2022.05.20 16:38 "[Tiff] libtiff v4.4.0 RC1 available", by Even Rouault

2022.05.22 13:04 "Re: [Tiff] libtiff v4.4.0 RC1 available", by Greg Troxel

I locally updated the pkgsrc package to 4.4.0rc1. That builds with autoconf, and that seems right because README.md documents autoconf as the build system.

It looks like patches for the following were applied (as the pkgsrc patches show as reversed and I dropped them):

patches/patch-CVE-2022-0561
patches/patch-CVE-2022-0907
patches/patch-CVE-2022-0909
patches/patch-CVE-2022-0924
patches/patch-CVE-2022-22844

I don't find "CVE" in ChangeLog and there is no NEWS so it's hard to be sure.

Noting in the news which commit fixes which CVE would be a super painful exercise, since they are not mentioned in commit messages, so we'd have to go back to each ticket/merge request and look if someone mentioned a CVE number.

Sure, I realize that's hard. But that degree of cross-correlation isn't what I was getting at.

As a user and packager, I want to see NEWS, which omits 99% of what's in a changelog and mentions:

API breaks
API additions
ABI breaks
CVEs fixed
anything else that's a big deal to a user

I realize volunteer time is slim etc. but it would be really nice if commit and merge messages reference CVEs when known.

Looking at the patches in pkgsrc:

  * patch-CVE-2022-0561

    https://gitlab.com/libtiff/libtiff/-/issues/362
    This fixes CVE-2022-0561 and CVE-2022-0562.

  * patch-CVE-2022-0907

    [PATCH] add checks for return value of limitMalloc (CVE-2022-0907)
    https://gitlab.com/libtiff/libtiff/-/merge_requests/314.patch

    [PATCH] tiffcrop: fix issue #380 and #382 heap buffer overflow in
     extractImageSection (CVE-2022-0891)
    https://gitlab.com/libtiff/libtiff/-/commit/46dc8fcd4d38c3b6f35ab28e532aee80e6f609d6.patch

  * patch-CVE-2022-0909

    [PATCH] fix FPE in tiffcrop
    https://gitlab.com/libtiff/libtiff/-/merge_requests/310.patch

  * patch-CVE-2022-0924

    [PATCH] fix heap buffer overflow in tiffcp
    https://gitlab.com/libtiff/libtiff/-/commit/408976c44ef0aad975e0d1b6c6dc80d60f9dc665.patch

  * patch-CVE-2022-22844

    https://gitlab.com/libtiff/libtiff/-/issues/355

    This fixes CVE-2022-22844.

I followed the issue/MR links and the fixes were all merged.