, and 
states it's a different vulnerability than CVE-2022-0562.  The NVD report for 
CVE-2022-34266 doesn't contain any links to a libtiff GitLab issue describing 
the vulnerability, but I do see that the libtiff fix for CVE-2022-0562 was 
released in 4.4.0.  Can you please let me know if CVE-2022-34266 is a new 
vulnerability that's different from CVE-2022-0562 as stated in the NVD CVE 
report?
  Thank you,
    ellen

From: Ellen Johnson
Sent: Wednesday, October 26, 2022 5:50 PM
To: Sulau <[email protected]>; [email protected]
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Su,
  Thank you so much for clarifying.
  Do you have an estimate on the timeframe for release of 4.5.0?
  Thanks,
     ellen

From: Sulau <[email protected]>
Sent: Wednesday, October 26, 2022 4:51 PM
To: [email protected]
Cc: Ellen Johnson <[email protected]>
Subject: RE: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi Ellen,

Issues 381 and 386 are fixed, and the related MR was merged into the master 
branch one week ago. So they will probably be released with the next version, 4.5.0.

Regards,
Su

From: Tiff [mailto:[email protected]] On Behalf Of Ellen Johnson
Sent: Monday, October 24, 2022 19:05
To: [email protected]
Subject: [Tiff] clarification on the fix status for new CVE-2022-3570?

Hi libtiff developers,

  I'm confused about the new CVE reported in libtiff >= 4.4.0 related to the 
previous CVEs in tiffcrop.c.  There are a lot of comments in the GitLab issues 
and I'm trying to detangle whether this is fixed in 4.4.0, or in the master 
branch waiting to be released into a new libtiff version, or still open and not 
yet merged into any branch.
    NVD link:  
https://nvd.nist.gov/vuln/detail/CVE-2022-3570
    Related libtiff GitLab issue:  
https://gitlab.com/gitlab-org/cves/-/issues/479

  From the GitLab posts and merge requests, it looks like it's related to the 
previous CVEs fixed in 
https://gitlab.com/libtiff/libtiff/-/merge_requests/382.
  In these two GitLab issues, the CVE reporter is saying they are still open 
issues in 4.4.0:
    
https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386

  Can you please advise on the fix status for 
https://nvd.nist.gov/vuln/detail/CVE-2022-3570?
  Thank you!
     ellen

_______________________________________________
Tiff mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/tiff
