Numerous CVEs in 4.4 and no bug fix release
Summary
Hi! I package libtiff for Arch Linux. I am currently concerned about packaging this project, as it requires a tremendous amount of time and project-specific insight to backport patches for the numerous severe CVEs in tiffcrop, tiffsplit, etc. that have been found in 4.4.0 and have already been fixed.
While trying to backport patches, I realized that the changes to e.g. tools/tiffcrop.c are so numerous and invasive that I can no longer be sure that backporting will not introduce even more severe issues (also because I lack project-specific insight and commit messages are sparse), and that the actual work spent on backporting them is immense.
Additionally, for some reason version and date(?!) strings are set in the source code, which prevents applying patches without having to manipulate them (why are these strings not generated by the build system instead?); this introduces further overhead for downstreams.
As I am no longer comfortable working on backporting patches for this project, I am hereby asking you to please create patch-level releases for 4.4 (and any other major/minor version you still support). This way all downstreams may benefit from the merged patches for CVEs that have already been fixed.
Version
4.4.0
Steps to reproduce
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2056
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2057
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2058
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34526
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3570
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3598
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3599
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3597
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3626
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3627
The above are the ones I'm currently aware of, but looking at https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=libtiff makes me wonder whether there are more...
Platform
Arch Linux