2023.04.03 20:50 "[Tiff] Remove TIFFCROP from LibTiff", by Sulau

2023.04.04 15:27 "Re: [Tiff] Remove TIFFCROP from LibTiff + tiff2ps & tiff2pdf ?", by Even Rouault

Another alternative to consider is putting a disclaimer on those tools saying that CVEs might not be fixed and use at your own risk. Many pipelines use only trusted data, so they are fine. And folks using untrusted data should be running their pipelines in a security sandbox. Setting up sandboxes is definitely a user responsibility.

I doubt people who have apparently "fun" (*) running fuzzers on libtiff utilities would notice the disclaimer or take it into account. IMHO the best way to stop the flow of security reports on such utilities which annoy libtiff developers and packagers is to no longer make them built by the supported build systems.

(*): or perhaps as part of their job, as I suspect libtiff is used as a showcase for some commercial security-related products or research activities.

http://www.spatialys.com
My software is free, but my time generally not.