2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson

2022.11.07 23:40 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Bob Friesenhahn

Thank you Kurt. And thank you to all the libtiff developers.

Kurt, thanks for your suggestion about using libtiff from head as you do for Google, and it would be great if we could do that too. However, here at MathWorks our product security team requires us to use official library releases. Only under rare circumstances would we be able to obtain an exception to this policy.

FYI, more often than not, the libtiff project does not know CVE numbers for issues which were solved. Often CVEs are issued after the problems were solved and developers may be unaware of that. The wording of CVEs is intentionally vague. The libtiff project does not have a CVE tracking facility.

The project does have control over when it creates new releases.

The 'tiffcrop' utility is included with libtiff, but it is not part of the libtiff library itself. If you don't provide it to your product's users, then there is no risk due to it.

Bob

Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt