| Summary: | libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue (CVE-2016-9453) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, lewyssmith, luigiwalser, sysadmin-bugs, youpburden |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://lwn.net/Vulnerabilities/707488/ | | |
| Whiteboard: | advisory MGA5-32-OK MGA5-64-OK | | |
| Source RPM: | libtiff-4.0.6-1.6.mga5.src.rpm | CVE: | |
| Status comment: | | | |

Description
Nicolas Salguero
2016-11-18 14:33:46 CET
Suggested advisory:

========================

The updated packages fix a regression introduced by the fix for CVE-2016-9297.

========================

Updated packages in core/updates_testing:

========================

i586:
libtiff-progs-4.0.6-1.7.mga5.i586.rpm
libtiff5-4.0.6-1.7.mga5.i586.rpm
libtiff-devel-4.0.6-1.7.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.7.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.7.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.7.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.7.mga5.src.rpm

Status: NEW => ASSIGNED

Reference for this update:
http://openwall.com/lists/oss-security/2016/11/18/11

CC: (none) => luigiwalser

Suggested advisory:

========================

The updated packages fix:

A regression introduced by the fix for CVE-2016-9297.

An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE number not assigned yet).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11

========================

Updated packages in core/updates_testing:

========================

i586:
libtiff-progs-4.0.6-1.8.mga5.i586.rpm
libtiff5-4.0.6-1.8.mga5.i586.rpm
libtiff-devel-4.0.6-1.8.mga5.i586.rpm
libtiff-static-devel-4.0.6-1.8.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff5-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff-devel-4.0.6-1.8.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.6-1.8.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.6-1.8.mga5.src.rpm

Component: RPM Packages => Security

Nicolas Salguero
2016-11-19 00:01:55 CET
Summary: New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 => New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 and another CVE

Apparently this regression had security implications, because the regression fix has been assigned CVE-2016-9448:
http://openwall.com/lists/oss-security/2016/11/18/15

Summary: New version of libtiff that fixes a regression introduced by the fix for CVE-2016-9297 and another CVE => libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue

(In reply to David Walser from comment #2)
> FYI:
> http://openwall.com/lists/oss-security/2016/11/18/4

CVE-2016-9453:
http://openwall.com/lists/oss-security/2016/11/19/1

Summary: libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue => libtiff regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448) and another security issue (CVE-2016-9453)

Suggested advisory:

========================

The updated packages fix:

A regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448).

An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE-2016-9453).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
http://openwall.com/lists/oss-security/2016/11/18/15
http://openwall.com/lists/oss-security/2016/11/19/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9453

FYI there's a 4.0.7 release upstream now.

Suggested advisory:

========================

The updated packages fix:

A regression introduced by the fix for CVE-2016-9297 (CVE-2016-9448).

An out-of-bounds Write memcpy and less bound check in tiff2pdf (CVE-2016-9453).

References:
http://openwall.com/lists/oss-security/2016/11/18/4
http://openwall.com/lists/oss-security/2016/11/18/11
http://openwall.com/lists/oss-security/2016/11/18/15
http://openwall.com/lists/oss-security/2016/11/19/1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9453

========================

Updated packages in core/updates_testing:

========================

i586:
libtiff-progs-4.0.7-1.mga5.i586.rpm
libtiff5-4.0.7-1.mga5.i586.rpm
libtiff-devel-4.0.7-1.mga5.i586.rpm
libtiff-static-devel-4.0.7-1.mga5.i586.rpm

x86_64:
libtiff-progs-4.0.7-1.mga5.x86_64.rpm
lib64tiff5-4.0.7-1.mga5.x86_64.rpm
lib64tiff-devel-4.0.7-1.mga5.x86_64.rpm
lib64tiff-static-devel-4.0.7-1.mga5.x86_64.rpm

Source RPMs:
libtiff-4.0.7-1.mga5.src.rpm

Dave Hodgins
2016-11-21 22:44:03 CET
CC: (none) => davidwhodgins

MGA5-32 on AcerD620 Xfce
No installation issues
Followed poc file from http://bugzilla.maptools.org/show_bug.cgi?id=2579, found via http://openwall.com/lists/oss-security/2016/11/18/4
at CLI

```
$ tiff2pdf -o 1test.pdf 1.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
```

So no out-of-bounds
Tried also one of my own tif files and converted successfully to pdf.

Whiteboard: advisory => advisory MGA5-32-OK

MGA5-64 on HP Pavilion dv7 KDE
No installation issues
Followed instructions from comment#10.
Here is the CLI information:

```
tiff2pdf -o 1test.pdf 1.tiff
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file 1.tiff for reading.
```

CC: (none) => youpburden

Additional test M5 x64

Thanks to Herman for the link to the alleged PoC. Neither of the two tests above seemed to show the result before & after this update; so I re-tried just to see.

BEFORE: libtiff-progs-4.0.6-1.6.mga5, lib64tiff5-4.0.6-1.6.mga5

```
$ tiff2pdf -o 1test.pdf Downloads/1.tif
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 1 (0x1) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 3 (0x3) encountered.
TIFFReadDirectory: IO error during reading of "BitsPerSample".
tiff2pdf: Can't open input file Downloads/1.tiff for reading.
```

which is the same result as the previous 2 tests! Never mind.

AFTER: libtiff-progs-4.0.7-1.mga5, lib64tiff5-4.0.7-1.mga5

```
$ tiff2pdf -o 1test.pdf Downloads/1.tiff
```

gave the same output as before. Another PoC which does not show...

```
$ tiff2pdf -o 1test.pdf /mnt/common/docs/ElderChmpgn.tiff
```

produced a large but impeccable PDF file.
OK'ing the update. Then validating. Advisory already uploaded.

Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0405.html

Resolution: (none) => FIXED

There are a whole bunch of other CVEs in the LWN reference (see the URL), but I'm guessing that we have fixed those as well with this update.

URL: (none) => https://lwn.net/Vulnerabilities/707488/