2022.10.24 17:04 "[Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson
2022.10.26 20:50 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Sulau
- 2022.10.26 21:49 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson
2022.11.04 21:12 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Ellen Johnson
- 2022.11.04 23:09 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Kurt Schwehr
2022.11.04 23:09 "Re: [Tiff] clarification on the fix status for new CVE-2022-3570?", by Kurt Schwehr
Hi Ellen,
A side note: (I'm pretty sure I've shared this in the past, but I can't remember where)
I use libtiff from head for Google. That way...
- can report any troubles right away back to the maintainers, and reports and patches are easier
- usually ahead of the CVE game. CVEs have not been helpful to me
- There are enough tests in our system that each update does a pretty good job of exercising libtiff. While MATLAB isn't the size of google3, it's probably big enough to have good confidence in deploying tiff from head.
- I have a pretty large fuzzer-generated corpus that gets checked daily in asan and msan mode. It's not hard to make your own corpus, e.g. gtiff_fuzzer.cc <https://github.com/schwehr/gdal-autotest2/blob/master/cpp/frmts/gtiff/gtiff_fuzzer.cc>, which is Apache 2.0 licensed, and the fuzzers in the GDAL code base.
- never have to ask for a point release
As always, thanks to everyone who contributes to libtiff!
-kurt