2023.04.04 15:14 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Kurt Schwehr
I personally exclude all the programs from my distribution of libtiff to run into fewer CVEs.
Another alternative to consider is putting a disclaimer on those tools saying that CVEs might not be fixed and use at your own risk. Many pipelines use only trusted data, so they are fine. And folks using untrusted data, should be running their pipelines in a security sandbox. Setting up sandboxes is definitely a user responsibility.