| Summary: | libtiff new security issues CVE-2017-9936 and CVE-2017-10688 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | herman.viaene, lewyssmith, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | ||
| Source RPM: | libtiff-4.0.8-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-07-07 04:29:27 CEST
David Walser
2017-07-07 05:24:00 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO

Hi,

Some issues have already been addressed: CVE-2017-9147, CVE-2017-9403, CVE-2017-9404. But CVE-2017-9936 and CVE-2017-10688 remain.

Best regards,

Nico.
David Walser
2017-07-07 12:05:58 CEST
Summary:
libtiff new security issues CVE-2017-9147, CVE-2017-9403, CVE-2017-9404, CVE-2017-9936, CVE-2017-10688 =>
libtiff new security issues CVE-2017-9936 and CVE-2017-10688

For Mga6, freeze push request.

For Mga5, libtiff-4.0.8-1.1.mga5 fixes CVE-2017-9936 and CVE-2017-10688.

Patched packages uploaded for Mageia 5 and Cauldron. Thanks Nicolas!

Advisory:
========================

Updated libtiff packages fix security vulnerabilities:

Multiple vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code (CVE-2017-9936, CVE-2017-10688).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10688
https://www.debian.org/security/2017/dsa-3903
========================

Updated packages in core/updates_testing:
========================
libtiff-progs-4.0.8-1.1.mga5
libtiff5-4.0.8-1.1.mga5
libtiff-devel-4.0.8-1.1.mga5
libtiff-static-devel-4.0.8-1.1.mga5

from libtiff-4.0.8-1.1.mga5.src.rpm

Version:
Cauldron =>
5

x86_64 real hardware Mate

Before the update:
Downloaded poc1 from http://bugzilla.maptools.org/show_bug.cgi?id=2706.
Downloaded POC1.rar from http://bugzilla.maptools.org/show_bug.cgi?id=2712 and extracted POC1.

[CVE-2017-9936]

    $ tiff2ps poc1
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 62085 (0xf285) encountered.
    ..............................
    TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 34203" value failed; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16384"; tag ignored.
    %!PS-Adobe-3.0 EPSF-3.0
    %%Creator: tiff2ps
    %%Title: poc1
    ....................................
    image
    JBIG: Error (80) decoding: Unknown marker segment encountered.
    poc1: Can't read strip.
    end
    grestore
    showpage
    %%Trailer
    %%EOF
    < A long wait while it tried to process the included image. >
    $

    $ tiff2pdf poc1
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 24655 (0x604f) encountered.
    .....................................
    TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 34203" value failed; tag ignored.
    TIFFFetchNormalTag: Warning, IO error during reading of "Tag 16384"; tag ignored.
    %PDF-1.1
    %���
    1 0 obj
    .........................
    /Decode [ 1 0 ]
    >>
    stream
    JBIG: Error (32) decoding: Unexpected end of input data stream.
    tiff2pdf: Error on decoding strip 0 of poc1.
    tiff2pdf: An error occurred creating output PDF file.

--------------------------------------------------------------------------------------

[CVE-2017-10688]

    $ tiffset POC1
    TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
    tiffset: tif_dirwrite.c:2127: TIFFWriteDirectoryTagCheckedLong8Array: Assertion `tif->tif_flags&0x80000U' failed.
    Abort

==========================================================================

After updates.

    $ tiff2ps poc1

The error trace looks the same as before, so does the output from

    $ tiff2pdf poc1

    $ tiffset POC1
    POC1: Failed to allocate memory for to read TIFF directory (0 elements of 12 bytes each).
    TIFFReadDirectory: Failed to read directory at offset 5356.

The situation is handled more gracefully here and no abort.
So, OK for CVE-2017-10688 but there is nothing to go on for CVE-2017-9936.

Checked the viability of the updated libraries by running simple image tests on various files using the tiff utilities. No regressions.

Where do we go from here?

CC:
(none) =>
tarazed25
Len Lawrence
2017-07-14 17:03:31 CEST
Keywords:
(none) =>
NEEDINFO

Len, just a reminder that NEEDINFO is not the right item to add when QA has a question about an update. That's for when the bug squad or a developer needs clarification on what the original bug is about from the reporter. QA should put feedback in the whiteboard in cases like this.

CVE-2017-9936 is not a crash and is only detectable with ASAN, which we were unable to get working when we tried before, so you can pass this update.

Keywords:
NEEDINFO =>
(none)

Thanks David. Yes, I had noticed that the original analysis depended on ASAN.

Thanks also for the feedback information. I could not find feedback in the list of keywords so used NEEDINFO instead. Did not realize that you just write feedback onto the whiteboard.

Adding the OK for 64-bits.

Whiteboard:
(none) =>
MGA5-64-OK

MGA5-32 on Asus A6000VM Xfce

No installation issues.
Similar output with poc as above; except for:

    $ tiffset POC1
    TIFFReadDirectory: Warning, Unknown field with tag 302 (0x12e) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 61961 (0xf209) encountered.
    TIFFWriteDirectoryTagCheckedLong8Array: LONG8 not allowed for ClassicTIFF.

Tried commands with images used on previous updates for libtiff: tiff2pdf is OK but mind this:

    $ tiff2ps 1973-024.tif -O 1973-024.ps

against

    $ tiff2pdf 1973-024.tif -o 1973-024.pdf

OK for me.

Whiteboard:
MGA5-64-OK =>
MGA5-64-OK MGA5-32-OK

Advisoried, validating.

Whiteboard:
MGA5-64-OK MGA5-32-OK =>
MGA5-64-OK MGA5-32-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0210.html

Resolution:
(none) =>
FIXED |
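
Added example, not part of the bug thread or of Mageia's QA tooling: the before/after PoC check described in the comments above, written as a shell helper that classifies how a libtiff tool run ends (clean exit, error exit, assertion abort, or time limit). The name `classify_run`, the `LIMIT` value and the assumption that `poc1` and `POC1` sit in the current directory are choices made here; `timeout` is the GNU coreutils command.

```shell
#!/bin/sh
# Added example: classify how a command run on a PoC file terminates.
# Assumes GNU coreutils `timeout`; classify_run and LIMIT are names chosen here.

LIMIT=30   # seconds; the thread reports "a long wait" for tiff2ps on poc1

# classify_run SECONDS CMD [ARGS...]
# Prints one word: ok, error-N, abort, segfault, signal-N or timeout.
classify_run() {
    limit=$1; shift
    status=0
    # "|| status=$?" keeps the helper usable under "set -e"
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    case $status in
        0)   echo ok ;;
        124) echo timeout ;;    # GNU timeout: time limit reached
        134) echo abort ;;      # 128 + SIGABRT (6), e.g. a failed assert()
        139) echo segfault ;;   # 128 + SIGSEGV (11)
        *)   if [ "$status" -gt 128 ]; then
                 echo "signal-$((status - 128))"
             else
                 echo "error-$status"   # tool reported the problem and exited
             fi ;;
    esac
}

# Run the three commands from the thread when the PoC files are present
# in the current directory (file names as used in the comments above).
if [ -f poc1 ] && [ -f POC1 ]; then
    for cmd in "tiff2ps poc1" "tiff2pdf poc1" "tiffset POC1"; do
        # $cmd is split on purpose: tool name plus one file argument
        printf '%-14s %s\n' "$cmd" "$(classify_run "$LIMIT" $cmd)"
    done
fi
```

Going by the output quoted in the thread, `tiffset POC1` should classify as `abort` before the update and no longer as `abort` after it. CVE-2017-9936 will not show a difference with this check, since the thread notes it is only detectable with ASAN.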