2024.02.03 15:00 "[Tiff] www.libtiff.org is restored", by Bob Friesenhahn

2024.04.09 16:39 "Re: [Tiff] www.libtiff.org is restored", by Lee Howard

Now "http://www.libtiff.org/" leads to the latest libtiff HTML pages, and the same server/directory which already provides "http://www.simplesystems.org/libtiff/".

With some differences though.

The biggest probably being that http://www.libtiff.org advertises a version 4.6.0t with all the tools restored. If I see it right, it doesn't fix all the CVEs in those tools though.

Which CVEs have not been addressed? I was only instructed to address a specific list of bug reports. If the CVEs were not in those bug reports, then there may be others yet to address.

I believe this can be quite confusing to potential users of tiff. Wouldn't it have been better to first fix the CVEs and then create a new release? Or at least add a note/warning?

Yes, it was certainly confusing to have the tools suddenly removed from the 4.6.0 release.

The 4.6.0t changelog (http://libtiff.org/releases/v4.6.0t.html) doesn't give much insight either with entries like:

> Fix some issues in library found through fuzzing.
> Prevent some out-of-memory attacks.

The git logs are available from the git repositories. It's a lot to summarize in the ChangeLog in a productive way.

Maybe this helps the people who would like to bring the tools back and want to take the route of creating a separate tools package.

The tools shouldn't need to be brought back in the first place. But if you want to develop a separate tools package, then I don't object to it.

Thanks,

Lee.